View Full Version : Need help to get rid of backdoor Trojan - many thanks
Spybot doesn't seem to be able to help me get rid of Win32.delf.uc and Colorado.ClipboardAdmin. Each time I re-start my computer and run Spybot (in normal mode) they re-appear, even after Spybot has apparently "fixed" them.
I ran e-Trust Antivirus Web Scanner earlier, but the log / report hasn't arrived in my Inbox yet, so am unable to post the log file as yet. I then ran Trend Micro Online Scan, before re-booting in Safe mode and running Spybot until no more items in red were found.
Here is my HijackThis log file. Any help will be very much appreciated. :)
Logfile of HijackThis v1.99.1
Scan saved at 22:54:04, on 19/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\wltray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\admincfg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: DNA - {2DB59DF5-544D-4A1C-8A74-1FD054950140} - c:\dna32v1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ie6] iexplore
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [admincfg.exe] C:\WINDOWS\system32\admincfg.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.astonmartin.com/configurator/db9coupe_load.html
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://joharimusic.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119566567671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165538907578
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - https://ukplay.toontown.com/download/sv1.0.18.27/ttinst.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://88.96.46.110:8000/activex/AMC.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup160.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: atixdaxx - C:\WINDOWS\SYSTEM32\atixdaxx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
miekiemoes
2007-06-20, 10:33
Hi,
You're having some very nasty infections present, so you have to understand that we cannot solve your issue in one pair of instructions, so you'll have to be patient and perform my instructions in the right order..
First of all, I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
Viewpoint
Viewpoint Manager
Viewpoint Media Player
Then reboot.
After reboot,
Go to this page (http://www.bleepingcomputer.com/submit-malware.php?channel=8).
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file: c:\dna32v1.dll
Select it and click ok:
Then click the Send File button below.
Then, Download haxfix.exe (http://users.telenet.be/marcvn/tools/haxfix.exe).
Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon".
Click "Next".
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
Click "Finish".
A red "dos window" (dos box) will open.
Select option 1. Make logfile by typing 1 and then pressing Enter.
Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
Copy the contents of that logfile and paste it into this thread.
Many thanks for this. I have followed the instructions you gave, and removed Viewpoint Manager and Viewpoint Media Player; however there was no trace of the file dna32v1.dll anywhere on my PC (did a Search but nothing came up). I wonder whether it's something that I had in the past, but that Sybot or AVG have got rid of since...?
I tried to post my haxfix log file. However, I was unable to submit it as there were in excess of 940,000 characters in it, and apparently the maximum number of characters allowed for one post is 20,000. This would mean submitting the log over 47 posts, which obviously isn't really feasible. Is there any other way I can get the log file to you? Thanks again.
miekiemoes
2007-06-20, 17:41
Hi,
The dna32v1.dll should be on your C:\
Could be possible that it is a hidden file, so do next:
Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.
Concerning the Haxfix log, if you rightclick it, how big is it in filesize?
If you zip it up (rightclick > send to zipped folder) and if it's smaller than 2MB (after being zipped), also upload it here: http://www.bleepingcomputer.com/submit-malware.php?channel=8
In case the zipped logfile is bigger than 2MB, send it to this address:
miekiemoesATmalware-research.co.uk
replace AT with @
Let me know...
Thanks again for the info. I have now located the dna32v1.dll in hidden files, and have submitted to bleeping computer as requested. I have also zipped up the haxlog file (which was smaller than 2MB) and submitted that to bleeping computer also. I await further instructions from you. Many thanks.
miekiemoes
2007-06-20, 19:52
Thanks, I received the files.
One important question - are you doing online banking? This because I had a quick look at the dna32v1.dll you submitted and it is a passwordstealer, it mainly gathers the online banking passwords.
In anyway, we'll try to deal with this asap and once this computer is clean again, then you'll have to change all your passwords asap as well... even though you're not doing online banking.
Don't change them now, because as long as you are infected, it will gather the new passwords as well.
In case you're having another computer which is clean, then you can already change your passwords from there.
Open this folder program files\haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
Close all other open windows since this step requires a reboot.
Select option 2. Run auto fix by typing 2, and then pressing Enter.
If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and then press Enter.
The computer will reboot.
After reboot a logfile will open.
Post the contents of that logfile along with a new hijackthislog.
Then we'll deal with the other infections...
Hi again. Thanks for the advice. I do online bannking, so am worried now! :sick:
I have submitted the haxfix log via Bleeping Computers again as it was another very long text file. Here is my HijackThis log as requested:
Logfile of HijackThis v1.99.1
Scan saved at 19:13:14, on 20/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\admincfg.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: DNA - {2DB59DF5-544D-4A1C-8A74-1FD054950140} - c:\dna32v1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ie6] iexplore
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [admincfg.exe] C:\WINDOWS\system32\admincfg.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.astonmartin.com/configurator/db9coupe_load.html
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://joharimusic.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119566567671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165538907578
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - https://ukplay.toontown.com/download/sv1.0.18.27/ttinst.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://88.96.46.110:8000/activex/AMC.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup160.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
miekiemoes
2007-06-20, 21:18
Hi,
I just received your second log...
Looks like the infection was only partially deleted. We'll have to give it another run, but do next first..
* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:
O2 - BHO: DNA - {2DB59DF5-544D-4A1C-8A74-1FD054950140} - c:\dna32v1.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ie6] iexplore
O4 - HKCU\..\Run: [admincfg.exe] C:\WINDOWS\system32\admincfg.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTS...oupe_load.html
* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Then, navigate to and delete next files:
c:\dna32v1.dll
C:\WINDOWS\system32\admincfg.exe
Then, once again..
Open this folder program files\haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
Close all other open windows since this step requires a reboot.
Select option 2. Run auto fix by typing 2, and then pressing Enter.
If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and then press Enter.
The computer will reboot.
After reboot a logfile will open.
Post the contents of that logfile along with a new hijackthislog.
Hi,
I followed instructions down to:
Then, navigate to and delete next files:
c:\\dna32v1.d11
c:\WINDOWS\system32\admincfg.exe
I deleted the dna32v1.d11 file, then opened WINDOWS folder, to find there is nothing at all in it....please HELP! :sad:
miekiemoes
2007-06-20, 22:14
Yes, that's because of the infection you are dealing with. It hides the entire C:\Windows drive..
