AVSystem Removal Help

bloodrayne03 · October 9, 2007

Ok, I've got AVSystem removal on my comp, and I've run various programs, including RogueRemover, and they got rid of the popups, but if I switch to a different user profile, it still tries to download. Also, for some reason, it says I'm blocked from certain things, such as going into add/remove programs, and many other things on the Control Panel, if it lets me navigate to the Control Panel at all, and it says I should contact the system admin, even though I never put an admin profile. I just noticed this today, and it's never happened before, so I think that might be something else that's happening. Also, I just noticed my Control Panel icon is gone from the Start Menu... To my knowledge, it has not been downloaded, as it doesn't show up in the program list. I really need help on this, and I want all this stuff gone from my computer. What should I do?

EDIT: Ok, I just ran all the pre-post stuuf, and the scans did get rid of something, but eScan had something like 147 errors, and I'm still lacking a Control Panel icon, and admin access, even in Safe Mode's Administrator profile. Also, my problem seems to be eerily like Dave, or whoever the topic next to mine is. You know, just in case that helps get rid of the bug. Now then, just tell me which tests/scans/removal programs to run and post on and I will.

Here are some logs, hope they help.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:30:04 AM, on 10/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\Explorer.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Dell Network Assistant\hnm_svc.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\PeerGuardian2\pg2.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Dell Network Assistant\ezi_hnm2.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program Files\MSN Messenger\livecall.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Messenger\msmsgs.exe

C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 64.6.128.250:553

F2 - REG:system.ini: Shell=Explorer.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Dell Network Assistant.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe

O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 9580 bytes

bloodrayne03 · October 10, 2007

Ok, this is what I got for the AVG scan:

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

+ Created at: 9:06:02 AM 10/10/2007

+ Scan result:

C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Ignored.

C:\Documents and Settings\Nathan\Cookies\nathan@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.

C:\Documents and Settings\Nathan\Cookies\nathan@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.

C:\Documents and Settings\Nathan\Cookies\nathan@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.

::Report end

It seems kinda short... Hope I did it right. Panda coming in next post.

JeanInMontana · October 10, 2007

Hi bloodrayne03 and welcome to Malwarebytes. You will have to clean every account on the machine to totally rid it of infection. This infection has started a new turn in causing the control panel loss. I saw my first case just in the last day or two.

1. Download this file :

http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

Note:

Do not mouseclick combofix's window while its running. That may cause it to stall

bloodrayne03 · October 10, 2007

Hi bloodrayne03 and welcome to Malwarebytes. You will have to clean every account on the machine to totally rid it of infection. This infection has started a new turn in causing the control panel loss. I saw my first case just in the last day or two.
1. Download this file :
http://www.techsupportforum.com/sectools/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply
Note:
Do not mouseclick combofix's window while its running. That may cause it to stall

So do I run only that on every account, or the whole shebang? Oh, and it says that the combofix link you gave me is wrong. Let me copy the notebook thing I get when I try to run it:

You have used an invalid url to download ComboFix.exe. Please be advised that these are the correct links to use

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

bloodrayne03 · October 10, 2007

Also, I'm going to have to leave for school in just a bit. I'll get back around 1-2 PM, US Mountain Time. Do you think you could be on then to give me further assistance?

I'll be leaving Panda and Combofix running, and I'll post the logs once I get back.

JeanInMontana · October 10, 2007

You should clean one account at a time. Open a new thread for each one. I don't use the procedures in the preposting instructions but they are not going to do harm.

The link for CF works fine for me. That site is the same as your link only with the creator's name added to the url. But that is fine what ever link works for you. Please post the log for that and a new HJT.

JeanInMontana · October 10, 2007

You do NOT run CF with anything else at the same time. I will do my best to keep up with your topic. I am busy also.

We are in the same time zone. That helps.

Edited October 10, 2007 by JeanInMontana
time zone info

bloodrayne03 · October 10, 2007

You do NOT run CF with anything else at the same time. I will do my best to keep up with your topic. I am busy also.
We are in the same time zone. That helps.

Agreed, and I noticed that and shut down all other programs. Here's the log, HJT in next post.

ComboFix 07-10-09.3 - Nathan 2007-10-10 9:20:59.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.590 [GMT -6:00]

Running from: C:\Documents and Settings\Nathan\Desktop\Spyware tools\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2007-09-10 to 2007-10-10 )))))))))))))))))))))))))))))))

.

