how to deal with avp.exe?
Started by calione, Apr 15 2007 08:01 PM
13 replies to this topic
#1
Posted 15 April 2007 - 08:01 PM
Hello,
My CPU usage is very high. It only started working like this a few weeks ago. I tried many trojan removers; they found some infected files, but my CPU usage is still very high... It is high because avp.exe uses up to 50%. Does anyone know how to deal with such a problem? If you need it, I can post the HijackThis log. Please let me know if you have any ideas how to fix my PC...
#2
Posted 15 April 2007 - 10:27 PM
Yes, please post a HijackThis log.
#3
Posted 15 April 2007 - 10:40 PM
Logfile of HijackThis v1.99.1
Scan saved at 01:37:20, on 2007.04.16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\playa.PLAYA-659760DB5\Desktop\hjt.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5FED9C8-6F76-49F4-B83C-431F127BD3F2}: NameServer = 212.59.0.1,212.59.0.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
One other thing: Trojan Remover finds C:\WINDOWS\System32\Drivers\sptd.sys as locked. As far as I understand, it is a file which should belong to Daemon Tools. However, I have uninstalled Daemon Tools, but Trojan Remover still finds this file. How should I deal with that?
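Since the thread turns on reading the HijackThis log by eye (the "looks good" verdict that follows), here is an added Python example, not part of this thread and not code from HijackThis or any of the tools named in it, that parses the O-section line format shown above and pulls out three things a reviewer checks first: the same process image appearing more than once, Run entries launching from a Temp directory, and services tagged "(file missing)". The sample log is constructed (a few lines in the shape of the posted log plus a made-up ExampleUpdater entry under Temp); the Temp-directory heuristic and the finding names are this example's own choices, not HijackThis rules.

```python
import re
from collections import Counter

# Constructed sample in the HijackThis v1.99 layout this thread uses: a few
# lines in the shape of the posted log plus one made-up Run entry under Temp
# (ExampleUpdater) so the temp-directory heuristic has something to flag.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ExampleUpdater] C:\DOCUME~1\USER~1\LOCALS~1\Temp\updater.exe
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
"""

# Every section line has the shape "O<n> - <body>".
O_LINE = re.compile(r"^(O\d+) - (.*)$")
# O4 body: HKLM\..\Run: [Name] command
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O23 body: Service: Display Name (ShortName) - Owner - path
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.*)$"
)
# Heuristic chosen for this example (not a HijackThis rule): a Run entry that
# launches from a Temp directory is worth a second look.
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into (running processes, O-section entries)."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = O_LINE.match(line)
        if m:
            in_procs = False  # the process list ends where the O-sections start
            entries.append({"section": m.group(1), "body": m.group(2)})
        elif in_procs:
            processes.append(line)
    return processes, entries


def summarize_sections(entries):
    """Count entries per O-section, e.g. {'O4': 3, 'O23': 1}."""
    return Counter(e["section"] for e in entries)


def triage(text):
    """Return (kind, detail) findings a human should verify on the machine."""
    processes, entries = parse_hjt(text)
    findings = []
    # The same image running more than once can be normal (a service plus its
    # tray instance), so it is reported for confirmation, not as an alarm.
    for path, n in Counter(p.lower() for p in processes).items():
        if n > 1:
            findings.append(("duplicate-process", f"{path} running {n} times"))
    for e in entries:
        if e["section"] == "O4":
            m = RUN_RE.match(e["body"])
            if m and TEMP_DIR.search(m.group("cmd")):
                findings.append(("autorun-from-temp", f"[{m.group('name')}] {m.group('cmd')}"))
        elif e["section"] == "O23":
            m = SERVICE_RE.match(e["body"])
            if m and "(file missing)" in m.group("path"):
                findings.append(("service-file-missing", f"{m.group('short')}: {m.group('path')}"))
    return findings


if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    print(f"{len(procs)} processes, sections: {dict(summarize_sections(ents))}")
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:22} {detail}")
```

Run it as a script to see the findings for the constructed sample, or pass a saved log's text to triage(). Treat each finding as a prompt to verify on the machine rather than a verdict: two avp.exe instances is how Kaspersky Anti-Virus 6 normally runs (the service plus the user-session instance), and the stray closing quote in the O23 line is the sign of a service ImagePath that is quoted and carries an argument, which HijackThis 1.99.1 was known to misreport as "(file missing)" even when the file is present.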
#4
Posted 16 April 2007 - 04:47 AM
avp.exe is from Kaspersky.
I notice you have quite a few real-time spyware scanners running on that computer. Running all of those could not only slow you down, but they might be conflicting with each other.
If you're running Spyware Doctor 5, it very well could be slowing you down. The latest version of it is having major issues with high RAM usage and more.
Your HijackThis log looks good.
That sptd.sys should be fine, but if you want to delete it since you don't use the program anymore, you could do that. (I could show you a tool to remove it if you can't delete it regularly.)
#5
Posted 16 April 2007 - 07:32 AM
Yes, I would like to delete it, as my PC was never working like that before. I'm pretty sure that something is wrong with it... Thank you for your time, and please show me the tool.
#6
Posted 16 April 2007 - 09:31 AM
By the way, I was using all those programs because my computer was really infected. Now that I have cleaned it, I can uninstall some of them; which ones would you recommend keeping? Here's the list of stuff I have on my PC:
1. Ad-Aware SE Personal
2. LSPFix
3. ATF-Cleaner
4. HijackThis
5. Avenger
6. SDFix
7. SmitfraudFix
8. CCleaner
9. Trojan Remover
#7
Posted 16 April 2007 - 09:56 PM
Looks like we need to dig a little deeper and make sure there is nothing hiding.
Run Panda ActiveScan from Here.
Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.
---------
Download AVG Anti-Spyware
- Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update, click Start update.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Click on the Scanner tab at the top and then click on Complete System Scan
- Ewido will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG antispyware will then display "All actions have been applied" on the right.
- Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back
---------
Download this file - combofix.exe - and save it to your desktop.
Double-click combofix.exe and follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running, as it may cause it to stall.
Come back with all of the logs in your next post.
#8
Posted 16 April 2007 - 10:55 PM
Here's the log of AVG; I'll post the other results tomorrow.
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 01:54:58 2007.04.17
+ Scan result:
C:\Documents and Settings\playa.PLAYA-659760DB5\My Documents\install\kazaa_setup.exe -> Adware.Altnet : Ignored.
C:\SDFix\backups\backups.zip/backups/ndis.sys -> Not-A-Virus.SpamTool.Win32.Agent.u : Ignored.
C:\Documents and Settings\playa.PLAYA-659760DB5\Cookies\playa@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\playa.PLAYA-659760DB5\Cookies\playa@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.75:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Adocean : Cleaned.
:mozilla.78:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Adocean : Cleaned.
:mozilla.116:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\playa.PLAYA-659760DB5\Cookies\playa@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\playa.PLAYA-659760DB5\Cookies\playa@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.32:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.33:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.34:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.35:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.36:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.41:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.42:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.43:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.18:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\playa.PLAYA-659760DB5\Cookies\playa@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.23:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.29:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.76:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Gemius : Cleaned.
:mozilla.77:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Gemius : Cleaned.
:mozilla.111:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\playa.PLAYA-659760DB5\Cookies\playa@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
:mozilla.79:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.80:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.113:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.73:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.74:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.31:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.103:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.93:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.94:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.95:C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
::Report end
#9
Posted 16 April 2007 - 11:07 PM
Here's the ComboFix log:
"playa" - 07-04-17 2:03:37 Service Pack 2
ComboFix 07-04-16.3.V - Running from: C:\Program Files\Mozilla Firefox\
((((((((((((((((((((((((((((((( Files Created from 2007-03-17 to 2007-04-17 ))))))))))))))))))))))))))))))))))
2007-04-17 01:19 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-16 21:32 23,524 --a------ C:\WINDOWS\system32\drivers\GVTDrv.sys
2007-04-16 21:32 13,440 --a------ C:\WINDOWS\GPCIDrv.sys
2007-04-16 18:39 19,456 --a------ C:\WINDOWS\system32\Partizan.exe
2007-04-16 18:35 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2007-04-16 18:35 (2) -rahs-ot- C:\WINDOWS\winstart.bat
2007-04-16 18:33 <DIR> d-------- C:\Program Files\Greatis
2007-04-16 14:15 <DIR> d-------- C:\Program Files\QuickTime
2007-04-16 12:38 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-16 12:38 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-16 12:38 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-16 12:38 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-16 12:38 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-16 12:38 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-16 00:41 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-04-16 00:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\SUPERAntiSpyware.com
2007-04-16 00:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-04-16 00:31 <DIR> d-------- C:\DOCUME~1\PLAYA~1.PLA\APPLIC~1\SUPERAntiSpyware.com
2007-04-15 23:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\SecTaskMan
2007-04-15 23:17 <DIR> d-------- C:\Program Files\Recuva
2007-04-15 22:44 <DIR> d-------- C:\DOCUME~1\PLAYA~1.PLA\APPLIC~1\Uniblue
2007-04-15 20:15 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-04-15 20:15 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-04-15 20:15 4,974,624 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-04-15 20:15 29,984 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-04-15 16:08 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\TEMP
2007-04-15 15:39 3,224 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-14 22:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2007-04-14 21:17 <DIR> d-------- C:\Program Files\Trojan Remover
2007-04-14 21:17 <DIR> d-------- C:\DOCUME~1\PLAYA~1.PLA\APPLIC~1\Simply Super Software
2007-04-14 19:11 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-14 18:33 50,080 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2007-04-14 18:33 29,472 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2007-04-14 18:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\F-Secure
2007-04-14 18:31 <DIR> d-------- C:\Program Files\F-Secure
2007-04-14 18:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\fssg
2007-04-13 16:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Kaspersky Lab
2007-04-12 13:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Azureus
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-17 01:51 -------- d-------- C:\DOCUME~1\PLAYA~1.PLA\APPLIC~1\skype
2007-04-16 20:22 -------- d-------- C:\Program Files\emule
2007-04-16 12:16 -------- d-------- C:\Program Files\spyware doctor
2007-04-15 20:17 -------- d-------- C:\Program Files\kaspersky lab
2007-04-13 12:18 -------- d-------- C:\Program Files\soulseek
2007-04-12 13:50 -------- d-------- C:\Program Files\software
2007-04-12 13:18 -------- d-------- C:\Program Files\azureus
2007-04-10 16:36 3350 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-04-09 19:47 -------- d-------- C:\Program Files\filezilla
2007-03-14 01:15 108144 --a------ C:\WINDOWS\system32\cmdlineext.dll
2007-03-14 01:15 -------- dr-h----- C:\DOCUME~1\PLAYA~1.PLA\APPLIC~1\securom
2007-03-14 01:00 -------- d-------- C:\Program Files\atari
2007-02-18 18:14 -------- d-------- C:\Program Files\corel
2007-02-18 18:08 56 -r-hs---- C:\WINDOWS\system32\15f939f3f1.sys
2007-01-29 23:04 200768 --a------ C:\WINDOWS\system32\klogon.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll [x]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"VGAUtil"="C:\\Program Files\\GigaByte\\VGA Utility Manager\\G-VGA.exe"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"TrojanScanner"="C:\\Program Files\\Trojan Remover\\Trjscan.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl]
"Operation"=dword:00000001
"Target"="\\??\\C:\\WINDOWS\\SYSTEM32\\DRIVERS\\GVTDRV.SYS"
"Source"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\1]
"Operation"=dword:00000001
"Target"="C:\\WINDOWS\\GPCIDRV.SYS"
"Source"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
"{F552DDE6-2090-4bf4-B924-6141E87789A5}"="RegRun Script Checker Shell Hook DLL"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVG_ANTI-SPYWARE_DRIVER
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVG_ANTI-SPYWARE_GUARD
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-17 2:06:55
C:\ComboFix-quarantined-files.txt ... 07-04-17 02:06
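Two things a reader would want to pull out of a ComboFix log like the one above are (a) which binary each Run value actually launches, so the avp.exe eating CPU can be matched against the path Kaspersky installed, and (b) which newly created files under %WINDIR% carry both the hidden and system attributes, since those are the ones worth a second look. The Python below does both over lines copied from the log in this thread. It is an added example, not code from the thread, from ComboFix, or from Kaspersky; the regexes and the reading of ComboFix's 9-character attribute column (d, r, a, h, s; the remaining columns are not interpreted) are my own assumptions from the log's layout, and a flagged file is a prompt to inspect it, not a verdict that it is malicious.

```python
"""Triage helpers for ComboFix log excerpts: autorun targets and hidden/system files."""
import re

# Constructed sample input: lines copied from the ComboFix log posted in this thread.
FILES_CREATED = r"""
2007-04-16 18:39 19,456 --a------ C:\WINDOWS\system32\Partizan.exe
2007-04-16 18:35 (2) -rahs-ot- C:\WINDOWS\winstart.bat
2007-04-15 20:15 4,974,624 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-04-10 16:36 3350 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-02-18 18:08 56 -r-hs---- C:\WINDOWS\system32\15f939f3f1.sys
2007-04-12 13:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Azureus
"""

# Constructed sample input: Run values as ComboFix printed them (.reg-style escaping).
RUN_KEY = r"""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"VGAUtil"="C:\\Program Files\\GigaByte\\VGA Utility Manager\\G-VGA.exe"
"TrojanScanner"="C:\\Program Files\\Trojan Remover\\Trjscan.exe"
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"""

# Layout assumed from the log: date time size attrs path. Size may be a number,
# "(n)" or "<DIR>"; attrs is a 9-character column of letters or dashes.
FILE_LINE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|\(\d+\)|[\d,]+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>\S.*)$"
)
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# First drive-letter path ending in .exe or .dll inside a command line.
EXE_PATH = re.compile(r'(?i)[a-z]:\\[^"]*?\.(?:exe|dll)')


def parse_files(text):
    """Return (when, size_bytes_or_None, attribute-letter set, path) per file line."""
    out = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        size = m["size"]
        size_bytes = int(size.replace(",", "")) if size[0].isdigit() else None
        out.append((m["when"], size_bytes, set(m["attrs"]) - {"-"}, m["path"]))
    return out


def hidden_system_files(text, under=r"C:\WINDOWS"):
    """Files (not directories) under `under` that are both hidden and system."""
    return [p for _, _, flags, p in parse_files(text)
            if "d" not in flags and {"h", "s"} <= flags
            and p.lower().startswith(under.lower())]


def unescape_reg(data):
    """Undo .reg-style escaping: a backslash before '\\' or '"' is dropped."""
    out, i = [], 0
    while i < len(data):
        if data[i] == "\\" and i + 1 < len(data) and data[i + 1] in '\\"':
            out.append(data[i + 1])
            i += 2
        else:
            out.append(data[i])
            i += 1
    return "".join(out)


def parse_run_key(text):
    """Map each Run value name to (unescaped command line, first image path found)."""
    entries = {}
    for line in text.splitlines():
        m = REG_VALUE.match(line.strip())
        if not m:
            continue
        cmd = unescape_reg(m["data"])
        img = EXE_PATH.search(cmd)
        entries[m["name"]] = (cmd, img.group(0) if img else None)
    return entries


def unquoted_space_paths(entries):
    """Run values whose executable path is the first token, unquoted, and contains spaces.

    CreateProcess resolves such a command line by trying each space-delimited
    prefix in turn (C:\\Program.exe before C:\\Program Files\\...\\G-VGA.exe), so the
    entry should be quoted; this only flags the hygiene issue, nothing more.
    """
    return sorted(name for name, (cmd, img) in entries.items()
                  if img and cmd.startswith(img) and " " in img)


if __name__ == "__main__":
    runs = parse_run_key(RUN_KEY)
    for name, (cmd, img) in runs.items():
        print(f"{name:20} -> {img}")
    print("unquoted paths with spaces:", unquoted_space_paths(runs))
    for path in hidden_system_files(FILES_CREATED):
        print("hidden+system:", path)
```

Matching the "AVP" Run value against the two avp.exe entries in the HijackThis process list (both under C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\) is the quick way to rule out a look-alike process with the same name running from elsewhere.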
#10 OFFLINE
Posted 17 April 2007 - 08:53 AM
Here's the ActiveScan report:
Incident Status Location
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\playa.PLAYA-659760DB5\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\playa.PLAYA-659760DB5\Cookies\playa@2o7[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\playa.PLAYA-659760DB5\Cookies\playa@atdmt[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\playa.PLAYA-659760DB5\Cookies\playa@microsofteup.112.2o7[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\playa.PLAYA-659760DB5\Desktop\ComboFix.exe[ComboFixT\nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\playa.PLAYA-659760DB5\Local Settings\Application Data\Mozilla\Firefox\Profiles\4tl55ky5.default\Cache\C2152591d01[ComboFixT\nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
#11 OFFLINE
Posted 18 April 2007 - 03:03 PM
You can go ahead and delete this folder:
C:\SDFix
A couple of things we can try to speed things up.
1. Go to Start > Run and enter "SFC /SCANNOW" without the quotes.
2. Disable all real-time security programs, then uninstall and reinstall Kaspersky. Uninstall any programs that are trial versions (you should keep AVG and SUPER though, because they can be used past their trials to update and scan).
Let me know if things get better.
#12 OFFLINE
Posted 18 April 2007 - 04:57 PM
Deleting SDFix, reinstalling Kaspersky, and uninstalling the other security programs didn't help... I'm just wondering what the C:\WINDOWS\system32\Partizan.exe file is? I've got this stuff running...
#13 OFFLINE
Posted 18 April 2007 - 05:35 PM
#14 OFFLINE
Posted 18 April 2007 - 05:59 PM
Oh, I did install RegRun, so it belongs to it... Damn, I'm starting to think about formatting my hard disk... It's really impossible to work with a PC that runs so slow...