So just proceed with the next instruction, we can delete the c:\WINDOWS\system32\admincfg.exe afterwards (this one is related with the Cellorado popups, which is a different infection and not that nasty)
Hi again. I have submitted the Haxfix log via Bleeping Computers. Here is the latest HijackThis log as requested:
Logfile of HijackThis v1.99.1
Scan saved at 20:50:38, on 20/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {2DB59DF5-544D-4A1C-8A74-1FD054950140} - (no file)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://joharimusic.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119566567671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165538907578
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - https://ukplay.toontown.com/download/sv1.0.18.27/ttinst.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://88.96.46.110:8000/activex/AMC.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup160.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
miekiemoes
2007-06-20, 23:11
Hi,
Although Haxfix doesn't see the infection anymore, the fact that the log from Haxfix is still huge and the entire C:\Windows folder is still hidden shows that the infection is still present.
It's only the atixdaxx.dll which is present as I see from the log.... and that one may be responsible for hiding the entire Windows folder.
However, I do think that Killbox will be able to see the file, seen that before - just wonder if it will be able to delete it.
So let's try next..
* Download Killbox (http://www.atribune.org/downloads/KillBox.exe).
Click killbox.exe.
Select the option "Delete on reboot".
Now copy the next bold part in the Field:
C:\Windows\System32\atixdaxx.dll
If Killbox sees the file, you'll see it appear below in blue letters.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.
Your computer should reboot now.
After reboot, look if your C:\Windows folder is still hidden..
Let me know.
If it's still hidden, then we'll have to use other tools...
Hi,
I ran Killbox as advised and it displayed the file name in blue letters as you thought it might. I pressed the red button with white cross, and asked Killbox to re-boot, which it did. However, I still can't see any files inside the WINDOWS folder....please advise.
Many thanks.
miekiemoes
2007-06-21, 00:11
Ok, let's use a more powerful tool... We'll cover the other files in there as well, even though some are already deleted. This to make sure..
But first, before we proceed, please backup the documents/files you don't want to loose. Reason I am telling you this is.. when such nasty infections are present, they cause Windows very unstable. And because of that, it may also suddenly happen that your system may not be able to start up anymore. So it's always a good idea to backup any important files when a system is infected, just in case.
Also, I want to make you aware of the fact that, even though we will be able to remove malware manually, you will never be able to trust this system anymore, because this nasty infection has compromised it. That's why I suggest you better don't do any online banking in the future anymore from this computer.
Because that's what you said previously - that you were doing online banking here - :-(
The malware you are dealing with gathers your banking passwords and other passwords... and does a lot of other things as well. You may want to read here with what infection you are dealing with: http://research.sunbelt-software.com/threatdisplay.aspx?name=Goldun.Fam&threatid=43858
It would be irresponsible from me not telling you this.
Unless you perform a format and a reinstall. Then you can trust this computer again and then you can also do online banking again. So, in this case, the choice is yours how you want to proceed.... If you want to proceed with cleaning this up manually, perform next steps...
1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file Extract avenger.exe to your desktop
2. Now, start The Avenger program by clicking on its icon on your desktop. Under "Script file to execute" choose "Input Script Manually". Now click on the Magnifying Glass icon which will open a new window titled "View/edit script" Copy next text present in the quotebox below and paste it in the View/edit script Window:
Files to delete:
C:\Windows\System32\atixdaxx.dll
C:\Windows\System32\ksl48.bin
C:\Windows\System32\atixdbxx.sys
c:\WINDOWS\system32\admincfg.exe
drivers to unload:
atixdbxx
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Click Done Now click on the Green Light to begin execution of the script Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following: Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.) On reboot, briefly open a black command window on your desktop, this is normal. After the restart, create a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of avenger.txt into your reply and also let me know if your Windows folder is still hidden or not...
OK, I have had a think about this. Please could you let me know whether you think the following plan is a good one:
1. Back-up all files and folders from my C:\ drive onto my other (external) hard drive (G) - please could you let me know whether this would be a suitable alternative to backing-up files onto CDs or DVDs? Thanks.
2. Follow your manual clean-up instructions as per your last post, to get rid of the infection (as a temporary measure).
3. Change my online banking passwords from another computer.
4. Re-format my computer and re-install all programs, files and folders. This is likely to take a long time, and I am away for a few days from tomorrow, so thought that it might be a good idea to do a manual clean-up in the meantime.
Please let me know your thoughts....
Many thanks.
miekiemoes
2007-06-21, 08:10
Hi,
Sorry for the late reply..
Yes, that sounds like a good plan. We can proceed with manual removal and then you can still decide afterwards about the format or not. I mentioned a format here, just because you are doing online banking on this computer. Then I always think what would I do in such cases. If this computer was mainly used for surfing etc.. then I wouldn't talk about a format. If manual removal works, then a format won't really be needed, but with these infections, even though we cleaned it manually, it's better safe than sorry.
Hi,
I haven't yet done the manual clean up you advised in your last post, as I wanted to give you an update on developments first. When I started up my PC this morning, a huge list scrolled down the page, each line saying something like "c:/name of file - File root deleted". This was followed by a scrolling list of file names, saying something like "replacing orphaned files". When it had finished, the PC seemed to boot up normally and my desktop looked the same as it usually does. When I checked the WINDOWS folder all the files had re-appeared.
Since then I have backed up everything on my c:/ drive by copying all files and folders to my external hard drive (G) - that is, everything except my e-mail in Outlook Express, which I need to figure out how to back-up.
Should I still go ahead with the Avenger manual clean-up instructions as advised in your last post?
Many thanks.
miekiemoes
2007-06-21, 23:18
Hi,
So you didn't perform the steps with the Avenger yet? No need to do this now. What I guess what happened here is, the haxfix never properly finished its job. So I guess it ran after reboot and dealed with the files... or it was your AVG dealing with them.. Anyway, the fact that you can see your Windows folder now is good news..
Can you open Haxfix again and choose option 1 for the log.
Then post the log from Haxfix in your next reply.
If your Windows folder is visible now, the log won't be that long. :)
Also, now you should be able to find the file c:\WINDOWS\system32\admincfg.exe and delete it.
Also post a HijackThislog in your next reply.
Hi again,
Sorry for the delayed response; lots going on here as I am going away for few days tomorrow.
I have deleted the admincfg.exe file now.
I have sent my Haxfix log to you via Bleeping Computers again as it is still too long.
I will post my HijackThis log in a new post shortly.