2007-10-10 09:19 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-10-10 09:09 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2007-10-10 08:27 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-10-10 08:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-10-10 08:23 <DIR> d-------- C:\WINDOWS\LastGood

2007-10-09 21:02 <DIR> d-------- C:\mwav

2007-10-09 21:02 <DIR> d-------- C:\Downloads

2007-10-09 21:02 <DIR> d-------- C:\Bases

2007-10-09 20:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2007-10-09 20:56 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\SUPERAntiSpyware.com

2007-10-09 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2007-10-09 20:32 <DIR> d-------- C:\HJT

2007-10-09 17:10 <DIR> d-------- C:\Program Files\RogueRemover FREE

2007-10-09 17:03 <DIR> d-------- C:\Program Files\XoftSpySE

2007-10-09 16:57 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-10-09 16:47 <DIR> d-------- C:\Documents and Settings\Susan\Application Data\Symantec

2007-10-09 16:47 <DIR> d-------- C:\Documents and Settings\Susan\Application Data\InstallShield

2007-10-09 16:47 <DIR> d--h----- C:\Documents and Settings\Susan\Application Data\Gtek

2007-10-09 16:19 16,384 --a------ C:\WINDOWS\xlavra.exe

2007-10-09 16:15 737,280 --a------ C:\WINDOWS\iun6002.exe

2007-10-09 16:08 7,849 --a------ C:\WINDOWS\system32\sulimo.dat

2007-10-05 13:10 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll

2007-10-05 13:05 <DIR> d-------- C:\Program Files\Sierra

2007-10-04 20:59 <DIR> d-------- C:\Program Files\Skype

2007-10-04 20:59 <DIR> d-------- C:\Program Files\Common Files\Skype

2007-10-04 20:59 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Skype

2007-10-04 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype

2007-10-03 17:58 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Template

2007-10-03 17:58 146 --a------ C:\Documents and Settings\Nathan\Application Data\wklnhst.dat

2007-10-02 15:40 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2007-09-30 19:10 <DIR> d-------- C:\Program Files\MagicDisc

2007-09-30 14:24 <DIR> d-------- C:\Program Files\thriXXX

2007-09-29 09:51 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\AdobeUM

2007-09-27 17:11 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe

2007-09-27 17:11 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys

2007-09-27 17:10 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe

2007-09-27 15:35 <DIR> d-------- C:\Program Files\Call of Duty

2007-09-27 08:00 179 --a------ C:\handle.dat

2007-09-27 05:47 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Sonic

2007-09-27 05:47 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Leadertech

2007-09-26 16:19 <DIR> d-------- C:\Program Files\PeerGuardian2

2007-09-26 15:49 <DIR> d-------- C:\Program Files\uTorrent

2007-09-26 15:49 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\uTorrent

2007-09-25 21:36 <DIR> d-------- C:\Program Files\StepMania

2007-09-23 10:25 <DIR> d-------- C:\Documents and Settings\Elizabeth\Application Data\Symantec

2007-09-23 10:25 <DIR> d-------- C:\Documents and Settings\Elizabeth\Application Data\InstallShield

2007-09-23 10:25 <DIR> d--h----- C:\Documents and Settings\Elizabeth\Application Data\Gtek

2007-09-23 09:35 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\Nexon

2007-09-22 23:15 <DIR> d-------- C:\Program Files\MSXML 4.0

2007-09-22 22:33 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Viewpoint

2007-09-22 21:57 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\SecondLife

2007-09-22 08:37 23,040 --------- C:\WINDOWS\kb913800.exe

2007-09-22 08:34 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\Symantec

2007-09-22 08:34 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\InstallShield

2007-09-22 08:34 <DIR> d--h----- C:\Documents and Settings\Adam\Application Data\Gtek

2007-09-21 18:48 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Ventrilo

2007-09-21 18:46 <DIR> d-------- C:\Program Files\Ventrilo

2007-09-21 18:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-09-21 18:04 <DIR> d-------- C:\WINDOWS\system32\LogFiles

