Author Topic: Avasts been hijack please help  (Read 82990 times)


UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #15 on: April 19, 2007, 04:21:51 PM »
Did you install Remote Packet Capture Protocol v.0? Yes, but I can't remember why; I'm going to uninstall it.

Have you had a chance to run AVG AntiRootKit? Yes, and I did the in-depth scan and it didn't find anything.

Here's the log you asked for.

It won't let me post all at once.

Deckard's System Scanner v20070411.38
Run by Sean on 2007-04-19 at 14:16:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-04-19 13:16:49 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Sean.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 14:17:34, on 19/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\locator.exe
C:\Documents and Settings\Sean\Desktop\dss.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\HIJACK~1\Sean.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: UKPoker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\UKPoker\client.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O15 - Trusted Zone: img.bleepingcomputer.com
O15 - Trusted Zone: www.bleepingcomputer.com
O15 - Trusted Zone: http://www.bleepingcomputer.com
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
« Last Edit: April 19, 2007, 04:33:40 PM by UK_Sean »
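An added example, not from this thread and not part of HijackThis: a small parser for the O23 service lines in the log above that flags the pattern visible on the avast! Mail Scanner, avast! Web Scanner and rpcapd entries, namely an ImagePath whose opening quote is gone (only the closing quote before `/service` or `-d` survives) and a file that HijackThis reports as missing. The sample lines are copied from the log; the flag names and heuristics are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the O23 lines from the HijackThis log above, copied verbatim.
SAMPLE_O23 = r"""
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# "Display Name (ShortName)"; the short name is the last parenthesised group, if any.
NAME_RE = re.compile(r"^(?P<display>.*?)(?: \((?P<short>[^()]+)\))?$")
MISSING = "(file missing)"


@dataclass
class ServiceEntry:
    display: str
    short: Optional[str]
    owner: str
    image: str  # ImagePath exactly as HijackThis printed it, annotations included
    flags: List[str] = field(default_factory=list)

    @property
    def key(self) -> str:
        return self.short or self.display


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Split 'O23 - Service: <name> - <owner> - <imagepath>'; None for other lines."""
    parts = line.strip().split(" - ", 3)
    if len(parts) != 4 or parts[0] != "O23" or not parts[1].startswith("Service: "):
        return None
    m = NAME_RE.match(parts[1][len("Service: "):])
    return ServiceEntry(m.group("display"), m.group("short"), parts[2], parts[3])


def triage(entry: ServiceEntry) -> List[str]:
    """Heuristic flags for one service entry (flag names are this example's own)."""
    flags: List[str] = []
    image = entry.image
    if image.endswith(MISSING):
        flags.append("file missing")
        image = image[: -len(MISSING)].rstrip()
    # An ImagePath containing spaces must be wrapped in quotes. When only the closing
    # quote survives, the service manager is handed a truncated path and the service
    # never starts, which is what the avast! and rpcapd lines above show.
    if '"' in image and not image.startswith('"'):
        flags.append("leading quote stripped from ImagePath")
    if image.count('"') % 2:
        flags.append("unbalanced quotes in ImagePath")
    # HijackThis prints "Unknown owner" when it cannot read a company name from the
    # binary's version resource (for a file it cannot find, it never can).
    if entry.owner == "Unknown owner":
        flags.append("no publisher in version info")
    entry.flags = flags
    return flags


def triage_log(text: str) -> Dict[str, List[str]]:
    """Parse every O23 line of a HijackThis log and return {service: flags}."""
    results: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_o23(line)
        if entry is not None:
            results[entry.key] = triage(entry)
    return results


if __name__ == "__main__":
    for name, flags in triage_log(SAMPLE_O23).items():
        print(f"{name:<24} {'; '.join(flags) or 'ok'}")
```

The "no publisher" flag is deliberately the weakest signal: plenty of legitimate binaries ship without a company name. It becomes interesting when combined with the others, or when an earlier log shows the same service with a publisher, as the HijackThis backup entries in the next reply do for rpcapd (CACE Technologies) and the avast! scanners (ALWIL Software).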

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #16 on: April 19, 2007, 04:23:36 PM »
-- HijackThis Fixed Entries (C:\HIJACK~1\backups\) -----------------------------

backup-20070412-234153-117 O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
backup-20070412-234153-142 O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
backup-20070412-234153-211 O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
backup-20070412-234153-875 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
backup-20070412-234153-879 O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
backup-20070413-000143-106 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
backup-20070413-000143-160 O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
backup-20070413-000143-169 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
backup-20070413-000143-257 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
backup-20070413-000143-326 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
backup-20070413-000143-501 O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
backup-20070413-000143-606 O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
backup-20070413-000143-783 O8 - Extra context menu item: Download by GAS - C:\PROGRA~1\GETASF~1\ie_MenuExt.htm
backup-20070413-000143-828 O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
backup-20070413-000143-926 O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
backup-20070413-032532-314 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
backup-20070413-032532-524 O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
backup-20070413-032532-535 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
backup-20070413-032532-709 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
backup-20070413-032532-856 O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing)
backup-20070413-103537-183 O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
backup-20070413-103537-256 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
backup-20070413-103537-431 O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
backup-20070413-103537-653 O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
backup-20070413-153913-438 O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
backup-20070418-114259-775 O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"
.txt - Gammadyne DocPad - shell\open\command - "C:\Program Files\DocPad\docpad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Si3112r (Silicon Image SiI 3112 SATARaid Controller) - c:\windows\system32\drivers\si3112r.sys
R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys
R1 ikhfile (File Security Kernel Anti-Spyware Driver) - c:\windows\system32\drivers\ikhfile.sys
R1 ikhlayer (Kernel Anti-Spyware Driver) - c:\windows\system32\drivers\ikhlayer.sys
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys
R2 aslm75 - c:\windows\system32\drivers\aslm75.sys
R2 irda (IrDA Protocol) - c:\windows\system32\drivers\irda.sys
R2 SocketLock (Raw Socket Lock Driver) - c:\windows\system32\socketlock.sys
R2 tmcomm - c:\windows\system32\drivers\tmcomm.sys
R2 wg3n (SyGate for NT, wg3n) - c:\windows\system32\drivers\wg3n.sys
R3 BridgeMP (MAC Bridge Miniport) - c:\windows\system32\drivers\bridge.sys
R3 HCF_MSFT - c:\windows\system32\drivers\hcf_msft.sys
R3 PhilCam8116 (Logitech QuickCam Pro 3000(PID_08B0)) - c:\windows\system32\drivers\camdrl21.sys
R3 Rasirda (WAN Miniport (IrDA)) - c:\windows\system32\drivers\rasirda.sys
R3 ROOTMODEM (Microsoft Legacy Modem Driver) - c:\windows\system32\drivers\rootmdm.sys
R3 SaiMini - c:\windows\system32\drivers\saimini.sys
R3 SaiNtBus - c:\windows\system32\drivers\saintbus.sys

S3 alcan5wn (Alcatel SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)) - c:\windows\system32\drivers\alcan5wn.sys
S3 alcaudsl (Alcatel Speed Touch ADSL Modem ATM Transport) - c:\windows\system32\drivers\alcaudsl.sys
S3 AvFlt (Antivirus Filter Driver) - c:\windows\system32\drivers\av5flt.sys (file missing)
S3 Bridge (MAC Bridge) - c:\windows\system32\drivers\bridge.sys
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 ES-620 (Edisonsoft ES-620 USB Infrared Adapter) - c:\windows\system32\drivers\es-620.sys
S3 hidgame (Microsoft Hid to Joystick Port Enabler) - c:\windows\system32\drivers\hidgame.sys
S3 nm (Network Monitor Driver) - c:\windows\system32\drivers\nmnt.sys
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys
S3 SaiNtHid - c:\windows\system32\drivers\sainthid.sys
S3 SaiNtSub - c:\windows\system32\drivers\saintsub.sys
S3 SASENUM - c:\program files\superantispyware\sasenum.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Irmon (Infrared Monitor) - c:\windows\system32\svchost.exe -k netsvcs

S3 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe
S3 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe"
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini"

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #17 on: April 19, 2007, 04:24:44 PM »
-- Scheduled Tasks -------------------------------------------------------------

2006-02-22 15:20:26       298 --a------ C:\WINDOWS\Tasks\XoftSpy.job


-- Files created between 2007-03-19 and 2007-04-19 -----------------------------

2007-04-18 02:28:57         0 d-------- C:\SafeXP
2007-04-16 11:30:15     76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-04-15 12:22:56         0 d-------- C:\A Startup Monitor and Startup Control Panel<ASTART~1>
2007-04-15 12:13:17     49664 --a------ C:\WINDOWS\unvise32.exe
2007-04-15 12:13:12         0 d-------- C:\Program Files\Active Ports<ACTIVE~1>
2007-04-15 12:11:43         0 d-------- C:\Active Ports  monitor<ACTIVE~1>
2007-04-14 17:12:50         0 d-------- C:\WINDOWS\BDOSCAN8
2007-04-14 14:24:44         0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-04-14 14:24:37         0 d-------- C:\Program Files\SUPERAntiSpyware<SUPERA~1>
2007-04-14 14:24:37         0 d-------- C:\Documents and Settings\Sean\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
2007-04-13 22:26:53     43176 --ah----- C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-13 22:26:53     23352 --ah----- C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-13 22:26:52     31560 --ah----- C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-13 22:26:51     94424 --ah----- C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-13 22:26:51     85952 --ah----- C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-13 22:26:46     90112 --ah----- C:\WINDOWS\system32\AVASTSS.scr
2007-04-13 22:26:46    689280 --ah----- C:\WINDOWS\system32\aswBoot.exe
2007-04-13 22:26:43         0 d-------- C:\Program Files\Alwil Software<ALWILS~1>
2007-04-13 13:13:58      3968 --ah----- C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-13 11:21:12         0 d-------- C:\Documents and Settings\Sean\.housecall6.6<HOUSEC~1.6>
2007-04-13 11:19:42         0 d-------- C:\WINDOWS\Sun
2007-04-13 11:18:35         0 d-------- C:\Program Files\Java
2007-04-13 11:18:33         0 d-------- C:\Program Files\Common Files\Java
2007-04-13 11:17:07         0 d-------- C:\Documents and Settings\Sean\Application Data\Sun
2007-04-12 10:58:07  13631488 --a------ C:\Documents and Settings\Sean\ntuser.dat
2007-04-10 21:40:32         0 d-------- C:\Program Files\Lavasoft
2007-04-10 21:10:12         0 d-------- C:\Program Files\CCleaner
2007-04-08 21:12:34         0 d-------- C:\Program Files\Security Task Manager<SECURI~1>
2007-04-08 20:58:10         0 d-------- C:\Process Explorer<PROCES~1>
2007-04-08 20:07:40         0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan<SECTAS~1>
2007-04-08 15:32:15         0 d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2007-04-04 15:51:31         0 d-------- C:\Program Files\Virtual Earth 3D<VIRTUA~1>
2007-03-27 16:37:25         0 d-------- C:\Documents and Settings\Sean\Application Data\vlc
2007-03-27 16:17:48     17556 -----n--- C:\initemp.dat
2007-03-27 16:14:31         0 d-------- C:\Program Files\TVUPlayer<TVUPLA~1>
2007-03-27 16:12:39         0 d-------- C:\WINDOWS\uninstall<UNINST~1>
2007-03-19 20:35:53         0 d-------- C:\Program Files\EA SPORTS<EASPOR~1>
2007-03-19 17:53:09         0 d-------- C:\Program Files\SCi


-- Find3M Report ---------------------------------------------------------------

2007-04-19 00:20:12         0 d---s---- C:\Documents and Settings\Sean\Application Data\Microsoft<MICROS~1>
2007-04-18 02:54:42         0 d-------- C:\Program Files\DocPad
2007-04-15 17:19:06         0 d-------- C:\Documents and Settings\Sean\Application Data\uTorrent
2007-04-14 18:32:43    249856 -----n--- C:\WINDOWS\Setup1.exe
2007-04-14 18:32:42     73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-04-14 17:56:44         0 d-------- C:\Program Files\The All-Seeing Eye<THEALL~1>
2007-04-14 14:24:20         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-04-13 20:45:44         0 d-------- C:\Documents and Settings\Sean\Application Data\MailWasherPro<MAILWA~1>
2007-04-13 19:34:23         0 d-------- C:\Program Files\WinAce
2007-04-13 19:24:07         0 d-------- C:\Program Files\QuickSFV
2007-04-13 19:12:55         0 d-------- C:\Program Files\Common Files\Webroot Shared<WEBROO~1>
2007-04-12 21:59:23         0 d-------- C:\Program Files\XoftSpy
2007-04-11 23:22:24         0 d-------- C:\Program Files\HiDownload<HIDOWN~1>
2007-04-10 21:40:47         0 d-------- C:\Documents and Settings\Sean\Application Data\Lavasoft
2007-04-08 23:33:05         0 d-------- C:\Program Files\Quake III Arena<QUAKEI~1>
2007-03-27 17:29:55         0 d-------- C:\Program Files\Blaze Media Pro<BLAZEM~1>
2007-03-27 16:08:14         0 d-------- C:\Documents and Settings\Sean\Application Data\{1B0CC100-80E7-4108-844F-6244F1FCFCC1}<{1B0CC~1>
2007-03-19 20:35:52         0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-15 14:17:56         0 d-------- C:\Documents and Settings\Sean\Application Data\Skype
2007-03-10 16:16:06     43520 --ah----- C:\WINDOWS\system32\CmdLineExt03.dll<CMDLIN~2.DLL>
2007-03-08 15:09:54     98304 --ah----- C:\WINDOWS\system32\CmdLineExt.dll<CMDLIN~1.DLL>
2007-02-27 22:13:06         0 d-------- C:\Documents and Settings\Sean\Application Data\Sean UK<SEANUK~1>
2007-02-27 22:08:53         0 d-------- C:\Program Files\UKPoker
2007-02-22 15:43:47         0 d-------- C:\Documents and Settings\Sean\Application Data\5exy 8east<5EXY8E~1>
2007-02-02 17:55:42       331 --ah----- C:\WINDOWS\system32\zgrvbnzmrv_navps.dat<ZGRVBN~2.DAT>
2007-02-02 17:55:31      4528 --ah----- C:\WINDOWS\system32\zgrvbnzmrv.dat<ZGRVBN~1.DAT>
2007-02-02 17:47:05    264754 --ah----- C:\WINDOWS\system32\zgrvbnzmrv_nav.dat<ZGRVBN~3.DAT>
2007-01-19 13:53:04     51056 --ah----- C:\WINDOWS\system32\sirenacm.dll

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #18 on: April 19, 2007, 04:28:58 PM »
-- Registry Dump ---------------------------------------------------------------


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DU Meter"="C:\\Program Files\\DU Meter\\DUMeter.exe"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"ASUS Probe"="C:\\Program Files\\ASUS\\Probe\\AsusProb.exe"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Run StartupMonitor"="StartupMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sean^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"path"="C:\\Documents and Settings\\Sean\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHost"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Kontiki\\KHost.exe\" -all"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Probe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AsusProb"
"hkey"="HKLM"
"command"="C:\\Program Files\\ASUS\\Probe\\AsusProb.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgemc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gcasServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHost"
"hkey"="HKCU"
"command"="C:\\Program Files\\Kontiki\\KHost.exe -all"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\ImageStudio\\ISStart.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\ImageStudio\\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LVCOMS"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Logitech\\QCDriver3\\LVCOMS.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sstray"
"hkey"="HKLM"
"command"="sstray.exe /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #19 on: April 19, 2007, 04:29:50 PM »
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Profiler"
"hkey"="HKLM"
"command"="C:\\Program Files\\Saitek\\Software\\Profiler.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"=";\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiSmart]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SaiSmart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Saitek\\Software\\SaiSmart.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="smc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dragdiag"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Alcatel\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=dword:00000002


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoFavoritesMenu"=dword:00000000
"NoSMMyDocs"=dword:00000000
"NoSMMyPictures"=dword:00000000
"NoStartMenuMyMusic"=dword:00000000
"NoRecentDocsHistory"=dword:00000001
"NoRecentDocsNetHood"=dword:00000000
"NoSMHelp"=dword:00000000
"NoRun"=dword:00000000
"NoInstrumentation"=dword:00000000
"NoSimpleStartMenu"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=dword:00000001
"NoFavoritesMenu"=dword:00000000
"NoSMMyDocs"=dword:00000000
"NoSMMyPictures"=dword:00000000
"NoStartMenuMyMusic"=dword:00000000
"NoRecentDocsHistory"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000001
"NoRecentDocsNetHood"=dword:00000000
"NoSMHelp"=dword:00000000
"NoRun"=dword:00000000
"NoUserNameInStartMenu"=dword:00000001
"NoInstrumentation"=dword:00000000
"NoStartMenuPinnedList"=dword:00000000
"ForceStartMenuLogoff"=dword:00000000
"NoSharedDocuments"=dword:00000001
"NoWindowsUpdate"=dword:00000001

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService   REG_MULTI_SZ      Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService   REG_MULTI_SZ      DnsCache\0\0
rpcss   REG_MULTI_SZ      RpcSs\0\0
imgsvc   REG_MULTI_SZ      StiSvc\0\0
termsvcs   REG_MULTI_SZ      TermService\0\0
HTTPFilter   REG_MULTI_SZ      HTTPFilter\0\0
DcomLaunch   REG_MULTI_SZ      DcomLaunch\0TermService\0\0



-- Hosts -----------------------------------------------------------------------

127.0.0.1 194.126.131.100
127.0.0.1 194.126.131.130
127.0.0.1 www.adserver2.adtech.de
127.0.0.1 3.64-62-243.reverse.mccolo.com:8081
127.0.0.1 checkip.sjc.dyndns.org:http
127.0.0.1 checkip.chi.dyndns.com:http
127.0.0.1 64.62.243.3
127.0.0.1 194.67.23.20
127.0.0.1 62.241.163.201
127.0.0.1 209.191.88.247

14616 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-04-19 at 14:17:59 ---------

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #20 on: April 19, 2007, 06:15:21 PM »
Please scan these files with Virus Total

C:\WINDOWS\unvise32.exe

C:\WINDOWS\Setup1.exe

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #21 on: April 19, 2007, 07:47:03 PM »
Open Control Panel > Folder Options and click the View tab.

Make sure it is set as follows:

Place a check next to Show hidden files and folders.

Remove checks (if present) from

Hide extensions for known file types and

Hide protected operating system files

Then look for C:\windows\system32\zgrvbnzmrv.exe and scan at Virus Total if found (in addition to the two files mentioned above).
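The same step done from a script, as an added example that is not part of this thread: a directory walk lists hidden and protected operating system files regardless of how Explorer is configured, reports the attribute bits that those two Folder Options filters are built on, and computes the MD5 and SHA1 that a VirusTotal report keys on, so a local file can be matched against one. The `st_file_attributes` field only exists on Windows; on other platforms the hidden/system flags simply read False. The sample tree uses the file names and sizes from the thread but filler bytes, not the real files.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List

# Windows file-attribute bits (winnt.h). Explorer's "hidden files" and
# "protected operating system files" filters are built on these two.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def attribute_flags(st: os.stat_result) -> Dict[str, bool]:
    # st_file_attributes exists only on Windows; elsewhere both flags read False.
    attrs = getattr(st, "st_file_attributes", 0)
    return {"hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN),
            "system": bool(attrs & FILE_ATTRIBUTE_SYSTEM)}


def file_hashes(path: str) -> Dict[str, str]:
    """MD5 and SHA1 of a file, streamed so large binaries are not read into memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def find_by_stem(root: str, stem: str) -> List[Dict]:
    """Every file under root whose name starts with stem (case-insensitive), with
    size, attribute bits and hashes. os.walk ignores Explorer's view settings."""
    stem = stem.lower()
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().startswith(stem):
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            hit = {"path": full, "size": st.st_size}
            hit.update(attribute_flags(st))
            hit.update(file_hashes(full))
            hits.append(hit)
    return sorted(hits, key=lambda h: h["path"])


def demo() -> List[Dict]:
    """Constructed sample tree: names and sizes from the thread, filler contents."""
    root = tempfile.mkdtemp()
    try:
        sys32 = os.path.join(root, "WINDOWS", "system32")
        os.makedirs(sys32)
        samples = {
            "ZGRVBNZMRV.EXE": b"abc",             # the file the helper asked to look for
            "zgrvbnzmrv.dat": b"\0" * 4528,
            "zgrvbnzmrv_nav.dat": b"\0" * 264754,
            "zgrvbnzmrv_navps.dat": b"\0" * 331,
            "sirenacm.dll": b"\0" * 51056,        # different stem, must not match
        }
        for name, data in samples.items():
            with open(os.path.join(sys32, name), "wb") as fh:
                fh.write(data)
        return find_by_stem(root, "zgrvbnzmrv")
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['path']}  {hit['size']} bytes  hidden={hit['hidden']}  "
              f"system={hit['system']}  md5={hit['md5']}  sha1={hit['sha1']}")
```

A matching hash only tells you that the file is byte-identical to one already analysed; a file nobody has submitted yet returns nothing, which is why the helper asks for the file itself to be uploaded rather than just its hash.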

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #22 on: April 19, 2007, 10:02:38 PM »
Hi guys,

I couldn't find zgrvbnzmrv.exe,

only zgrvbnzmrv.dat, zgrvbnzmrv_nav.dat, zgrvbnzmrv_navps.dat.


Below are the scans for C:\WINDOWS\unvise32.exe and C:\WINDOWS\Setup1.exe


STATUS: FINISHED
Complete scanning result of "unvise32.exe", received in VirusTotal at 04.19.2007, 21:35:34 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.19.1 04.19.2007  no virus found
AntiVir 7.3.1.53 04.19.2007  no virus found
Authentium 4.93.8 04.18.2007  no virus found
Avast 4.7.981.0 04.19.2007  no virus found
AVG 7.5.0.464 04.19.2007  no virus found
BitDefender 7.2 04.19.2007  no virus found
CAT-QuickHeal 9.00 04.19.2007  no virus found
ClamAV devel-20070416 04.19.2007  no virus found
DrWeb 4.33 04.19.2007  no virus found
eSafe 7.0.15.0 04.19.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3579 04.19.2007  no virus found
Ewido 4.0 04.19.2007  no virus found
FileAdvisor 1 04.19.2007  no virus found
Fortinet 2.85.0.0 04.19.2007  no virus found
F-Prot 4.3.2.48 04.18.2007  no virus found
F-Secure 6.70.13030.0 04.19.2007  no virus found
Ikarus T3.1.1.5 04.19.2007  no virus found
Kaspersky 4.0.2.24 04.19.2007  no virus found
McAfee 5013 04.19.2007  no virus found
Microsoft 1.2405 04.19.2007  no virus found
NOD32v2 2205 04.19.2007  no virus found
Norman 5.80.02 04.19.2007  no virus found
Panda 9.0.0.4 04.19.2007  no virus found
Prevx1 V2 04.19.2007  no virus found
Sophos 4.16.0 04.17.2007  no virus found
Sunbelt 2.2.907.0 04.14.2007  no virus found
Symantec 10 04.19.2007  no virus found
TheHacker 6.1.6.095 04.15.2007  no virus found
VBA32 3.11.3 04.19.2007  no virus found
VirusBuster 4.3.7:9 04.19.2007  no virus found
Webwasher-Gateway 6.0.1 04.19.2007 no virus found


Aditional Information
File size: 49664 bytes
MD5: 97f2dd09b050989617b14d1a87f2f64d
SHA1: 18f0b41a12b6b99971de1aad18a53e74ed99895b
packers: ASPACK
packers: Aspack





STATUS: FINISHED
Complete scanning result of "Setup1.exe", received in VirusTotal at 04.19.2007, 21:42:16 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.19.1 04.19.2007  no virus found
AntiVir 7.3.1.53 04.19.2007  no virus found
Authentium 4.93.8 04.18.2007  no virus found
Avast 4.7.981.0 04.19.2007  no virus found
AVG 7.5.0.464 04.19.2007  no virus found
BitDefender 7.2 04.19.2007  no virus found
CAT-QuickHeal 9.00 04.19.2007  no virus found
ClamAV devel-20070416 04.19.2007  no virus found
DrWeb 4.33 04.19.2007  no virus found
eSafe 7.0.15.0 04.19.2007  no virus found
eTrust-Vet 30.7.3579 04.19.2007  no virus found
Ewido 4.0 04.19.2007  no virus found
FileAdvisor 1 04.19.2007  No threat detected
Fortinet 2.85.0.0 04.19.2007  no virus found
F-Prot 4.3.2.48 04.18.2007  no virus found
F-Secure 6.70.13030.0 04.19.2007  no virus found
Ikarus T3.1.1.5 04.19.2007  no virus found
Kaspersky 4.0.2.24 04.19.2007  no virus found
McAfee 5013 04.19.2007  no virus found
Microsoft 1.2405 04.19.2007  no virus found
NOD32v2 2205 04.19.2007  no virus found
Norman 5.80.02 04.19.2007  no virus found
Panda 9.0.0.4 04.19.2007  no virus found
Prevx1 V2 04.19.2007  no virus found
Sophos 4.16.0 04.17.2007  no virus found
Sunbelt 2.2.907.0 04.14.2007  no virus found
Symantec 10 04.19.2007  no virus found
TheHacker 6.1.6.095 04.15.2007  no virus found
VBA32 3.11.3 04.19.2007  no virus found
VirusBuster 4.3.7:9 04.19.2007  no virus found
Webwasher-Gateway 6.0.1 04.19.2007 no virus found


Aditional Information
File size: 249856 bytes
MD5: 5365986bd88284801b2e9099a1436574
SHA1: d3d3982279b2172b0189c9e73afaf2d4861afdbf
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=5365986bd88284801b2e9099a1436574


mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #23 on: April 19, 2007, 10:18:35 PM »
Hi Sean,

I think I see files related to a rootkit in the DSS log.  Give F-Secure BlackLight a try and post the log it generates.

http://www.f-secure.com/blacklight/

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
The best things in life are free.

UK_Sean

  • Guest
Re: Avasts been hijack please help
« Reply #25 on: April 20, 2007, 12:40:34 AM »
Hi

Rootkit scanners I've used:

AVG Anti-Rootkit: found nothing


F-Secure BlackLight Rootkit

04/19/07 22:29:02 [Info]: BlackLight Engine 1.0.61 initialized
04/19/07 22:29:02 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/19/07 22:29:02 [Note]: 7019 4
04/19/07 22:29:02 [Note]: 7005 0
04/19/07 22:29:05 [Note]: 7006 0
04/19/07 22:29:06 [Note]: 7011 648
04/19/07 22:29:06 [Note]: 7026 0
04/19/07 22:29:06 [Note]: 7026 0
04/19/07 22:29:10 [Note]: FSRAW library version 1.7.1021
04/19/07 22:40:20 [Note]: 2000 1012
04/19/07 22:40:20 [Note]: 2000 1012
04/19/07 22:40:22 [Note]: 2000 1012
04/19/07 22:41:29 [Note]: 7007 0



+----------------------------------------------------
| Trend Micro RootkitBuster 1.6 Beta.
| Module version: 1.6.0.1052
+----------------------------------------------------


--== Dump Hidden File on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.



RootkitRevealer

HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName   08/09/2004 13:48   58 bytes   Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hagel\DU Meter\Totals   24/03/2005 22:20   64 bytes   Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName   08/09/2004 13:51   58 bytes   Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40   08/09/2004 15:04   0 bytes   Hidden from Windows API.
SYSTEM   01/01/1601 00:00   0 bytes   Error dumping hive: Internal error.


It found 7 things, but there was an error when trying to save it; I tried another three times but it just leaves an empty txt file.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re: Avasts been hijack please help
« Reply #26 on: April 20, 2007, 02:55:30 AM »
HKLM\SOFTWARE\Hagel\DU Meter\Totals   24/03/2005 22:20   64 bytes   Data mismatch between Windows API and raw hive data.
I just know that this is clean.
The best things in life are free.

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #27 on: April 20, 2007, 02:55:49 AM »
Can you type the other items found, or post a screen shot?

Also, right click the file C:\WINDOWS\unvise32.exe and click Properties.  Then click the Version tab.  Is anything shown across from Copyright?

If you click Company, Internal Name, Original File Name, and Product Name in the lower left pane (if these are present), what's shown in lower right pane?


EDIT:  Has anyone but you had direct physical access to this computer?
« Last Edit: April 20, 2007, 03:06:07 AM by mauserme »

mauserme

  • Guest
Re: Avasts been hijack please help
« Reply #28 on: April 20, 2007, 02:57:11 AM »
HKLM\SOFTWARE\Hagel\DU Meter\Totals   24/03/2005 22:20   64 bytes   Data mismatch between Windows API and raw hive data.
I just know that this is clean.
And this seems related to Alcohol120

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName   08/09/2004 13:51   58 bytes   Data mismatch between Windows API and raw hive data.
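Triage of RootkitRevealer output like the lines Sean posted, as an added example that is not code from this thread or from Sysinternals: it parses each report line, ranks "Hidden from Windows API" above the data-mismatch entries that Lisandro and mauserme identify as benign, and lets you allowlist known-clean keys. The severity ranking and the allowlist prefix are this example's own assumptions, and the sample report is the five lines from the thread embedded inline.

```python
import re
from typing import NamedTuple

# Constructed ranking for this example (not from RootkitRevealer itself): an object
# hidden from the Windows API is the classic rootkit symptom, a data mismatch is often
# a value that changed between the API read and the raw hive read (counters, totals).
SEVERITY = {
    "Hidden from Windows API.": 3,
    "Data mismatch between Windows API and raw hive data.": 2,
    "Error dumping hive: Internal error.": 1,
}
# Each report line is: <path>  <dd/mm/yyyy hh:mm>  <n> bytes  <description>
LINE_RE = re.compile(r"^(?P<path>.+?)\s+(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2})\s+"
                     r"(?P<size>\d+) bytes\s+(?P<desc>.+)$")

class Finding(NamedTuple):
    path: str
    timestamp: str
    size: int
    discrepancy: str
    severity: int

def parse_rootkitrevealer(text: str) -> list[Finding]:
    # Lines that do not follow the report format are ignored.
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            desc = m.group("desc").strip()
            findings.append(Finding(m.group("path"), m.group("ts"),
                                    int(m.group("size")), desc, SEVERITY.get(desc, 0)))
    return findings

def triage(findings: list[Finding], allowlist: tuple[str, ...] = ()) -> list[Finding]:
    # Drop paths under an allowlisted prefix, then order most suspicious first.
    kept = [f for f in findings if not any(f.path.startswith(p) for p in allowlist)]
    return sorted(kept, key=lambda f: (-f.severity, f.path))
# The five lines posted in the thread above, embedded as sample input.
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName   08/09/2004 13:48   58 bytes   Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Hagel\DU Meter\Totals   24/03/2005 22:20   64 bytes   Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName   08/09/2004 13:51   58 bytes   Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40   08/09/2004 15:04   0 bytes   Hidden from Windows API.
SYSTEM   01/01/1601 00:00   0 bytes   Error dumping hive: Internal error.
"""
if __name__ == "__main__":
    # DU Meter totals were called clean in the thread, so allowlist that key (assumption).
    for f in triage(parse_rootkitrevealer(SAMPLE_REPORT), allowlist=(r"HKLM\SOFTWARE\Hagel\DU Meter",)):
        print(f"[{f.severity}] {f.path}: {f.discrepancy}")
```

The "Hidden from Windows API" entry sorts to the top because it is the one a rootkit would produce; the data-mismatch and hive-dump entries come after it for a human to confirm.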

mauserme

  • Guest