Many thanks.
My HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 01:00:56, on 22/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wltray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {2DB59DF5-544D-4A1C-8A74-1FD054950140} - (no file)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://joharimusic.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119566567671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165538907578
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - https://ukplay.toontown.com/download/sv1.0.18.27/ttinst.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://88.96.46.110:8000/activex/AMC.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup160.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
miekiemoes
2007-06-22, 09:49
Hi,
Now only your Temporary Internet Files are hidden... This malware is acting weird and now I cannot see from that log if the infection is still present or not..
First of all, as you said previously, you wanted to know how to back up your mails in Outlook.
Here's a great tutorial: http://www.sitedeveloper.ws/tutorials/outlook.htm
Below is the one for Outlook express.
Before you backup your mails, delete the mails first you don't know and don't want to backup, because most probably you got infected via mail, so you'll have to make sure you don't backup that mail.
Then, * Clean your Cache and Cookies in IE: Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Under Browsing History, click "Delete".
Click "Delete Files", "Delete cookies" and "Delete history"
Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed): Go to Tools > Options.
Click Privacy in the menu..
Click the Clear now button below.. A new window will popup what to clear.
Select all and click the Clear button again.
Click OK to close the Options window
* Clean other Temporary files + Recycle bin Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.
Then, * Download Combofix (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
If the log is huge (since it also uses Catchme), also upload it.
Hi,
Have backed up Outlook Express (thanks for tutorial link) and followed all other instructions (except ones to do with Firefox, as I don't have it). Here is my Combofix log. HijackThis log to follow shortly in next post.
Many thanks.
ComboFix 07-06-18.2 - C:\Documents and Settings\Marie Belsten\Desktop\ComboFix.exe
"Marie Belsten" - 2007-06-22 11:52:28 - Service Pack 2 NTFS
((((((((((((((((((((((((( Files Created from 2007-05-22 to 2007-06-22 )))))))))))))))))))))))))))))))
2007-06-22 11:50 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-22 01:17 <DIR> d--hs---- C:\found.001
2007-06-21 08:05 <DIR> d--hs---- C:\found.000
2007-06-20 21:19 <DIR> d-------- C:\!KillBox
2007-06-20 14:32 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2007-06-20 14:32 9,006 --a------ C:\clean.bat
2007-06-20 14:32 86,528 --a------ C:\WINDOWS\system32\catchme.exe
2007-06-20 14:32 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-06-20 14:32 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-06-20 08:28 74 --a------ C:\WINDOWS\sysInf.dat
2007-06-19 19:44 <DIR> d-------- C:\DOCUME~1\MARIEB~1\.housecall6.6
2007-06-17 13:35 6 --a------ C:\WINDOWS\system32\ng60.bin
2007-06-17 12:51 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-06-17 12:23 <DIR> d-------- C:\WINDOWS\pss
2007-06-17 02:35 23,040 --a------ C:\WINDOWS\system32\sysdrv5.exe
2007-06-17 02:34 122,884 --a------ C:\WINDOWS\system32\sysdrv3.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-22 10:44:16 -------- d-----w C:\Program Files\Plaxo
2007-06-20 12:20:25 -------- d-----w C:\Program Files\Viewpoint
2007-06-04 23:18:03 -------- d-----w C:\Program Files\EAF
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-12 17:37:57 -------- d-----w C:\Program Files\SEP
2007-05-12 17:34:08 516,096 ------w C:\WINDOWS\Setup1.exe
2007-05-12 17:34:05 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-25 14:21:15 144,896 ------w C:\WINDOWS\system32\schannel.dll
2007-04-23 13:05:45 -------- d-----w C:\DOCUME~1\MARIEB~1\APPLIC~1\Sonic Foundry
2007-04-23 13:04:52 -------- d-----w C:\Program Files\Sonic Foundry
2007-04-23 13:04:10 -------- d-----w C:\Program Files\Sonic Foundry Setup
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 21:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 21:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-03-23 05:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 05:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 19:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 15:10 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-10-13 07:01 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-13 09:17 C:\WINDOWS\ALCWZRD.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-22 21:05]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-02-22 22:21]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-23 17:45]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-06 17:34]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-01 15:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [2006-11-16 13:42]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-22 11:54:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-22 11:54:54
--- E O F ---
Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:03:47, on 22/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {2DB59DF5-544D-4A1C-8A74-1FD054950140} - (no file)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://joharimusic.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119566567671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165538907578
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - https://ukplay.toontown.com/download/sv1.0.18.27/ttinst.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://88.96.46.110:8000/activex/AMC.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup160.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
Many thanks
miekiemoes
2007-06-22, 14:35
Hi,
The good news is, Catchme doesn't list any hidden files anymore.
Check and fix next leftover in HijackThis:
O2 - BHO: (no name) - {2DB59DF5-544D-4A1C-8A74-1FD054950140} - (no file)
There are still some files I want to analyze, so do next:
* Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.
Paste the following bold part into the Suspicious File Packer window:
C:\WINDOWS\system32\spmsg2.dll
C:\WINDOWS\system32\sysdrv5.exe
C:\WINDOWS\system32\sysdrv3.exe
Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page (http://www.bleepingcomputer.com/submit-malware.php?channel=8).
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was been created on your desktop.
The cab file will be called requested-files .cab (the * stands for the date and hour).
Then click the Send File button below.
Also, do next.. Please download this tool > http://www.kztechs.com/sreng/sreng2.zip
1. Extract it to Desktop & double click SREng.exe to run it
2. Select 'Smart Scan' & click on the [Scan] button
3. When finished, click on the [Save Reports] button & save the log to Desktop
4. Post the log in your next reply
Hi, have sent the Suspicious File Packer cab file to you via Bleeping Computers as requested.
Here is the SREng log (in 2 posts):
[CODE]
2007-06-22,13:27:40
System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600) - Administrative User - Completed Functions Allowed
Follow item(s) have been choosed:
All Boot Items (Including Registry, Startup Folders, Services and so on)
Browser Add-ons
Runing Processes (Including process model information)
File Associations
Winsock Provider
Autorun.Inf
HOSTS File
Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<PlaxoUpdate><C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a> [Plaxo, Inc.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<High Definition Audio Property Page Shortcut><HDAudPropShortcut.exe> [(Verified)Microsoft Windows XP Publisher]
<SoundMan><SOUNDMAN.EXE> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<AlcWzrd><ALCWZRD.EXE> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<ATIPTA><C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe> [ATI Technologies, Inc.]