2007-09-21 16:39 <DIR> d-------- C:\Program Files\World of Warcraft

2007-09-21 16:39 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

2007-09-21 16:32 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Nexon

2007-09-21 16:31 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys

2007-09-21 16:29 <DIR> d-------- C:\Nexon

2007-09-21 16:03 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

2007-09-21 16:03 <DIR> d-------- C:\Program Files\MSN Messenger

2007-09-21 16:03 <DIR> d-------- C:\Documents and Settings\Nathan\Contacts

2007-09-21 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP

2007-09-21 15:48 <DIR> d-------- C:\Program Files\Common Files\HP

2007-09-21 15:47 <DIR> d-------- C:\Program Files\Hewlett-Packard

2007-09-21 15:46 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard

2007-09-21 15:42 <DIR> d-------- C:\Program Files\HP

2007-09-21 15:42 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys

2007-09-21 15:40 112,411 --a------ C:\WINDOWS\hpoins07.dat

2007-09-21 15:40 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys

2007-09-21 15:40 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys

2007-09-21 15:40 21,124 --------- C:\WINDOWS\hpomdl07.dat

2007-09-21 15:39 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\HP

2007-09-21 15:39 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys

2007-09-21 15:39 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys

2007-09-21 15:14 <DIR> d---s---- C:\Documents and Settings\Nathan\UserData

2007-09-21 15:04 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\Symantec

2007-09-21 15:04 <DIR> d-------- C:\Documents and Settings\Nathan\Application Data\InstallShield

2007-09-21 15:04 <DIR> d--h----- C:\Documents and Settings\Nathan\Application Data\Gtek

2007-09-21 14:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

2007-09-21 14:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec

2007-09-21 14:56 <DIR> d-------- C:\Program Files\EarthLink Setup

2007-09-21 14:55 <DIR> d-------- C:\Program Files\Dell Support

2007-09-21 14:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GTek

2007-09-21 14:55 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\GTek

2007-09-21 14:54 <DIR> d-------- C:\Program Files\Yahoo!

2007-09-21 14:54 <DIR> d-------- C:\Program Files\Sonic

2007-09-21 14:54 <DIR> d-------- C:\Program Files\Microsoft Works

2007-09-21 14:54 <DIR> d-------- C:\Program Files\illiminable

2007-09-21 14:54 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared

2007-09-21 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\YAHOO

2007-09-21 14:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield

2007-09-21 14:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-03 19:47 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF

2007-10-03 19:47 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL

2007-10-03 19:47 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2007-10-03 19:47 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT

2007-09-29 03:17 11,973 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-09-21 20:50 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys

2007-09-20 13:49 7,763 ----a-w C:\WINDOWS\system32\drivers\1028_Dell_DIM_DIME521.mrk

2007-08-27 23:13 97,672 ----a-w C:\WINDOWS\system32\drivers\symfw.sys

2007-08-27 23:13 537,992 ----a-w C:\WINDOWS\system32\SymNeti.dll

2007-08-27 23:13 31,624 ----a-w C:\WINDOWS\system32\drivers\symids.sys

2007-08-27 23:13 28,040 ----a-w C:\WINDOWS\system32\drivers\symndis.sys

2007-08-27 23:13 23,944 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys

2007-08-27 23:13 189,320 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys

2007-08-27 23:13 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll

2007-08-27 23:13 12,680 ----a-w C:\WINDOWS\system32\drivers\symdns.sys

2007-07-31 01:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll

2007-07-31 01:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-07-31 01:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-07-31 01:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll

2007-07-31 01:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-07-31 01:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe

2007-07-31 01:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-07-31 01:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-07-31 01:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll

2007-07-31 01:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-07-31 01:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll

2007-07-31 01:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-07-31 01:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll

2007-07-31 01:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-07-31 01:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll

2005-05-12 05:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-10 17:36]

"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 02:12]

"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 02:00 C:\WINDOWS\stsystra.exe]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]

"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2007-01-16 11:26]

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 04:20]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-21 14:50]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 20:57]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-09-25 15:23]

"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]

Dell Network Assistant.lnk - C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2007-09-21 14:48:48]

Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-09-21 14:48:33]

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]

HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{827D3881-317C-442A-B4ED-F576CBA700BB}"= C:\WINDOWS\SYSTEM32\GWSEH.dll [2004-09-23 06:21 155648]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=C:\WINDOWS\system32\sulimo.dat

R3 pgfilter;pgfilter;\??\C:\Program Files\PeerGuardian2\pgfilter.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

AutoRun\command - E:\setup.exe

*Newly Created Service* - AVG_ANTI-SPYWARE_DRIVER

*Newly Created Service* - AVG_ANTI-SPYWARE_GUARD

*Newly Created Service* - CATCHME

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

"2007-10-06 04:29:50 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Nathan.job"

.

**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-10-10 09:24:21

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-10-10 9:25:51

.

--- E O F ---

bloodrayne03 · October 10, 2007

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:28:07 AM, on 10/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Dell Network Assistant\hnm_svc.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\PeerGuardian2\pg2.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Dell Network Assistant\ezi_hnm2.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program Files\MSN Messenger\livecall.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\explorer.exe

C:\Program Files\internet explorer\iexplore.exe