
Thread: Clean?

  1. #11
    Junior Member | Join Date: Nov 2006 | Posts: 19

    The error I get is Windows can't enable Firewall and that I should try to enable it myself via the Control Panel. But if I open the firewall control panel I get an error saying "Because of an unknown problem the configuration can't be displayed" (attn: I have a Dutch version of WinXP, so it's translated).

    But the biggest problem now is that my PC crashes every session. I get a critical stop 0x0000008E (0xc0000005, 0xf4bd39fe, 0xf2a00a28, 0x00000000).

    I know this is a memory problem, but in safe mode I don't encounter this problem.

  2. #12
    Junior Member | Join Date: Nov 2006 | Posts: 19

    This is my problem: I start up and after some time (5 mins) I hear my fan speed go up and the system crashes. I've monitored my temps during this and no component is overheating.

  3. #13
    Security Expert-Emeritus | Join Date: Oct 2005 | Posts: 5,025

    Reboot the PC into safe mode, get a startup list, reboot back to normal and post it please.
    While in safe mode:
    Start HijackThis, click Config > Misc Tools >
    place a check in [X] list also minor sections
    and [X] list empty sections, then click Generate StartupList log.
    Restart back to a normal Windows session and post that log please.

    Are you familiar with the Windows Event Viewer?
    For now let's just empty the logs: Windows Control Panel > Administrative Tools > Event Viewer > highlight the Application category, then go Action > Clear all events, No to the save first.

    Do that for the Security and System categories too. We can go back later and look for problems.

    For that firewall error try the reg file under Solution for Case 1:
    here http://windowsxp.mvps.org/sharedaccess.htm


    Also: Post a combofix log
    1. Download this file - combofix.exe
    http://download.bleepingcomputer.com/sUBs/combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    If the log is large you might need to post half in one reply, half in another.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  4. #14
    Junior Member | Join Date: Nov 2006 | Posts: 19

    Firewall problem is fixed. -> thx

    This is the logfile (in safe mode):

    el_barto - 06-11-22 10:17:37,45 Service Pack 2
    ComboFix 06.11.9 - Running from: "C:\Documents and Settings\el_barto\Bureaublad"

    ((((((((((((((((((((((((((((((( Files Created from 2006-10-22 to 2006-11-22 ))))))))))))))))))))))))))))))))))


    2006-11-14 21:15 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
    2006-11-14 21:15 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
    2006-11-14 21:12 78,336 --a------ C:\WINDOWS\system32\drivers\ssi.sys
    2006-11-14 21:12 102,912 --a------ C:\WINDOWS\system32\islzma.dll
    2006-11-14 20:33 10,509 -r-h----- C:\WINDOWS\system32\svch14.exe
    2006-11-13 02:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2006-11-13 02:20 <DIR> d-------- C:\WINDOWS\McAfee.com
    2006-11-13 02:03 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
    2006-11-13 02:03 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
    2006-11-06 09:28 30,988 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
    2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll
    2006-10-23 14:47 99,840 --a------ C:\WINDOWS\system32\drivers\ACEDRV06.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    Rootkit driver pe386 is present. A rootkit scan is required

    2006-11-22 10:13 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-11-20 18:27 -------- d-------- C:\Program Files\Trillian
    2006-11-20 16:48 -------- d-------- C:\Documents and Settings\el_barto\Application Data\OpenOffice.org2
    2006-11-20 14:55 -------- d-------- C:\Program Files\Windows Defender
    2006-11-20 14:55 -------- d-------- C:\Program Files\Microsoft AntiSpyware
    2006-11-20 14:55 -------- d-------- C:\Program Files\Hijackthis
    2006-11-20 14:54 -------- d-------- C:\Program Files\SpeedFan
    2006-11-20 10:47 -------- d-------- C:\Program Files\Mozilla Thunderbird
    2006-11-16 16:55 -------- d-------- C:\Program Files\rename tools
    2006-11-16 03:33 -------- d-------- C:\Program Files\MSXML 4.0
    2006-11-16 03:33 -------- d-------- C:\Program Files\Internet Explorer
    2006-11-16 03:32 -------- d-------- C:\Documents and Settings\el_barto\Application Data\uTorrent
    2006-11-16 02:40 -------- d-------- C:\Program Files\Microsoft Office
    2006-11-15 11:32 -------- d-------- C:\Program Files\Spyware Doctor
    2006-11-15 01:29 -------- d-------- C:\Program Files\Zylom Games
    2006-11-15 01:29 -------- d-------- C:\Documents and Settings\el_barto\Application Data\Zylom
    2006-11-15 00:05 -------- d-------- C:\Documents and Settings\el_barto\Application Data\Google
    2006-11-14 23:01 -------- d-------- C:\Program Files\Hitman Pro
    2006-11-14 22:12 -------- d-------- C:\Program Files\DVD Profiler
    2006-11-14 21:17 -------- d-------- C:\Program Files\SpywareBlaster
    2006-11-14 21:15 -------- d-------- C:\Documents and Settings\el_barto\Application Data\PC Tools
    2006-11-14 21:12 -------- d-------- C:\Documents and Settings\el_barto\Application Data\Webroot
    2006-11-13 23:38 -------- d-------- C:\Program Files\PCPitstop
    2006-11-13 02:27 -------- d-------- C:\Documents and Settings\el_barto\Application Data\AVG7
    2006-11-13 02:23 -------- d-------- C:\Program Files\Grisoft
    2006-11-13 02:03 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
    2006-11-13 02:03 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
    2006-11-13 02:03 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-11-13 02:03 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-11-12 23:12 -------- d-------- C:\Program Files\Windows NT
    2006-11-12 16:45 -------- d-------- C:\Program Files\PowerISO
    2006-11-10 17:49 -------- d-------- C:\Program Files\hj splitter
    2006-11-09 21:50 -------- d-------- C:\Program Files\Binary News Reaper
    2006-11-09 18:59 -------- d-------- C:\Program Files\Steam
    2006-11-09 17:45 -------- d-------- C:\Program Files\Java
    2006-10-27 11:58 -------- d-------- C:\Program Files\Soulseek
    2006-10-24 16:31 -------- d-------- C:\Program Files\DC++
    2006-10-23 22:15 -------- d-------- C:\Program Files\wintrack7
    2006-10-23 01:00 -------- d-------- C:\Program Files\Google
    2006-10-19 17:48 79272 --a------ C:\Documents and Settings\el_barto\Application Data\GDIPFONTCACHEV1.DAT
    2006-10-13 13:41 144384 --a------ C:\WINDOWS\system32\nwprovau.dll
    2006-10-11 12:10 1682 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2006-10-04 14:54 -------- d-------- C:\Program Files\safediskhider
    2006-10-02 17:55 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-10-02 17:55 -------- d-------- C:\Program Files\Codemasters
    2006-09-29 09:02 -------- d-------- C:\Program Files\EA SPORTS
    2006-09-26 20:27 -------- d-------- C:\Program Files\FolderSizes
    2006-09-25 21:23 -------- d-------- C:\Program Files\BitComet
    2006-09-25 20:54 -------- d-------- C:\Program Files\Azureus
    2006-09-25 20:54 -------- d-------- C:\Documents and Settings\el_barto\Application Data\Azureus
    2006-09-24 14:28 5248 --a------ C:\WINDOWS\system32\speedfan.sys
    2006-09-23 12:20 19915 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
    2006-09-23 12:20 -------- d-------- C:\Program Files\RALINK
    2006-09-13 06:07 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
    2006-08-25 16:51 617472 --a------ C:\WINDOWS\system32\comctl32.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
    "WireLessMouse"="C:\\Program Files\\Mouse Driver\\StartAutorun.exe MouseDrv.exe"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
    "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
    65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="Mijn huidige introductiepagina"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,e2,03,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,e2,03,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Preloader van browseui"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Cache-daemon voor onderdeelcategorieën"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "NoActiveDesktop"=dword:00000000
    "ClassicShell"=dword:00000000
    "ForceActiveDesktopOn"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Menu Start\\Programma's\\Opstarten\\Adobe Gamma Loader.lnk"
    "backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
    "item"="Adobe Gamma Loader"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Menu Start\\Programma's\\Opstarten\\Adobe Reader Snelle start.lnk"
    "backup"="C:\\WINDOWS\\pss\\Adobe Reader Snelle start.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
    "item"="Adobe Reader Snelle start"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^BlueSoleil.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Menu Start\\Programma's\\Opstarten\\BlueSoleil.lnk"
    "backup"="C:\\WINDOWS\\pss\\BlueSoleil.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\IVTCOR~1\\BLUESO~1\\BLUESO~1.EXE "
    "item"="BlueSoleil"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microsoft Office.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Menu Start\\Programma's\\Opstarten\\Microsoft Office.lnk"
    "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MICROS~4\\Office10\\OSA.EXE -b -l"
    "item"="Microsoft Office"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^el_barto^Menu Start^Programma's^Opstarten^ms.exe]
    "path"="C:\\Documents and Settings\\el_barto\\Menu Start\\Programma's\\Opstarten\\ms.exe"
    "backup"="C:\\WINDOWS\\pss\\ms.exeStartup"
    "location"="Startup"
    "command"="C:\\Documents and Settings\\el_barto\\Menu Start\\Programma's\\Opstarten\\ms.exe"
    "item"="ms"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^el_barto^Menu Start^Programma's^Opstarten^OpenOffice.org 1.9.125.lnk]
    "path"="C:\\Documents and Settings\\el_barto\\Menu Start\\Programma's\\Opstarten\\OpenOffice.org 1.9.125.lnk"
    "backup"="C:\\WINDOWS\\pss\\OpenOffice.org 1.9.125.lnkStartup"
    "location"="Startup"
    "command"="C:\\PROGRA~1\\OPENOF~1.125\\program\\QUICKS~1.EXE "
    "item"="OpenOffice.org 1.9.125"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3.tmp]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="3"
    "hkey"="HKLM"
    "command"="C:\\DOCUME~1\\el_barto\\LOCALS~1\\Temp\\3.tmp.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4.tmp]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="4"
    "hkey"="HKLM"
    "command"="C:\\DOCUME~1\\el_barto\\LOCALS~1\\Temp\\4.tmp.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="apdproxy"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="AGRSMMSG"
    "hkey"="HKLM"
    "command"="AGRSMMSG.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntivirusRegistration]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="EzAntivirusRegistrationCheck"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Excid.com Aps\\eTrust Antivirus Registration\\EzAntivirusRegistrationCheck.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atlnl32.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="atlnl32"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\atlnl32.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="daemon"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NeroCheck"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetLimiter]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NetLimiter"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\NetLimiter\\NetLimiter.exe /s"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="PCMService"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Home Cinema\\PowerCinema\\PCMService.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="PWRISOVM"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Realtime Monitor]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="realmon"
    "hkey"="HKLM"
    "command"="C:\\PROGRA~1\\CA\\ETRUST~1\\realmon.exe -s"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"=""
    "hkey"="HKLM"
    "command"=""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Snelkoppeling naar eigenschappenvenster voor High Definition Audio]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="HDAudPropShortcut"
    "hkey"="HKLM"
    "command"="HDAudPropShortcut.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SpySweeper"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /0"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="steam"
    "hkey"="HKCU"
    "command"="\"c:\\program files\\steam\\steam.exe\" -silent"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Telemeter 3.0]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="telemeter3"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Telemeter 3.0\\telemeter3.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="realsched"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="winampa"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Winamp\\winampa.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wined.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="wined"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\wined.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlogons.exe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="winlogons"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Free KGB Key Logger\\winlogons.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    ".dpip29a"=dword:00000003

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: 06-11-22 10:19:04.57
    C:\ComboFix.txt ... 06-11-22 10:19
    C:\ComboFix2.txt ... 06-11-14 00:37
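    As an added example (not code from the thread, from ComboFix or from the helper), a small Python triage pass over the kind of ComboFix log posted above: it parses the dated file lines, the rootkit notice and the registry autorun values, and flags the items a helper would look at first (a hidden or system file sitting directly in system32, a rootkit driver notice, an autorun pointing into a Temp folder). The sample lines are copied from the log; the rule names and the heuristics themselves are this example's own, and a flag means "review", not "malicious".

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the ComboFix log posted above (a few lines
# copied from it, not the whole log); the triage rules below are this example's own.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((( Files Created from 2006-10-22 to 2006-11-22 ))))))))))))))))))))))))))))))))))

2006-11-14 21:12 102,912 --a------ C:\WINDOWS\system32\islzma.dll
2006-11-14 20:33 10,509 -r-h----- C:\WINDOWS\system32\svch14.exe
2006-11-13 02:23 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-13 02:20 <DIR> d-------- C:\WINDOWS\McAfee.com

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-10-11 12:10 1682 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3.tmp]
"command"="C:\\DOCUME~1\\el_barto\\LOCALS~1\\Temp\\3.tmp.exe"
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # which heuristic fired
    detail: str  # the path or driver name it fired on


# One file/dir line: date, time, size (or "--------" / "<DIR>"), 9-char attribute field, path.
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(\S+)\s+([-a-z]{9})\s+(.+?)\s*$")
ROOTKIT_LINE = re.compile(r"^Rootkit driver (\S+) is present", re.IGNORECASE)
REG_VALUE = re.compile(r'^"([^"]*)"="(.*)"$')          # "name"="value" lines in the reg dump
TEMP_PATH = re.compile(r"\\(temp|locals~1)\\", re.IGNORECASE)
SYSTEM32 = re.compile(r"\\system32\\[^\\]+$", re.IGNORECASE)  # file directly in system32


def triage(log_text: str) -> list[Finding]:
    """Return heuristic findings from a ComboFix-style log (items for manual review, not verdicts)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ROOTKIT_LINE.match(line)
        if m:
            findings.append(Finding("rootkit-driver", m.group(1)))
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group(4), m.group(5)
            # A hidden ('h') or system ('s') attribute on a recently created file that sits
            # directly in system32 is unusual and worth a look; it is not proof of malware.
            if SYSTEM32.search(path) and ("h" in attrs or "s" in attrs) and not attrs.startswith("d"):
                findings.append(Finding("hidden-in-system32", path))
            continue
        m = REG_VALUE.match(line)
        if m:
            value = m.group(2).replace("\\\\", "\\")  # undo .reg-style backslash escaping
            # Anything set to run at logon from a Temp folder deserves a second look.
            if TEMP_PATH.search(value):
                findings.append(Finding("autorun-from-temp", value))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:20} {f.detail}")
```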

  5. #15
    Security Expert-Emeritus | Join Date: Oct 2005 | Posts: 5,025

    Download
    http://www.uploads.ejvindh.net/rustbfix.exe
    ...and save it to your desktop.
    Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found,
    you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while,
    and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt).
    Post the content of these logfiles along with a new HijackThis log.


    Also go here http://www.virustotal.com/flash/index_en.html
    and submit each of these files, let us know if anything was found
    C:\WINDOWS\system32\islzma.dll
    C:\WINDOWS\system32\svch14.exe
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  6. #16
    Junior Member | Join Date: Nov 2006 | Posts: 19

    The file "C:\WINDOWS\system32\svch14.exe" contained a trojan which seems to be a variant of "Win32/TrojanDownloader.Agent.AEF". The DLL file was clean.

  7. #17
    Junior Member | Join Date: Nov 2006 | Posts: 19

    ************************* Rustock.b-fix -- By ejvindh *************************
    do 23/11/2006 11:54:57,28


    ******************* Pre-run Status of system *******************

    Rootkit driver PE386 is found. Starting the unload-procedure....
    Examine the Avenger-logfile in order to assess the success of the unload-procedure

    Rustock.b-ADS attached to the System32-folder:
    :lzx32.sys 70806
    Total size: 70806 bytes.
    Attempting to remove ADS...
    system32: deleted 70806 bytes in 1 streams.


    ******************* Post-run Status of system *******************

    Rustock.b-driver on the system: NONE!

    Rustock.b-ADS attached to the System32-folder:
    No streams found.


    ******************************* End of Logfile ********************************

  8. #18
    Junior Member | Join Date: Nov 2006 | Posts: 19

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\knkaoeev

    *******************

    Script file located at: \??\C:\WINDOWS\system32\scebmkbu.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Driver PE386 unloaded successfully.
    Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

    Completed script processing.

    *******************

    Finished! Terminate.

  9. #19
    Security Expert-Emeritus | Join Date: Oct 2005 | Posts: 5,025

    C:\WINDOWS\system32\svch14.exe < delete; any problems?

    =====
    C:\WINDOWS\system32\islzma.dll attach this file here please
    http://www.thespykiller.co.uk/forum/index.php?board=1.0
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  10. #20
    Junior Member | Join Date: Nov 2006 | Posts: 19

    svch14.exe was detected and moved by BitDefender.

    After doing those last two steps, my computer hasn't rebooted (yet).

    Let's wait and see.


    Once again, thanx for all the help.