<ATICCC><"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime> [N/A]
<AVG7_CC><C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP> [GRISOFT, s.r.o.]
<SunJavaUpdateSched><"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"> [(Verified)"Sun Microsystems, Inc."]
<TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot> [RealNetworks, Inc.]
<RoxioDragToDisc><"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"> [Roxio]
<QuickTime Task><"C:\Program Files\QuickTime\qttask.exe" -atboottime> [Apple Computer, Inc.]
<iTunesHelper><"C:\Program Files\iTunes\iTunesHelper.exe"> [(Verified)"Apple Computer, Inc."]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
<WinlogonNotify: WgaLogon><WgaLogon.dll> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
<IE7 Uninstall Stub><C:\WINDOWS\system32\ieudinit.exe> [Microsoft Corporation]
==================================
Startup Folders
[Adobe Gamma Loader]
<C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk --> C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [Adobe Systems, Inc.]><N>
[Adobe Reader Speed Launch]
<C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk --> C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [Adobe Systems Incorporated]><N>
[ATI CATALYST System Tray]
<C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk --> C:\PROGRA~1\ATITEC~1\ATI.ACE\CLI.exe [ATI Technologies Inc.]><N>
[Sonic CinePlayer Quick Launch]
<C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sonic CinePlayer Quick Launch.lnk --> C:\PROGRA~1\COMMON~1\SONICS~1\CineTray.exe [Sonic Solutions]><N>
[Office Startup]
<C:\Documents and Settings\Marie Belsten\Start Menu\Programs\Startup\Office Startup.lnk --> C:\PROGRA~1\MICROS~2\Office\OSA.EXE [N/A]><N>
==================================
Services
[Ati HotKey Poller / Ati HotKey Poller][Running/Auto Start]
<C:\WINDOWS\system32\Ati2evxx.exe><ATI Technologies Inc.>
[ATI Smart / ATI Smart][Stopped/Auto Start]
<C:\WINDOWS\system32\ati2sgag.exe><>
[AVG7 Alert Manager Server / Avg7Alrt][Running/Auto Start]
<C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe><GRISOFT, s.r.o.>
[AVG7 Update Service / Avg7UpdSvc][Running/Auto Start]
<C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe><GRISOFT, s.r.o.>
[AVG E-mail Scanner / AVGEMS][Running/Auto Start]
<C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe><GRISOFT, s.r.o.>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[InstallDriver Table Manager / IDriverT][Stopped/Manual Start]
<"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"><Macrovision Corporation>
[iPod Service / iPod Service][Running/Manual Start]
<"C:\Program Files\iPod\bin\iPodService.exe"><Apple Computer, Inc.>
[SmartLinkService / SLService][Running/Auto Start]
<slserv.exe><Smart Link>
[Broadcom Wireless LAN Tray Service / wltrysvc][Running/Auto Start]
<C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe><N/A>
==================================
Drivers
[abp480n5 / abp480n5][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\ABP480N5.SYS><Microsoft Corporation>
[adpu160m / adpu160m][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\adpu160m.sys><Microsoft Corporation>
[AEGIS Protocol (IEEE 802.1x) v3.2.0.3 / AegisP][Running/Auto Start]
<system32\DRIVERS\AegisP.sys><Meetinghouse Data Communications>
[Aha154x / Aha154x][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\aha154x.sys><Microsoft Corporation>
[aic78u2 / aic78u2][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\aic78u2.sys><Microsoft Corporation>
[aic78xx / aic78xx][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\aic78xx.sys><Microsoft Corporation>
[AliIde / AliIde][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\aliide.sys><Acer Laboratories Inc.>
[AMD AGP Bus Filter Driver / amdagp][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\amdagp.sys><Advanced Micro Devices, Inc.>
[ASAPIW2K / ASAPIW2K][Running/Manual Start]
<System32\Drivers\ASAPIW2K.sys><Pinnacle Systems GmbH>
[asc / asc][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\asc.sys><Advanced System Products, Inc.>
[asc3350p / asc3350p][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\asc3350p.sys><Microsoft Corporation>
[asc3550 / asc3550][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\asc3550.sys><Advanced System Products, Inc.>
[ati2mtag / ati2mtag][Running/Manual Start]
<system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[AVG7 Kernel / Avg7Core][Running/System Start]
<\SystemRoot\System32\Drivers\avg7core.sys><GRISOFT, s.r.o.>
[AVG7 Wrap Driver / Avg7RsW][Running/System Start]
<\SystemRoot\System32\Drivers\avg7rsw.sys><GRISOFT, s.r.o.>
[AVG7 Resident Driver XP / Avg7RsXP][Running/System Start]
<\SystemRoot\System32\Drivers\avg7rsxp.sys><GRISOFT, s.r.o.>
[AVG7 Clean Driver / AvgClean][Running/System Start]
<\SystemRoot\System32\Drivers\avgclean.sys><GRISOFT, s.r.o.>
[AVG Network Redirector / AvgTdi][Running/Auto Start]
<\SystemRoot\System32\Drivers\avgtdi.sys><GRISOFT, s.r.o.>
[cd20xrnt / cd20xrnt][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\cd20xrnt.sys><Microsoft Corporation>
[cdrdrv / cdrdrv][Running/Manual Start]
<System32\Drivers\Cdrdrv.sys><Pinnacle Systems GmbH>
[CmdIde / CmdIde][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\cmdide.sys><CMD Technology, Inc.>
[dac2w2k / dac2w2k][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\dac2w2k.sys><Mylex Corporation>
[Team MFP Comm Driver / DgiVecp][Running/Auto Start]
<System32\Drivers\DgiVecp.sys><DeviceGuys, Inc.>
[dpti2o / dpti2o][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\dpti2o.sys><Microsoft Corporation>
[Intel(R) PRO Adapter Driver / E100B][Stopped/Manual Start]
<system32\DRIVERS\e100b325.sys><Intel Corporation>
[GEAR CDRom Filter / GEARAspiWDM][Running/Manual Start]
<SYSTEM32\DRIVERS\GEARAspiWDM.sys><GEAR Software Inc.>
[Microsoft UAA Function Driver for High Definition Audio Service / HdAudAddService][Stopped/Manual Start]
<system32\drivers\HdAudio.sys><Windows (R) Server 2003 DDK provider>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus][Running/Manual Start]
