MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Topic: What is Protocol Wavetop, on HJT log file (Read 2082 times)
Bracgypsy « on: July 17, 2008, 11:13:05 PM »

Hi,
 
Could someone please help me with my HJT log file?

Please explain what the "O18 - Protocol: wavetop - (no CLSID) - (no file)" is, and what it does. It is outlined in my logfile in RED below. It will not delete from HJT. I have run a search on Google and on your site; I did find 3 other log files here that have this "wavetop", but I couldn't find anyone who said too much about it, or what it is, or anything else about the no-name file. If there is something on this site about wavetop, I am sorry I missed it.

Also does everything else listed on my log file look OK?

Thanks.
BracGypsy!
**********************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:48 PM, on 7/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O18 - Protocol: wavetop - (no CLSID) - (no file)
O23 - Service: a-squared Free Service (a2free) - Unknown owner - C:\Program Files\a-squared Free\a2service.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 3374 bytes
Pancake (Global Moderator) « Reply #1 on: July 18, 2008, 12:49:33 AM »

It's a harmless file, a shortcut. The full file is:
Protocol: wavetop - {2828353E-8B60-11D1-821D-00609720131C} - C:\Program Files\WaveTop\Bin\WaveProt.dll


http://process-dll.com/pd/dll.php?id=waveprot.dll_0,%202,%200,%200
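The reply above shows what a complete O18 entry looks like (protocol name, CLSID, DLL path) next to the orphaned "(no CLSID) - (no file)" form in the poster's log. The following is an added example, not code from HijackThis or from this forum: a small parser for the O2/O4/O18/O23 line formats in the logs posted here that flags entries pointing at a CLSID or file that no longer exists, so they can be told apart from entries that still load a real binary. The sample lines are copied from the logs in this thread.

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not HJT's own code).

Parses the O2/O4/O18/O23 formats seen in the logs above and flags entries that
point at nothing: an O18 handler reported as "(no CLSID)" / "(no file)", or an
O23 service whose binary is "(file missing)". Such orphans are usually leftovers
of uninstalled software rather than malware; one that keeps coming back, or a
service with an unknown owner, still merits a closer look.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines copied from the HijackThis logs posted in this thread
# (the complete WaveTop line is the one quoted in Reply #1).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O18 - Protocol: wavetop - (no CLSID) - (no file)
O18 - Protocol: wavetop - {2828353E-8B60-11D1-821D-00609720131C} - C:\Program Files\WaveTop\Bin\WaveProt.dll
O23 - Service: a-squared Free Service (a2free) - Unknown owner - C:\Program Files\a-squared Free\a2service.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# COM class identifiers are GUIDs in braces, e.g. {2828353E-8B60-11D1-821D-00609720131C}.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


@dataclass
class Entry:
    section: str                 # O2, O4, O18 or O23
    name: str                    # BHO name, Run value name, protocol name or service name
    clsid: Optional[str] = None  # O2/O18 only; None when HJT printed "(no CLSID)"
    path: Optional[str] = None   # binary the entry points at; None for "(no file)"
    owner: Optional[str] = None  # O23 company string
    flags: List[str] = field(default_factory=list)

    @property
    def orphan(self) -> bool:
        """True when the entry references a CLSID or file that no longer exists."""
        return any(f in self.flags for f in ("no-clsid", "no-file", "file-missing"))


def _exe_from_command(cmd: str) -> str:
    """Strip arguments from an O4 command line, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|sys|bat|cmd))", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT line; None for anything that is not an O2/O4/O18/O23 entry."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section in ("O2", "O18"):
        # O2 - BHO: <name> - <CLSID> - <dll>   /   O18 - Protocol: <name> - <CLSID> - <dll>
        parts = [p.strip() for p in rest.split(":", 1)[-1].split(" - ", 2)]
        if len(parts) != 3:
            return None
        name, clsid, path = parts
        e = Entry(section, name)
        if clsid == "(no CLSID)":
            e.flags.append("no-clsid")
        else:
            e.clsid = clsid
            if not CLSID_RE.match(clsid):
                e.flags.append("malformed-clsid")
        if path == "(no file)":
            e.flags.append("no-file")
        else:
            e.path = path
        return e
    if section == "O4":
        # O4 - <hive>\..\Run: [<value name>] <command line>
        m4 = re.match(r"^\S+: \[([^\]]+)\] (.*)$", rest)
        return Entry(section, m4.group(1), path=_exe_from_command(m4.group(2))) if m4 else None
    if section == "O23":
        # O23 - Service: <display name> (<short name>) - <owner> - <binary> [(file missing)]
        parts = [p.strip() for p in rest.split(":", 1)[-1].rsplit(" - ", 2)]
        if len(parts) != 3:
            return None
        name, owner, path = parts
        e = Entry(section, name, owner=owner)
        if path.endswith("(file missing)"):
            e.flags.append("file-missing")
            path = path[: -len("(file missing)")].strip()
        e.path = path
        if owner.lower() == "unknown owner":
            e.flags.append("unknown-owner")
        return e
    return None  # other sections (R1, O16, ...) are out of scope here


def triage(log_text: str) -> List[Entry]:
    """Parse every recognised entry in an HJT log."""
    return [e for e in map(parse_line, log_text.splitlines()) if e is not None]


def orphans(log_text: str) -> List[Entry]:
    """Entries whose CLSID or file is gone: cleanup candidates, not proof of infection."""
    return [e for e in triage(log_text) if e.orphan]
```

Running `orphans(SAMPLE_LOG)` on the thread's lines returns only the wavetop handler and the a-squared service; the Symantec and Java entries, which still resolve to files, are not flagged.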
Bracgypsy « Reply #2 on: July 19, 2008, 05:56:19 PM »

In the past few days I have read on a few sites that the "wavetop" is a virus, then I read it is a Trojan, and I have now heard more than once that it's harmless. One question is: if it's so harmless, why can't it be deleted off of HJT? Every time I delete it, it comes right back. And my PC is running like a snail; webpages come up snail slow also. And something is eating my RAM alive. When I boot up it's already down below 50 RAM. I have a RAM recovery program, "Uniblue SpeedUpMyPC", and that boosts it back to just below normal, "which is 256", then within 5 minutes the RAM is back low again. I have been fighting this now about 2 weeks. My PC will not even do a system recovery. I find this very strange. Any ideas?

Thanks, and sorry I am late getting back with you...

BracGypsy!
Pancake (Global Moderator) « Reply #3 on: July 19, 2008, 11:17:46 PM »

I will check to see if any malware is slowing you down. If not, I suggest you consult one of our other forums.


Ok. Let's download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.



Bracgypsy « Reply #4 on: July 22, 2008, 04:20:27 PM »

Hi Pancake,
Here is the list you asked for. So sorry I am so late in getting back with you. When I first read what you wanted me to do with the Combo program, I said to myself, OMG, this is way out there in left field for me, but I think I got it right! The only thing I changed in the list was my real name. I didn't think you would mind. Also I did take notice that there is a lot, and I mean a lot, of uninstalled programs in the list below. If that means anything, and if you want their names, let me know and I will highlight them and repost this list.

Thanks... BracGypsy.
**********************************************************




ComboFix 08-07-21.2 - BracGypsy 2008-07-22 10:41:04.1 - FAT32x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.67 [GMT -5:00]
Running from: C:\Downloaded Programs\ComboFix\ComboFix.exe
Command switches used :: C:\Downloaded Programs\ComboFix\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Dcads Advanced Toolbar
C:\WINDOWS\start.exe
C:\WINDOWS\Web\default.htt

.
(((((((((((((((((((((((((   Files Created from 2008-06-22 to 2008-07-22  )))))))))))))))))))))))))))))))
.

2008-07-19 13:07 . 2008-07-19 13:07   <DIR>   d--------   C:\WINDOWS\Registry Drill
2008-07-19 13:07 . 2008-07-19 13:07   <DIR>   d--------   C:\Program Files\Easy Desk Utilities
2008-07-19 11:49 . 2008-07-19 11:49   <DIR>   d--hs----   C:\FOUND.030
2008-07-15 17:01 . 2008-07-15 17:01   <DIR>   d--------   C:\WINDOWS\Google Earth Pro 4.2
2008-07-15 17:01 . 2008-07-15 17:01   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-15 17:01 . 2008-07-15 17:01   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple
2008-07-15 13:15 . 2008-07-15 13:15   123   --a------   C:\WINDOWS\rootkitno.ini
2008-07-15 12:15 . 2008-07-15 12:16   30,946   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\Partizan.sys
2008-07-15 12:15 . 2008-07-15 12:16   25,088   --a------   C:\WINDOWS\SYSTEM32\Partizan.exe
2008-07-14 19:18 . 2008-07-14 19:18   <DIR>   d--------   C:\Documents and Settings\Bracgypsy\Application Data\Apple Computer
2008-07-14 15:13 . 2008-07-14 15:13   <DIR>   d--------   C:\Program Files\QuickTime
2008-07-14 15:11 . 2008-07-14 15:11   <DIR>   d--------   C:\Program Files\Apple Software Update
2008-07-14 12:18 . 2008-07-14 12:18   <DIR>   d--------   C:\Program Files\YahooFriend
2008-07-09 11:35 . 2008-07-09 11:36   <DIR>   d--------   C:\Program Files\Avant Browser
2008-07-09 10:33 . 2008-07-09 10:33   <DIR>   d--------   C:\Program Files\Belarc
2008-07-09 10:33 . 2005-04-07 16:18   3,840   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\BANTExt.sys
2008-07-08 17:21 . 2004-08-04 00:56   4,274,816   --a------   C:\WINDOWS\SYSTEM32\nv4_disp.dll
2008-07-08 17:21 . 2004-08-04 00:56   4,274,816   --a------   C:\WINDOWS\SYSTEM32\dllcache\nv4_disp.dll
2008-07-08 17:21 . 2004-08-03 22:29   1,897,408   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys
2008-07-08 17:21 . 2004-08-03 22:29   1,897,408   --a------   C:\WINDOWS\SYSTEM32\dllcache\nv4_mini.sys
2008-07-08 16:45 . 2006-11-17 19:21   208,896   --a------   C:\WINDOWS\SYSTEM32\NVUNINST.EXE
2008-07-08 14:46 . 2008-07-08 14:46   <DIR>   d--hs----   C:\FOUND.029
2008-07-08 09:20 . 2008-07-08 09:20   <DIR>   d--hs----   C:\FOUND.028
2008-07-07 23:46 . 2008-07-07 23:47   <DIR>   d--------   C:\RootkitNO
2008-07-07 18:38 . 2008-07-07 18:38   <DIR>   d--------   C:\Documents and Settings\Administrator.Q6Z2P4\Application Data\AVG7
2008-07-07 18:01 . 2008-07-07 18:01   <DIR>   d--------   C:\Documents and Settings\Administrator.Q6Z2P4\Application Data\Uniblue
2008-07-07 17:54 . 2008-07-07 17:54   <DIR>   d--------   C:\Documents and Settings\Administrator.Q6Z2P4\Application Data\Avant Profiles
2008-07-06 20:07 . 2008-07-06 20:08   <DIR>   d--------   C:\Program Files\Windows Media Connect 2
2008-07-05 14:43 . 2008-07-05 14:43   <DIR>   d--hs----   C:\FOUND.027
2008-07-03 17:56 . 2008-07-03 17:56   <DIR>   d--hs----   C:\FOUND.026
2008-07-02 12:37 . 2008-07-02 12:37   <DIR>   d--h-----   C:\Documents and Settings\BracGypsy\Recent(2)
2008-06-30 20:01 . 2008-06-30 20:01   <DIR>   d--------   C:\Program Files\CDG Disc Player
2008-06-28 16:04 . 2008-06-28 16:04   230   --a------   C:\WINDOWS\SYSTEM32\spupdsvc.inf
2008-06-28 15:34 . 2008-06-28 15:34   <DIR>   d--------   C:\Program Files\CCleaner
2008-06-28 14:36 . 2008-06-28 14:36   2   -rahs----   C:\WINDOWS\winstart.bat
2008-06-28 14:34 . 2005-04-03 14:02   8,944   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\UnHackMeDrv.sys
2008-06-28 13:30 . 2008-06-28 13:30   <DIR>   d--------   C:\Program Files\Exterminate It!
2008-06-28 13:22 . 2008-06-28 13:22   <DIR>   d--------   C:\Program Files\Sophos
2008-06-28 11:02 . 2008-06-28 11:02   <DIR>   d--------   C:\Documents and Settings\BracGypsy\DoctorWeb
2008-06-26 18:50 . 2008-06-26 18:50   <DIR>   d--hs----   C:\FOUND.024
2008-06-26 14:26 . 2008-06-26 14:26   <DIR>   d--------   C:\Program Files\Trend Micro
2008-06-25 13:55 . 2008-06-25 13:55   <DIR>   d--------   C:\Program Files\SceneCaster

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 00:37   ---------   d-----w   C:\Program Files\ZoneAlarmSB
2008-06-22 00:35   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-06-21 21:22   ---------   d-----w   C:\Documents and Settings\LocalService\Application Data\Symantec
2008-06-21 20:41   ---------   d-----w   C:\Program Files\SymNetDrv
2008-06-21 20:31   ---------   d-----w   C:\Program Files\Norton AntiVirus
2008-06-21 20:30   ---------   d-----w   C:\Documents and Settings\BracGypsy\Application Data\Symantec
2008-06-21 17:34   ---------   d-----w   C:\Program Files\VirtualDJ
2008-06-20 21:27   ---------   d-----w   C:\Program Files\Easy Songwriter
2008-06-20 17:41   245,248   ----a-w   C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41   245,248   ----a-w   C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:41   148,992   ----a-w   C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-06-20 01:01   ---------   d-----w   C:\Documents and Settings\BracGypsy\Application Data\Aim
2008-06-20 00:58   ---------   d-----w   C:\Program Files\AOD
2008-06-20 00:58   ---------   d-----w   C:\Program Files\AIM
2008-06-16 05:28   ---------   d-----w   C:\Documents and Settings\Guest\Application Data\Uniblue
2008-06-14 21:09   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Uniblue
2008-06-14 17:09   34,308   ----a-w   C:\WINDOWS\SYSTEM32\BASSMOD_OLD.dll
2008-06-14 16:41   ---------   d-----w   C:\Program Files\Uniblue
2008-06-14 16:17   ---------   d-----w   C:\Documents and Settings\BracGypsy\Application Data\Uniblue
2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10   272,128   ------w   C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-06-05 20:25   ---------   d-----w   C:\Program Files\BitTorrent
2008-06-05 20:25   ---------   d-----w   C:\Documents and Settings\BracGypsy\Application Data\BitTorrent
2008-06-01 02:12   ---------   d-----w   C:\Program Files\Micrografx
2008-05-24 22:24   23,600   ----a-w   C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-05-23 23:39   ---------   d-----w   C:\Documents and Settings\BracGypsy\Application Data\Stupid roam
2008-05-23 23:18   ---------   d-----w   C:\Program Files\Stupid roam
2008-05-23 23:18   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\platform dupe draw memo
2008-05-23 23:17   ---------   d-----w   C:\Program Files\BitDownload
2008-05-23 22:25   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-05-22 20:10   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-22 19:42   ---------   d-----w   C:\Program Files\SystemRequirementsLab
2008-05-08 12:28   202,752   ----a-w   C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-05-07 05:18   1,287,680   ----a-w   C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18   1,287,680   ----a-w   C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2008-04-23 04:16   63,488   ------w   C:\WINDOWS\SYSTEM32\dllcache\icardie.dll
2008-04-23 04:16   6,066,176   ------w   C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2008-04-23 04:16   52,224   ------w   C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2008-04-23 04:16   459,264   ------w   C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2008-04-23 04:16   383,488   ------w   C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2008-04-23 04:16   267,776   ------w   C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2008-04-22 07:39   13,824   ------w   C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-08-10 23:02   630,784   ----a-w   C:\WINDOWS\system32\config\systemprofile\NTUSER(2).DAT
2007-06-12 19:55   266   --sh--w   C:\Program Files\desktop.ini
2007-06-12 19:55   11,079   ---h--w   C:\Program Files\folder.htt
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 22:36   8454656   --a------   C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2008-05-02 15:15 9442584]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoRun"= 0 (0x0)
"NoClose"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"VIDC.VDOM"= vdowave.drv
"VIDC.MPG4"= msscmc32.dll
"vidc.vivo"= ivvideo.dll
"msacm.vivog723"= vivog723.acm
"msacm.voxacm119"= vdk32119.acm
"VIDC.TR20"= tr2032.dll
"VIDC.UCOD"= clrviddd.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\NVCPL.DLL,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AVG7_CC"=C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
"AVG7_EMC"=C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
"AVG7_AMSVR"=C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
"LWBMOUSE"=C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\HydraIRC\\HydraIRC.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\WINDOWS\\System32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 01:07]
S3 CH341SER;CH341SER;C:\WINDOWS\system32\Drivers\CH341SER.SYS [2006-06-05 00:00]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 00:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 00:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 00:56]
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-07-15 12:16]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc   REG_MULTI_SZ      p2psvc p2pimsvc p2pgasvc PNRPSvc

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 20:35:18 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-07-14 21:10:22 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-07-07 23:36:54 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A7A46FCF-50E3-4EA5-A8DA-6865D52B9571} - (no file)
ShellExecuteHooks-{FBF23B40-E3F0-101B-8488-00AA003E56F8} - shdocvw.dll
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R1 -: HKCU-Internet Settings,ProxyOverride = <local>

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\SYSTEM\dajava.cab

O16 -: Internet Explorer Classes for Java - file://C:\WINDOWS\SYSTEM\iejava.cab
C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

O16 -: Microsoft XML Parser for Java


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 10:44:48
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-22 10:46:22
ComboFix-quarantined-files.txt  2008-07-22 15:46:18

Pre-Run: 2,323,873,792 bytes free
Post-Run: 2,326,855,680 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

232   --- E O F ---   2008-07-09 08:01:17
« Last Edit: July 22, 2008, 05:54:03 PM by Bracgypsy »
Pancake (Global Moderator) « Reply #5 on: July 22, 2008, 11:46:05 PM »

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote

File::

C:\WINDOWS\winstart.bat

Folder::
C:\FOUND.030
C:\FOUND.029
C:\FOUND.028
C:\FOUND.027
C:\FOUND.026
C:\Documents and Settings\All Users\Application Data\platform dupe draw memo


Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply, please.


*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*


Bracgypsy « Reply #6 on: July 23, 2008, 04:28:00 PM »

Hi Pancake.
To be truthful here, I am not sure what I am doing, but it looks as if I got this right again... LOL

Also I have taken notice that there are a few more things running in the HJT file that weren't in the first file that I posted here. Hummmmm, but that's not shocking, 'cause I am beginning to think computers have a mind of their own!

Do you think if I danced nude around my PC and chanted a little VooDoo chant that it would help my PC run better?

Thanks a bunch,
BracGypsy

************************************************************************


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:48 AM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O18 - Protocol: wavetop - (no CLSID) - (no file)
O23 - Service: a-squared Free Service (a2free) - Unknown owner - C:\Program Files\a-squared Free\a2service.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 3268 bytes

****************************************************************************************************


ComboFix 08-07-21.2 - BracGypsy 2008-07-23 10:52:24.2 - FAT32x86
Running from: C:\Downloaded Programs\ComboFix\ComboFix.exe
Command switches used :: C:\Downloaded Programs\ComboFix\CFScript.txt
 * Created a new restore point

FILE ::
C:\WINDOWS\winstart.bat
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\platform dupe draw memo
C:\FOUND.026
C:\FOUND.027
C:\FOUND.028
C:\FOUND.029
C:\FOUND.030
C:\WINDOWS\winstart.bat

.
(((((((((((((((((((((((((   Files Created from 2008-06-23 to 2008-07-23  )))))))))))))))))))))))))))))))
.

2008-07-22 14:36 . 2008-07-22 14:36   <DIR>   d--------   C:\Temp
2008-07-19 13:07 . 2008-07-19 13:07   <DIR>   d--------   C:\WINDOWS\Registry Drill
2008-07-19 13:07 . 2008-07-19 13:07   <DIR>   d--------   C:\Program Files\Easy Desk Utilities
2008-07-15 17:01 . 2008-07-15 17:01   <DIR>   d--------   C:\WINDOWS\Google Earth Pro 4.2
2008-07-15 17:01 . 2008-07-15 17:01   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-15 17:01 . 2008-07-15 17:01   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple
2008-07-15 13:15 . 2008-07-15 13:15   123   --a------   C:\WINDOWS\rootkitno.ini
2008-07-15 12:15 . 2008-07-15 12:16   30,946   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\Partizan.sys
2008-07-15 12:15 . 2008-07-15 12:16   25,088   --a------   C:\WINDOWS\SYSTEM32\Partizan.exe
2008-07-14 19:18 . 2008-07-14 19:18   <DIR>   d--------   C:\Documents and Settings\BracGypsy\Application Data\Apple Computer
2008-07-14 15:13 . 2008-07-14 15:13   <DIR>   d--------   C:\Program Files\QuickTime
2008-07-14 15:11 . 2008-07-14 15:11   <DIR>   d--------   C:\Program Files\Apple Software Update
2008-07-14 12:18 . 2008-07-14 12:18   <DIR>   d--------   C:\Program Files\YahooFriend
2008-07-09 11:35 . 2008-07-09 11:36   <DIR>   d--------   C:\Program Files\Avant Browser
2008-07-09 10:33 . 2008-07-09 10:33   <DIR>   d--------   C:\Program Files\Belarc
2008-07-09 10:33 . 2005-04-07 16:18   3,840   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\BANTExt.sys
2008-07-08 17:21 . 2004-08-04 00:56   4,274,816   --a------   C:\WINDOWS\SYSTEM32\nv4_disp.dll
2008-07-08 17:21 . 2004-08-04 00:56   4,274,816   --a------   C:\WINDOWS\SYSTEM32\dllcache\nv4_disp.dll
2008-07-08 17:21 . 2004-08-03 22:29   1,897,408   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys
2008-07-08 17:21 . 2004-08-03 22:29   1,897,408   --a------   C:\WINDOWS\SYSTEM32\dllcache\nv4_mini.sys
2008-07-08 16:45 . 2006-11-17 19:21   208,896   --a------   C:\WINDOWS\SYSTEM32\NVUNINST.EXE
2008-07-07 23:46 . 2008-07-07 23:47   <DIR>   d--------   C:\RootkitNO
2008-07-07 18:38 . 2008-07-07 18:38   <DIR>   d--------   C:\Documents and Settings\Administrator.Q6Z2P4\Application Data\AVG7
2008-07-07 18:01 . 2008-07-07 18:01   <DIR>   d--------   C:\Documents and Settings\Administrator.Q6Z2P4\Application Data\Uniblue
2008-07-07 17:54 . 2008-07-07 17:54   <DIR>   d--------   C:\Documents and Settings\Administrator.Q6Z2P4\Application Data\Avant Profiles
2008-07-06 20:07 . 2008-07-06 20:08   <DIR>   d--------   C:\Program Files\Windows Media Connect 2
2008-07-02 12:37 . 2008-07-02 12:37   <DIR>   d--h-----   C:\Documents and Settings\BracGypsy\Recent(2)
2008-06-30 20:01 . 2008-06-30 20:01   <DIR>   d--------   C:\Program Files\CDG Disc Player
2008-06-28 16:04 . 2008-06-28 16:04   230   --a------   C:\WINDOWS\SYSTEM32\spupdsvc.inf
2008-06-28 15:34 . 2008-06-28 15:34   <DIR>   d--------   C:\Program Files\CCleaner
2008-06-28 14:34 . 2005-04-03 14:02   8,944   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\UnHackMeDrv.sys
2008-06-28 13:30 . 2008-06-28 13:30   <DIR>   d--------   C:\Program Files\Exterminate It!
2008-06-28 13:22 . 2008-06-28 13:22   <DIR>   d--------   C:\Program Files\Sophos
2008-06-28 11:02 . 2008-06-28 11:02   <DIR>   d--------   C:\Documents and Settings\BracGypsy\DoctorWeb
2008-06-26 18:50 . 2008-06-26 18:50   <DIR>   d--hs----   C:\FOUND.024
2008-06-26 14:26 . 2008-06-26 14:26   <DIR>   d--------   C:\Program Files\Trend Micro
2008-06-25 13:55 . 2008-06-25 13:55   <DIR>   d--------   C:\Program Files\SceneCaster

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 00:37   ---------   d-----w   C:\Program Files\ZoneAlarmSB
2008-06-22 00:35   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-06-21 21:22   ---------   d-----w   C:\Documents and Settings\LocalService\Application Data\Symantec
2008-06-21 20:41   ---------   d-----w   C:\Program Files\SymNetDrv
2008-06-21 20:31   ---------   d-----w   C:\Program Files\Norton AntiVirus
2008-06-21 20:30   ---------   d-----w   C:\Documents and Settings\BracGypsy\Application Data\Symantec
2008-06-21 17:34   ---------   d-----w   C:\Program Files\VirtualDJ
2008-06-20 21:27   ---------   d-----w   C:\Program Files\Easy Songwriter
2008-06-20 17:41   245,248   ----a-w   C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41   245,248   ----a-w   C:\WINDOWS\SYSTEM32\dllcache\mswsock.dll
2008-06-20 17:41   148,992   ----a-w   C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\SYSTEM32\dllcache\afd.sys
2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\SYSTEM32\dllcache\tcpip6.sys
2008-06-20 01:01   ---------   d-----w   C:\Documents and Settings\BracGypsy\Application Data\Aim
2008-06-20 00:58   ---------   d-----w   C:\Program Files\AOD
2008-06-20 00:58   ---------   d-----w   C:\Program Files\AIM
2008-06-16 05:28   ---------   d-----w   C:\Documents and Settings\Guest\Application Data\Uniblue
2008-06-14 21:09   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Uniblue
2008-06-14 17:09   34,308   ----a-w   C:\WINDOWS\SYSTEM32\BASSMOD_OLD.dll
2008-06-14 16:41   ---------   d-----w   C:\Program Files\Uniblue
2008-06-14 16:17   ---------   d-----w   C:\Documents and Settings\BracGypsy\Application Data\Uniblue
2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10   272,128   ------w   C:\WINDOWS\SYSTEM32\dllcache\bthport.sys
2008-06-05 20:25   ---------   d-----w   C:\Program Files\BitTorrent
2008-06-05 20:25   ---------   d-----w   C:\Documents and Settings\BracGypsy\Application Data\BitTorrent
2008-06-01 02:12   ---------   d-----w   C:\Program Files\Micrografx
2008-05-24 22:24   23,600   ----a-w   C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-05-23 23:39   ---------   d-----w   C:\Documents and Settings\BracGypsy\Application Data\Stupid roam
2008-05-23 23:18   ---------   d-----w   C:\Program Files\Stupid roam
2008-05-23 23:17   ---------   d-----w   C:\Program Files\BitDownload
2008-05-23 22:25   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-05-08 12:28   202,752   ----a-w   C:\WINDOWS\SYSTEM32\dllcache\rmcast.sys
2008-05-07 05:18   1,287,680   ----a-w   C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18   1,287,680   ----a-w   C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2008-04-23 04:16   63,488   ------w   C:\WINDOWS\SYSTEM32\dllcache\icardie.dll
2008-04-23 04:16   6,066,176   ------w   C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2008-04-23 04:16   52,224   ------w   C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2008-04-23 04:16   459,264   ------w   C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2008-04-23 04:16   383,488   ------w   C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2008-04-23 04:16   267,776   ------w   C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2007-08-10 23:02   630,784   ----a-w   C:\WINDOWS\system32\config\systemprofile\NTUSER(2).DAT
2007-06-12 19:55   266   --sh--w   C:\Program Files\desktop.ini
2007-06-12 19:55   11,079   ---h--w   C:\Program Files\folder.htt
.

(((((((((((((((((((((((((((((   snapshot@2008-07-22_10.45.45.70   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-23 14:11:16   16,384   ----a-w   C:\WINDOWS\TEMP\Perflib_Perfdata_510.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 22:36   8454656   --a------   C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2008-05-02 15:15 9442584]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoRun"= 0 (0x0)
"NoClose"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"VIDC.VDOM"= vdowave.drv
"VIDC.MPG4"= msscmc32.dll
"vidc.vivo"= ivvideo.dll
"msacm.vivog723"= vivog723.acm
"msacm.voxacm119"= vdk32119.acm
"VIDC.TR20"= tr2032.dll
"VIDC.UCOD"= clrviddd.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\NVCPL.DLL,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"AVG7_CC"=C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
"AVG7_EMC"=C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
"AVG7_AMSVR"=C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
"LWBMOUSE"=C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Avant Browser\\avant.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\HydraIRC\\HydraIRC.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\WINDOWS\\System32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 01:07]
S3 CH341SER;CH341SER;C:\WINDOWS\system32\Drivers\CH341SER.SYS [2006-06-05 00:00]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 00:56]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 00:56]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 00:56]
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-07-15 12:16]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc   REG_MULTI_SZ      p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 20:35:18 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-07-14 21:10:22 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-07-07 23:36:54 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 11:00:39
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-23 11:02:33
ComboFix-quarantined-files.txt  2008-07-23 16:02:28
ComboFix2.txt  2008-07-22 15:46:26

Pre-Run: 2,272,788,480 bytes free
Post-Run: 2,276,360,192 bytes free

211   --- E O F ---   2008-07-09 08:01:17
« Last Edit: July 23, 2008, 09:38:03 PM by Bracgypsy »

If you don't have a smile, i'll give you one of mine...
Pancake
Global Moderator
« Reply #7 on: July 23, 2008, 11:44:16 PM »

I don't see any more malware now. How are things running?
Bracgypsy
Newbie
« Reply #8 on: July 24, 2008, 03:27:54 PM »

I don't see any more malware now. How are things running?

Thanks so much for your help. At boot up things are loading faster. But webpages are still loading on the slow side. On the HJT list I deleted the first three R1 files. Also, as you notice, there are 3 files on the HJT list that have "missing files" (which are: "a-squared", "Lavasoft Ad-Aware" and "Google Updater"). What I find strange about these three files is, I have uninstalled these three programs, so I am wondering why they still come up on the HJT list. And another strange thing is, they will not delete. Do you have any answers for this?

Also I would like to explain something about what happened about a month ago. Wavetop popped up on my HJT list. I looked it up online and a few sites said it was a Trojan, other sites said it was a virus, and a few said it was harmless. I wasn't sure what to believe. My Uniblue Spy scan said it was a Trojan. So I ran a search for "wavetop" on my PC and found 3 places it was listed. One was in the Program System32 files, the other in the System files, and the other one was in Cab files. I wasn't able to delete the 2 system files until I changed the name of the wavetop file to "wavetop-old" in the cab files. When I did that I had no other problem with my PC or webpages loading slowly. I also deleted everything that had anything to do with the wavetop file in my Registry. After all I did I had no problems at all with my PC. It was running like a top. Then about 2 weeks later I had to do a system restore, but it would only let me restore back to during the time I had the "Wavetop" problem (which I had forgotten about; I guess I had a blonde moment). So anyway, when I restored, the wavetop came back. But the strange thing is: it's only showing up on my HJT list, because when I do a PC search for the wavetop file it's nowhere in my PC files. Now when I run the Uniblue Spy scan, it doesn't show any wavetop file, but it shows on my HJT list. I am not sure what's up with that! Do you have any ideas? I might be wrong, but I was thinking, since it's not showing up on search as "wavetop", could it have changed its name somehow? Sorry for all the questions, but this is really strange to me....

Thanks again for all your help. You've been the best.
I haven't tried the VooDoo dance yet, but as Chris Rock says: ya never know!!

BracGypsy!

If you don't have a smile, i'll give you one of mine...
Pancake
Global Moderator
« Reply #9 on: July 24, 2008, 10:39:25 PM »

Don't worry about things. It's all fine now.
Bracgypsy
Newbie
« Reply #10 on: July 24, 2008, 11:49:47 PM »

Don't worry about things. It's all fine now.

Thanks for everything that you have done. You taught me a few things. I know who to ask if I have another problem.

BracGypsy!

If you don't have a smile, i'll give you one of mine...