#15 - 03-15-2008 - dahli (Senior Security Analyst)
Re: Yes.. It's true.. I'm submitting a HJT log.. O.o

In the same place you typed "purity", type the following:

Code:
c:\users\*.* /u /s


__________________
Steve
#16 - 03-15-2008 - DarkLord7854 (Banned)

Here we go:

[Custom Input]
< c:\users\*.* /u /s >
File/Folder c:\users\*.* not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03


#17 - 03-15-2008 - dahli (Senior Security Analyst)

Click Start>run then type cmd
In the command window that opens type the following:

Code:
 dir c:\w?auclt.exe /a /s > C:\found.txt & start notepad c:\found.txt
Post the log it creates.

*****You may have to open the command prompt using the "run as administrator" (I can't remember off-hand)


__________________
Steve
#18 - 03-15-2008 - DarkLord7854 (Banned)

Here we go:

Volume in drive C is VistaOS
Volume Serial Number is 60EC-BC6D

Directory of c:\Windows\System32

02/29/2008 02:59 PM 53,080 wuauclt.exe
1 File(s) 53,080 bytes

Directory of c:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_6.0.6000.16386_none_acab9aecacae685d

11/02/2006 05:46 AM 41,472 wuauclt.exe
1 File(s) 41,472 bytes

Directory of c:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.0.6000.381_none_981d19142bc9942c

02/29/2008 02:59 PM 53,080 wuauclt.exe
1 File(s) 53,080 bytes

Total Files Listed:
3 File(s) 147,632 bytes
0 Dir(s) 30,163,357,696 bytes free


#19 - 03-15-2008 - dahli (Senior Security Analyst)

That is good news. Then it must only be a registry entry that I saw.

Using msconfig, enable all startups and run Combofix. Post the log.


__________________
Steve
#20 - 03-15-2008 - DarkLord7854 (Banned)

Alright, here we go:

ComboFix 08-03-14.4 - Enzo 2008-03-15 4:38:49.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1285 [GMT -4:00]
Running from: C:\Users\Enzo\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\uninstall_nmon.vbs

.
((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 08:39 --------- d-----w C:\Users\Enzo\AppData\Roaming\uTorrent
2008-03-15 08:37 --------- d-----w C:\Users\Enzo\AppData\Roaming\GetRightToGo
2008-03-15 08:18 --------- d-----w C:\Users\Enzo\AppData\Roaming\Skype
2008-03-15 07:42 --------- d-----w C:\Users\Enzo\AppData\Roaming\Xfire
2008-03-15 07:41 --------- d-----w C:\ProgramData\Avg7
2008-03-15 06:42 22,528 ----a-w C:\Windows\system32\drivers\nhcDriver.sys
2008-03-15 05:51 --------- d-----w C:\ProgramData\Test Drive Unlimited
2008-03-15 05:08 24,576 ----a-w C:\Windows\System32\VundoFixSVC.exe
2008-03-15 04:19 --------- d-----w C:\Program Files\Notebook Hardware Control
2008-03-15 03:42 --------- d-----w C:\Program Files\Lavalys
2008-03-15 02:31 413,696 ----a-w C:\Windows\System32\wrap_oal.dll
2008-03-15 02:31 110,592 ----a-w C:\Windows\System32\OpenAL32.dll
2008-03-15 02:31 --------- d-----w C:\Program Files\OpenAL
2008-03-14 23:38 --------- d-----w C:\Program Files\Steam
2008-03-13 05:17 --------- d-----w C:\ProgramData\Lavasoft
2008-03-13 05:17 --------- d-----w C:\Program Files\Lavasoft
2008-03-13 05:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-13 04:41 12,978 ----a-w C:\Users\Enzo\AppData\Roaming\nvModes.dat
2008-03-13 03:50 --------- d-----w C:\Program Files\RivaTuner v2.08
2008-03-13 03:41 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-03-13 00:56 --------- d-----w C:\Program Files\Common Files\Steam
2008-03-12 23:56 --------- d-----w C:\Users\Enzo\AppData\Roaming\Hamachi
2008-03-12 20:29 --------- d-----w C:\Users\Enzo\AppData\Roaming\mIRC
2008-03-12 19:38 195,995 ----a-w C:\msexe.exe
2008-03-12 03:55 2,380,800 ----a-w C:\Windows\System32\mIRC - English.exe
2008-03-12 03:50 --------- d-----w C:\Program Files\mIRC
2008-03-11 07:24 --------- d-----w C:\ProgramData\Microsoft Help
2008-03-11 07:02 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-03-10 21:11 --------- d-----w C:\Users\Enzo\AppData\Roaming\Apple Computer
2008-03-10 20:10 --------- d-----w C:\Program Files\Winamp
2008-03-10 19:57 --------- d-----w C:\ProgramData\Apple Computer
2008-03-10 19:57 --------- d-----w C:\Program Files\iTunes
2008-03-10 19:57 --------- d-----w C:\Program Files\iPod
2008-03-10 19:56 --------- d-----w C:\Program Files\Bonjour
2008-03-10 19:55 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-10 08:10 4,224 ----a-w C:\Windows\system32\drivers\NVStrap.sys
2008-03-09 20:26 --------- d-----w C:\Program Files\support.com
2008-03-09 05:21 --------- d-----w C:\Program Files\Common Files\SupportSoft
2008-03-09 00:59 --------- d-----w C:\ProgramData\VMware
2008-03-09 00:56 --------- d-----w C:\Users\Enzo\AppData\Roaming\VMware
2008-03-09 00:45 --------- d-----w C:\Program Files\Elaborate Bytes
2008-03-08 02:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-07 22:03 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-03-06 22:07 --------- d-----w C:\Program Files\uTorrent
2008-03-06 17:52 --------- d-----w C:\Users\Enzo\AppData\Roaming\SystemRequirementsLab
2008-03-06 00:48 --------- d-----w C:\ProgramData\Xfire
2008-03-05 22:27 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-03-05 22:17 32 ----a-w C:\ProgramData\ezsid.dat
2008-03-05 22:17 --------- d-----w C:\Users\Enzo\AppData\Roaming\skypePM
2008-03-05 22:16 --------- d-----w C:\ProgramData\Skype
2008-03-05 22:16 --------- d-----w C:\Program Files\Skype
2008-03-05 22:16 --------- d-----w C:\Program Files\Common Files\Skype
2008-03-04 22:15 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-03-04 08:22 --------- d-----w C:\Program Files\Nokia
2008-03-04 08:22 --------- d-----w C:\Program Files\Intuwave
2008-03-03 23:53 --------- d-----w C:\ProgramData\Apple
2008-03-03 23:53 --------- d-----w C:\Program Files\QuickTime
2008-03-03 23:53 --------- d-----w C:\Program Files\Apple Software Update
2008-03-03 23:34 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-03 23:18 --------- d--h--w C:\ProgramData\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-03-03 20:24 --------- d-----w C:\Users\Enzo\AppData\Roaming\Intel
2008-03-03 14:44 --------- d-----w C:\Program Files\AdomBot
2008-03-03 06:44 --------- d-----w C:\ProgramData\FLEXnet
2008-03-03 02:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-03 02:32 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-03-01 06:32 --------- d-----w C:\ProgramData\~0
2008-03-01 06:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-01 06:19 --------- d-----w C:\ProgramData\Symantec
2008-03-01 06:04 --------- d-----w C:\Users\Enzo\AppData\Roaming\Infineon
2008-03-01 02:21 66,872 ----a-w C:\Windows\System32\PnkBstrA.exe
2008-03-01 02:21 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-03-01 02:21 103,736 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-03-01 00:45 --------- d-----w C:\Program Files\MSBuild
2008-03-01 00:36 --------- d-----w C:\Program Files\Microsoft Works
2008-03-01 00:35 --------- d-----w C:\Program Files\Microsoft Expression
2008-03-01 00:34 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-29 23:39 --------- d-----w C:\Users\Enzo\AppData\Roaming\Leadertech
2008-02-29 23:12 22,328 ----a-w C:\Users\Enzo\AppData\Roaming\PnkBstrK.sys
2008-02-29 22:36 21,840 ----atw C:\Windows\System32\SIntfNT.dll
2008-02-29 22:36 17,212 ----atw C:\Windows\System32\SIntf32.dll
2008-02-29 22:36 12,067 ----atw C:\Windows\System32\SIntf16.dll
2008-02-29 22:16 70,656 ----a-w C:\Windows\ScUnin.exe
2008-02-29 21:18 25,280 ----a-w C:\Windows\system32\drivers\hamachi.sys
2008-02-29 21:18 --------- d-----w C:\Program Files\Hamachi
2008-02-29 21:15 --------- d-----w C:\Users\Enzo\AppData\Roaming\Winamp
2008-02-29 21:01 --------- d-----w C:\Program Files\ASUS
2008-02-29 20:52 --------- d-----w C:\Program Files\Frameworkx
2008-02-29 20:51 --------- d-----w C:\Program Files\Java
2008-02-29 20:50 --------- d-----w C:\Program Files\Common Files\Java
2008-02-29 20:44 716,272 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-02-29 20:44 --------- d-----w C:\Users\Enzo\AppData\Roaming\DAEMON Tools
2008-02-29 20:40 --------- d-----w C:\Program Files\PowerForPhone
2008-02-29 20:39 --------- d-----w C:\Users\Enzo\AppData\Roaming\Ahead
2008-02-29 20:39 --------- d-----w C:\Program Files\Common Files\Ahead
2008-02-29 20:32 174 --sha-w C:\Program Files\desktop.ini
2008-02-29 20:28 --------- d-----w C:\Program Files\Windows Mail
2008-02-29 20:28 --------- d-----w C:\Program Files\Windows Calendar
2008-02-29 20:22 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-02-29 20:21 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-02-29 20:20 82,432 ----a-w C:\Windows\system32\drivers\sdbus.sys
2005-07-29 20:24 472 --sha-r C:\Windows\RW56bw\lqcdvT.vbs
.

((((((((((((((((((((((((((((( snapshot@2008-03-15_ 2.42.32.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-15 06:38:48 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-03-15 07:42:06 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-03-15 06:38:48 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-03-15 07:42:01 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-03-15 05:13:19 6,936 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-765763825-3370971890-1530031887-1000_UserData.bin
+ 2008-03-15 06:41:30 7,312 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-765763825-3370971890-1530031887-1000_UserData.bin
- 2008-03-15 05:13:19 69,194 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-03-15 06:41:30 69,500 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xcnvrmg"="C:\Users\Enzo\AppData\Roaming\?asks\w?auclt.exe" [ ]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-07-11 05:12 1006264]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-01 09:24 857648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 05:31 630784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 05:07 4390912 C:\Windows\RtHDVCpl.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"PowerForPhone"="C:\Program Files\PowerForPhone\PowerForPhone.exe" [ ]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-04-28 19:05 86016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-04-28 19:05 81920]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-04-28 19:05 8429568]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [ ]
"MSServer"="C:\Windows\system32\ddcdc.dll" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [ ]
"IFXSPMGT"="C:\Windows\system32\ifxspmgt.exe" [ ]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 16:37 174872]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"CognizanceTS"="C:\PROGRA~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [ ]
"ASUS Screen Saver Protector"="C:\Windows\ASScrPro.exe" [2007-07-11 05:52 33136]
"ASUS Camera ScreenSaver"="C:\Windows\ASScrProlog.exe" [ ]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 05:45 222208]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 07:44:06 29696]
PCSuiteForNokia6600 Detect.lnk - C:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe [2008-03-04 04:22:51 196608]
PCSuiteForNokia6600 TS.lnk - C:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe [2008-03-04 04:22:51 258112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-765763825-3370971890-1530031887-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{21FB533C-E45C-4C07-938B-78F252CE7886}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{3EBFB993-273A-401C-AFF1-F9AF434CA508}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"{3C0D88E5-1653-4249-9C57-16513242769C}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{AD583B4F-8CD0-4EA6-AC61-DA50FFD80BDC}"= UDP:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{7E899F81-59B4-4924-B033-B0F51BDADA61}"= TCP:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;C:\Windows\System32\StkCSrv.exe [2007-02-07 06:44]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\atl01v32.sys [2007-03-15 02:41]
R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;C:\Windows\system32\Drivers\StkCMini.sys [2007-02-13 00:41]
R3 TPM;TPM;C:\Windows\system32\drivers\tpm.sys [2006-11-02 05:50]
S0 NVStrap;NVStrap;C:\Windows\system32\drivers\NVStrap.sys [2008-03-10 04:10]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-03-12 03:11]
S4 Windows Executable Manager;Windows Executable Manager;"C:\Windows\msexe.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
GPSvcGroup REG_MULTI_SZ GPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e347c1f-eba3-11dc-855e-005056c00008}]
\shell\AutoRun\command - G:\autorun.exe
\shell\install\command - G:\setup.exe

*Newly Created Service* - AAWSERVICE
*Newly Created Service* - APPLE_MOBILE_DEVICE
*Newly Created Service* - BONJOUR_SERVICE
*Newly Created Service* - CLTNETCNSERVICE
*Newly Created Service* - IAANTMON
*Newly Created Service* - LIGHTSCRIBESERVICE
*Newly Created Service* - TABLETINPUTSERVICE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 04:40:14
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-15 4:40:47
ComboFix-quarantined-files.txt 2008-03-15 08:40:45
ComboFix2.txt 2008-03-15 06:42:56
.
2008-03-11 07:24:19 --- E O F ---
Can I re-disable all start-up items? Also, I've been trying to disable TaskScheduler (since Services doesn't allow me to stop/disable it)...

Thanks
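
An added example, not part of the original thread or of ComboFix: a small Python triage of Run-key lines in the "Reg Loading Points" format of the log above. It flags entries whose path contains a "?" placeholder (a character the log could not render), that sit under a user profile's AppData, whose file details are empty, or whose file name matches a Windows binary outside its normal folder. The sample lines are copied from the log with the forum's line-wrap spaces removed; the flag names, the `SYSTEM_BINARIES` list and the reading of `[ ]` as "no file details could be read" are assumptions.

```python
import fnmatch
import ntpath
import re

# Run-key lines copied from the ComboFix log in this thread
# (spaces inserted by the forum's line wrapping removed).
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xcnvrmg"="C:\Users\Enzo\AppData\Roaming\?asks\w?auclt.exe" [ ]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-07-11 05:12 1006264]
"MSServer"="C:\Windows\system32\ddcdc.dll" [ ]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 05:45 222208]
'''

# Assumption for illustration: Windows binaries and the folder they belong in.
SYSTEM_BINARIES = {
    "wuauclt.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}

KEY = re.compile(r'^\[(HK[^\]]+)\]$')
ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')


def parse_run_entries(text):
    """Return one dict per value line, tagged with the registry key above it."""
    key, entries = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        header = KEY.match(line)
        if header:
            key = header.group(1)
            continue
        value = ENTRY.match(line)
        if value and key:
            entries.append({"key": key, "name": value["name"],
                            "path": value["path"], "meta": value["meta"].strip()})
    return entries


def flags_for(entry):
    """Collect reasons an autorun entry deserves a closer look."""
    path = entry["path"].lower()
    folder, filename = ntpath.split(path)
    flags = []
    if "?" in path:                      # character the log could not render
        flags.append("unrenderable-char")
    if path.startswith("c:\\users\\") and "\\appdata\\" in path:
        flags.append("user-writable-path")
    if not entry["meta"]:                # "[ ]": no date/size was recorded
        flags.append("no-file-details")
    for real, home in SYSTEM_BINARIES.items():
        # "?" acts as a one-character wildcard, so w?auclt.exe matches wuauclt.exe
        if fnmatch.fnmatchcase(real, filename) and folder != home:
            flags.append("masquerades-as:" + real)
    return flags


def triage(text):
    """Flagged entries as (value name, flags), most flags first."""
    hits = [(e["name"], flags_for(e)) for e in parse_run_entries(text)]
    return sorted((h for h in hits if h[1]), key=lambda h: -len(h[1]))


if __name__ == "__main__":
    for name, flags in triage(SAMPLE):
        print(f"{name:10} {', '.join(flags)}")
```
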


#21 - 03-15-2008 - dahli (Senior Security Analyst)

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Are you referring to ECTaskScheduler?


__________________
Steve