<system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[hpn / hpn][Stopped/Boot Start]
<\SystemRoot\system32\DRIVERS\hpn.sys><N/A>
[ini910u / ini910u][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\ini910u.sys><Microsoft Corporation>
[Service for Realtek HD Audio (WDM) / IntcAzAudAddService][Running/Manual Start]
<system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
[mraid35x / mraid35x][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\mraid35x.sys><American Megatrends Inc.>
[Mtlmnt5 / Mtlmnt5][Running/Manual Start]
<system32\DRIVERS\Mtlmnt5.sys><Smart Link>
[Mtlstrm / Mtlstrm][Stopped/Manual Start]
<system32\DRIVERS\Mtlstrm.sys><Smart Link>
[NtMtlFax / NtMtlFax][Stopped/Manual Start]
<system32\DRIVERS\NtMtlFax.sys><Smart Link>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[PxHelp20 / PxHelp20][Running/Boot Start]
<\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
[ql1080 / ql1080][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\ql1080.sys><QLogic Corporation>
[Ql10wnt / Ql10wnt][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\ql10wnt.sys><Microsoft Corporation>
[ql12160 / ql12160][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\ql12160.sys><QLogic Corporation>
[ql1280 / ql1280][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\ql1280.sys><QLogic Corporation>
[RecAgent / RecAgent][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\RecAgent.sys><Smart Link>
[Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver / RTL8023][Stopped/Manual Start]
<system32\DRIVERS\Rtlnic51.sys><Realtek Semiconductor Corporation>
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
[SIS AGP Bus Filter / sisagp][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\sisagp.sys><Silicon Integrated Systems Corporation>
[Smart Link 56K Modem Driver / Slntamr][Running/Manual Start]
<system32\DRIVERS\slntamr.sys><Smart Link>
[SlNtHal / SlNtHal][Stopped/Manual Start]
<system32\DRIVERS\Slnthal.sys><Smart Link>
[SlWdmSup / SlWdmSup][Running/Manual Start]
<system32\DRIVERS\SlWdmSup.sys><Smart Link>
[Sparrow / Sparrow][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\sparrow.sys><Adaptec, Inc.>
[STEC3 / STEC3][Running/Auto Start]
<\??\C:\WINDOWS\system32\STEC3.sys><AntiCracking>
[symc810 / symc810][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\symc810.sys><Symbios Logic Inc.>
[symc8xx / symc8xx][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\symc8xx.sys><LSI Logic>
[sym_hi / sym_hi][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\sym_hi.sys><LSI Logic>
[sym_u3 / sym_u3][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\sym_u3.sys><LSI Logic>
[TosIde / TosIde][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\toside.sys><Microsoft Corporation>
[ultra / ultra][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\ultra.sys><Promise Technology, Inc.>
[ViaIde / ViaIde][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\viaide.sys><Microsoft Corporation>
[VOBID / VOBID][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\vobid.sys><Pinnacle Systems>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
<system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
==================================
Browser Add-ons
[Java Plug-in 1.6.0_01]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll, Sun Microsystems, Inc.>
[]
{e2e2dd38-d088-4134-82b7-f2ba38496583} <%windir%\Network Diagnostic\xpnetdiag.exe, N/A>
[Messenger]
{FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
[Microsoft Office Template and Media Control]
{02BCC737-B171-4746-94C9-0D8A0B2C0089} <C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL, >
[QuickTime Object]
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} <C:\Program Files\QuickTime\QTPlugin.ocx, Apple Computer, Inc.>
[PlxInstall Class]
{08BEF711-06DA-48B2-9534-802ECAA2E4F9} <C:\WINDOWS\Downloaded Program Files\PlaxoInstall.dll, Plaxo Inc.>
[Shockwave ActiveX Control]
{166B1BCA-3F9C-11CF-8075-444553540000} <C:\WINDOWS\system32\macromed\Director\SwDir.dll, Macromedia, Inc.>
[Windows Genuine Advantage Validation Tool]
{17492023-C23A-453E-A040-C7C580BBF700} <C:\WINDOWS\system32\legitcheckcontrol.dll, Microsoft Corporation>
[MSN Photo Upload Tool]
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} <C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll, Microsoft® Corporation>
[WUWebControl Class]
{6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[MUWebControl Class]
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} <C:\WINDOWS\system32\muweb.dll, Microsoft Corporation>
[WScanCtl Class]
{7B297BFD-85E4-4092-B2AF-16A91B2EA103} <C:\WINDOWS\Downloaded Program Files\webscan.dll, CA>
[Java Plug-in 1.6.0_01]
{8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll, Sun Microsystems, Inc.>
[MessengerStatsClient Class]
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} <C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll, Microsoft Corporation>
[MsnMessengerSetupDownloadControl Class]
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} <C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx, Microsoft Corporation>
[Toontown Installer ActiveX Control]
{C02226EB-A5D7-4B1F-BD7E-635E46C2288D} <C:\WINDOWS\Downloaded Program Files\ttinst.dll, Walt Disney Co.>
[Java Plug-in 1.5.0_04]
{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in 1.5.0_06]
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in 1.5.0_09]
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in 1.6.0_01]
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in 1.6.0_01]
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll, Sun Microsystems, Inc.>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
[AxisMediaControlEmb Class]
{DE625294-70E6-45ED-B895-CFFA13AEB044} <C:\Program Files\Axis Communications\AXIS Media Control Embedded\AxisMediaControlEmb.dll, Axis Communications>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
==================================
Running Processes
[PID: 724][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 772][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 804][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\Ati2evxx.dll] [ATI Technologies Inc., 6.14.10.4113]
[C:\WINDOWS\system32\WgaLogon.dll] [Microsoft Corporation, 1.7.0018.5]
[C:\WINDOWS\System32\BCMLogon.dll] [Broadcom Corporation, 3.100.40.4]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 856][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 868][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1048][C:\WINDOWS\system32\Ati2evxx.exe] [ATI Technologies Inc., 6.14.10.4113]
[C:\WINDOWS\system32\Ati2edxx.dll] [ATI Technologies, Inc., 6, 14, 10, 2496]
[PID: 1068][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1148][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1248][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\wups2.dll] [Microsoft Corporation, 7.0.6000.374 (winmain(wmbla).070416-2057)]
[PID: 1352][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1512][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1708][C:\WINDOWS\System32\wltrysvc.exe] [N/A, ]
[PID: 1720][C:\WINDOWS\System32\bcmwltry.exe] [BT Voyager Corporation, 3.100.40.4]
[C:\WINDOWS\System32\AegisE5.dll] [Meetinghouse Data Communications, 3, 0, 2, 29]
[C:\WINDOWS\System32\wltrynt.dll] [Broadcom Corporation, 3.100.40.4]
[PID: 1832][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
[C:\WINDOWS\system32\clpa1lmk.dll] [Samsung Electronics., 1.1.1.0]
[C:\WINDOWS\System32\spool\PRTPROCS\W32X86\filterpipelineprintproc.dll] [Microsoft Corporation, 6.0.5824.16384 (winmain(wmbla).060911-0725)]
[PID: 1892][C:\WINDOWS\system32\Ati2evxx.exe] [ATI Technologies Inc., 6.14.10.4113]
[C:\WINDOWS\system32\Ati2edxx.dll] [ATI Technologies, Inc., 6, 14, 10, 2496]
[PID: 1960][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll] [Adobe Systems, Inc., 7.0.0.0]
[C:\WINDOWS\system32\msadp32.acm] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 496][C:\WINDOWS\SOUNDMAN.EXE] [Realtek Semiconductor Corp., 1, 0, 0, 14]
[PID: 420][C:\WINDOWS\ALCWZRD.EXE] [RealTek Semicoductor Corp., 1.1.0.14]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 588][C:\Program Files\ATI Technologies\ATI.ACE\cli.exe] [ATI Technologies Inc., 1.1.1879.40242]
[C:\WINDOWS\system32\mscoree.dll] [Microsoft Corporation, 2.0.50727.42 (RTM.050727-4200)]
[C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll] [Microsoft Corporation, 1.1.4322.2032]
[C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\fusion.dll] [Microsoft Corporation, 1.1.4322.2032]
[c:\windows\microsoft.net\framework\v1.1.4322\mscorlib.dll] [Microsoft Corporation, 1.1.4322.2032]
[c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_7786467d\mscorlib.dll] [N/A, ]
[C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll] [Microsoft Corporation, 1.1.4322.573]
[c:\program files\ati technologies\ati.ace\log.foundation.dll] [ATI Technologies Inc., 1.1.1879.39991]
[C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MSCORJIT.DLL] [Microsoft Corporation, 1.1.4322.2032]
[c:\program files\ati technologies\ati.ace\cli.foundation.dll] [ATI Technologies Inc., 1.1.1879.39992]
[c:\program files\ati technologies\ati.ace\log.foundation.service.dll] [ATI Technologies Inc., 1.1.1879.40236]
[c:\program files\ati technologies\ati.ace\log.foundation.shared.dll] [ATI Technologies Inc., 1.1.1879.40001]
[c:\windows\assembly\gac\system.runtime.remoting\1.0.5000.0__b77a5c561934e089\system.runtime.remoting.dll] [Microsoft Corporation, 1.1.4322.2032]
[c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll] [Microsoft Corporation, 1.1.4322.2032]
[c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_3398a8d7\system.dll] [N/A, ]
[c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll] [Microsoft Corporation, 1.1.4322.2032]
[c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_8ee29ade\system.windows.forms.dll] [N/A, ]
[c:\program files\ati technologies\ati.ace\cli.foundation.xmanifestation.dll] [ATI Technologies Inc., 1.1.1879.40159]
[c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll] [Microsoft Corporation, 1.1.4322.2032]
[c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_3fbef339\system.xml.dll] [N/A, ]
[c:\program files\ati technologies\ati.ace\cli.component.runtime.dll] [ATI Technologies Inc., 1.1.1879.40237]
[c:\program files\ati technologies\ati.ace\aem.foundation.dll] [ATI Technologies Inc., 1.1.1879.39992]
[c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll] [Microsoft Corporation, 1.1.4322.2032]
[c:\windows\assembly\gac\accessibility\1.0.5000.0__b03f5f7f11d50a3a\accessibility.dll] [Microsoft Corporation, 1.1.4322.573]
[C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]
[c:\program files\ati technologies\ati.ace\cli.caste.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40003]
[c:\program files\ati technologies\ati.ace\cli.component.runtime.shared.dll] [ATI Technologies Inc., 1.1.1879.40000]
[c:\program files\ati technologies\ati.ace\cli.caste.graphics.runtime.shared.dll] [ATI Technologies Inc., 1.1.1879.39999]
[c:\program files\ati technologies\ati.ace\cli.caste.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.39993]
[c:\program files\ati technologies\ati.ace\dem.foundation.dll] [ATI Technologies Inc., 1.1.1879.39992]
[c:\program files\ati technologies\ati.ace\dem.graphics.displaysmanager.shared.dll] [ATI Technologies Inc., 1.1.1879.39992]
[c:\program files\ati technologies\ati.ace\dem.graphics.demosinfo.dll] [ATI Technologies Inc., 1.1.1879.39999]
[c:\program files\ati technologies\ati.ace\dem.graphics.demosadapterinfo.dll] [ATI Technologies Inc., 1.1.1879.39993]
[c:\program files\ati technologies\ati.ace\dem.graphics.dematiadapterinfo.dll] [ATI Technologies Inc., 1.1.1879.39993]
[c:\program files\ati technologies\ati.ace\dem.graphics.demdriversettings.dll] [ATI Technologies Inc., 1.1.1879.39993]
[C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\perfcounter.dll] [Microsoft Corporation, 1.1.4322.2032]
[C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_perf.dll] [Microsoft Corporation, 2.0.50727.42 (RTM.050727-4200)]
[C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll] [Microsoft Corporation, 1.1.4322.2032]
[c:\windows\assembly\gac\system.web\1.0.5000.0__b03f5f7f11d50a3a\system.web.dll] [Microsoft Corporation, 1.1.4322.2037]
[c:\program files\ati technologies\ati.ace\atidemgr.dll] [ATI Technologies Inc., 1.1.1879.40159]
[c:\program files\ati technologies\ati.ace\dem.graphics.demosmodeinfo.dll] [ATI Technologies Inc., 1.1.1879.40000]
[c:\program files\ati technologies\ati.ace\dem.graphics.dematidisplaysmanagersettings.dll] [ATI Technologies Inc., 1.1.1879.39993]
[c:\program files\ati technologies\ati.ace\dem.graphics.demdisplayscoloursettings.dll] [ATI Technologies Inc., 1.1.1879.40000]
[c:\program files\ati technologies\ati.ace\dem.graphics.demvideooverlaysettings.dll] [ATI Technologies Inc., 1.1.1879.40020]
[c:\program files\ati technologies\ati.ace\dem.graphics.demsmartgartsettings.dll] [ATI Technologies Inc., 1.1.1879.40020]
[c:\program files\ati technologies\ati.ace\dem.graphics.demumaframebuffersettings.dll] [ATI Technologies Inc., 1.1.1879.40020]
[c:\program files\ati technologies\ati.ace\dem.graphics.dempowerplaysettings.dll] [ATI Technologies Inc., 1.1.1879.40018]
[c:\program files\ati technologies\ati.ace\dem.graphics.demoverdrivesettings.dll] [ATI Technologies Inc., 1.1.1879.40018]
[c:\program files\ati technologies\ati.ace\dem.graphics.demoverdrive3settings.dll] [ATI Technologies Inc., 1.1.1879.40001]
[c:\program files\ati technologies\ati.ace\dem.graphics.demdisplaysmanageroptionssettings.dll] [ATI Technologies Inc., 1.1.1879.40021]
[c:\program files\ati technologies\ati.ace\dem.graphics.workstationsettings.dll] [ATI Technologies Inc., 1.1.1879.40021]
[c:\program files\ati technologies\ati.ace\dem.graphics.demdevicecommonsettings.dll] [ATI Technologies Inc., 1.1.1879.40019]
[c:\program files\ati technologies\ati.ace\dem.graphics.demdevicecrtsettings.dll] [ATI Technologies Inc., 1.1.1879.40018]
[c:\program files\ati technologies\ati.ace\dem.graphics.demdevicecomponentvideosettings.dll] [ATI Technologies Inc., 1.1.1879.39993]
[c:\program files\ati technologies\ati.ace\dem.graphics.demdevicetvsettings.dll] [ATI Technologies Inc., 1.1.1879.40019]
[c:\program files\ati technologies\ati.ace\dem.graphics.demdevicedfpsettings.dll] [ATI Technologies Inc., 1.1.1879.40018]
[c:\program files\ati technologies\ati.ace\dem.graphics.demdevicelcdsettings.dll] [ATI Technologies Inc., 1.1.1879.40018]
[c:\program files\ati technologies\ati.ace\dem.graphics.demvpurecoverinfo.dll] [ATI Technologies Inc., 1.1.1879.40019]
[c:\program files\ati technologies\ati.ace\dem.graphics.mmoverlaysettings.dll] [ATI Technologies Inc., 1.1.1879.40017]
[c:\program files\ati technologies\ati.ace\dem.graphics.mmdeintlacingsettings.dll] [ATI Technologies Inc., 1.1.1879.40018]
[c:\program files\ati technologies\ati.ace\dem.graphics.demvideotheatermodesettings.dll] [ATI Technologies Inc., 1.1.1879.40007]
[c:\program files\ati technologies\ati.ace\dem.graphics.demdevicetv2settings.dll] [ATI Technologies Inc., 1.1.1879.40021]
[c:\windows\assembly\gac\system.management\1.0.5000.0__b03f5f7f11d50a3a\system.management.dll] [Microsoft Corporation, 1.1.4322.2032]
[C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\WMINet_Utils.dll] [Microsoft Corporation, 1.1.4322.2032]
[c:\program files\ati technologies\ati.ace\cli.aspect.radeon3d.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40190]
[c:\program files\ati technologies\ati.ace\cli.aspect.radeon3dlegacy.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40190]
[c:\program files\ati technologies\ati.ace\cli.aspect.radeon3dlegacy.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40001]
[c:\program files\ati technologies\ati.ace\cli.aspect.displayscolour.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40019]
[c:\program files\ati technologies\ati.ace\cli.aspect.displayscolour.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.39999]
[c:\program files\ati technologies\ati.ace\cli.aspect.videooverlay.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40067]
[c:\program files\ati technologies\ati.ace\cli.aspect.videooverlay.graphics.runtime.shared.dll] [ATI Technologies Inc., 1.1.1879.40021]
[c:\program files\ati technologies\ati.ace\dem.graphics.videooverlay.shared.dll] [ATI Technologies Inc., 1.1.1879.40000]
[c:\program files\ati technologies\ati.ace\cli.aspect.smartgart.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40115]
[c:\program files\ati technologies\ati.ace\cli.aspect.vpurecover.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40115]
[c:\program files\ati technologies\ati.ace\cli.aspect.vpurecover.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40019]
[c:\program files\ati technologies\ati.ace\cli.aspect.workstationconfig.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40109]
[c:\program files\ati technologies\ati.ace\cli.aspect.devicecrt.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40078]
[c:\program files\ati technologies\ati.ace\cli.aspect.devicelcd.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40159]
[c:\program files\ati technologies\ati.ace\cli.aspect.devicecv.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40171]
[c:\program files\ati technologies\ati.ace\cli.aspect.devicecv.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40000]
[c:\program files\ati technologies\ati.ace\cli.aspect.devicetv.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40236]
[c:\program files\ati technologies\ati.ace\cli.aspect.devicedfp.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40236]
[c:\program files\ati technologies\ati.ace\cli.aspect.overdrive3.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40160]
[c:\program files\ati technologies\ati.ace\cli.aspect.overdrive3.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40018]
[c:\program files\ati technologies\ati.ace\cli.aspect.overdrive2.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40054]
[c:\program files\ati technologies\ati.ace\cli.aspect.powerplay3.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40055]
[c:\program files\ati technologies\ati.ace\cli.aspect.powerplay3.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40000]
[c:\program files\ati technologies\ati.ace\cli.aspect.displaysoptions.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40138]
[c:\program files\ati technologies\ati.ace\cli.aspect.integratedumaframebuffer.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40077]
[c:\program files\ati technologies\ati.ace\cli.aspect.infocentre.graphics.runtime.dll] [ATI Technologies Inc., 1.1.1879.40022]
[c:\program files\ati technologies\ati.ace\cli.aspect.infocentre.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40021]
[c:\program files\ati technologies\ati.ace\cli.aspect.radeon3d.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40007]
[c:\program files\ati technologies\ati.ace\cli.aspect.videooverlay.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40020]
[c:\program files\ati technologies\ati.ace\cli.aspect.deviceproperty.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.39993]
[c:\program files\ati technologies\ati.ace\cli.aspect.devicecrt.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40020]
[c:\program files\ati technologies\ati.ace\cli.aspect.devicetv.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40001]
[c:\program files\ati technologies\ati.ace\cli.aspect.devicedfp.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40001]
[c:\program files\ati technologies\ati.ace\cli.aspect.displaysoptions.graphics.shared.dll] [ATI Technologies Inc., 1.1.1879.40019]
[c:\program files\ati technologies\ati.ace\apm.foundation.dll] [ATI Technologies Inc., 1.1.1879.40021]
[PID: 600][C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe] [GRISOFT, s.r.o., 7.5.0.460]
[C:\PROGRA~1\Grisoft\AVGFRE~1\AvgTMgr.dll] [GRISOFT, s.r.o., 7.5.0.458]
[C:\PROGRA~1\Grisoft\AVGFRE~1\AvgCtrl.dll] [GRISOFT, s.r.o., 7.5.0.458]
[C:\WINDOWS\system32\MFC71.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\PROGRA~1\Grisoft\AVGFRE~1\AvgAbout.dll] [GRISOFT, s.r.o., 7.5.0.458]
[C:\PROGRA~1\Grisoft\AVGFRE~1\AvgTest.dll] [GRISOFT, s.r.o., 7.5.0.458]
[C:\PROGRA~1\Grisoft\AVGFRE~1\AvgTRes.dll] [GRISOFT, s.r.o., 7.5.0.458]
[C:\PROGRA~1\Grisoft\AVGFRE~1\AvgSet.dll] [, ]
[C:\WINDOWS\system32\MFC71ENU.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\PROGRA~1\Grisoft\AVGFRE~1\avglog.dll] [GRISOFT, s.r.o., 7.5.0.429]
[C:\Program Files\Grisoft\AVG Free\avgcfg.dll] [GRISOFT, s.r.o., 7.5.0.460]
[C:\Program Files\Grisoft\AVG Free\avgklib.dll] [GRISOFT, s.r.o., 7.5.0.458]
[C:\Program Files\Grisoft\AVG Free\avglng.dll] [GRISOFT, s.r.o., 7.5.0.429]
[C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]
[C:\Program Files\Grisoft\AVG Free\avgf.dll] [N/A, ]
[C:\Program Files\Grisoft\AVG Free\AVGRES.DLL] [N/A, ]
[C:\Program Files\Grisoft\AVG Free\avgcckrn.dll] [GRISOFT, s.r.o., 7.5.0.460]
[C:\Program Files\Grisoft\AVG Free\avgvault.dll] [GRISOFT, s.r.o., 7.5.0.458]
[C:\Program Files\Grisoft\AVG Free\avgrep.dll] [GRISOFT, s.r.o., 7.5.0.448]
[C:\Program Files\Grisoft\AVG Free\avgunarc.dll] [GRISOFT, s.r.o., 7.5.0.449]
[C:\PROGRA~1\Grisoft\AVGFRE~1\avgemsui.dll] [GRISOFT, s.r.o., 7.5.0.458]
[C:\PROGRA~1\Grisoft\AVGFRE~1\avgemcps.dll] [GRISOFT, s.r.o., 7.5.0.420]
[PID: 764][C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe] [Sun Microsystems, Inc., 6.0.10.6]
[C:\Program Files\Java\jre1.6.0_01\bin\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[PID: 928][C:\Program Files\Common Files\Real\Update_OB\realsched.exe] [RealNetworks, Inc., 0.1.0.3292]
[PID: 920][C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe] [Roxio, 7.1.0.220 ]
[C:\WINDOWS\system32\CDRTC.DLL] [Roxio, 7.1.0.220 ]
[C:\WINDOWS\system32\cdral.DLL] [Roxio, 7.1.0.220 ]
[C:\Program Files\Common Files\Roxio Shared\DLLShared\apm.dll] [, 1, 0, 0, 1]
[C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]
[PID: 1188][C:\Program Files\QuickTime\qttask.exe] [Apple Computer, Inc., 7.1.3]
[PID: 1368][C:\Program Files\iTunes\iTunesHelper.exe] [Apple Computer, Inc., 7.0.2.16]
[C:\Program Files\iTunes\iTunesHelper.Resources\en.lproj\iTunesHelperLocalized.DLL] [Apple Computer, Inc., 7.0.2.16]
[C:\Program Files\iTunes\iTunesHelper.Resources\iTunesHelper.DLL] [Apple Computer, Inc., 7.0.2.16]
[PID: 1380][C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe] [Plaxo, Inc., 2.12.1.1]
[C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]
[PID: 2044][C:\Program Files\Common Files\Sonic Shared\CineTray.exe] [Sonic Solutions, 2.1.00.0041]
[C:\WINDOWS\system32\MFC70.DLL] [Microsoft Corporation, 7.00.9466.0]
[C:\WINDOWS\system32\MSVCR70.dll] [Microsoft Corporation, 7.00.9466.0]
[C:\WINDOWS\system32\MSVCP70.dll] [Microsoft Corporation, 7.00.9466.0]
[C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]
[PID: 180][C:\Program Files\Microsoft Office\Office\OSA.EXE] [N/A, ]
[C:\Program Files\Microsoft Office\Office\MSO97.DLL] [, ]
[C:\Program Files\Microsoft Office\Office\osaintl.dll] [Microsoft Corporation, 8.0]
[PID: 2964][C:\WINDOWS\system32\NOTEPAD.EXE] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]
[PID: 3936][C:\Program Files\internet explorer\iexplore.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\system32\msadp32.acm] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx] [Adobe Systems, Inc., 9,0,28,0]
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll] [Adobe Systems, Inc., 7.0.0.0]
[PID: 2012][C:\Documents and Settings\Marie Belsten\Desktop\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[C:\Program Files\Plaxo\2.12.1.1\plx_hook.dll] [Plaxo, Inc., 2.12.1.1]
==================================
File Associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock Provider
N/A
==================================
Autorun.Inf
N/A
==================================
HOSTS File
127.0.0.1 localhost
==================================
API HOOK
N/A
==================================
Hidden Process
N/A
==================================
[/CODE]
miekiemoes
2007-06-22, 15:54
As far as I can see, the SRENG log looks OK.
C:\WINDOWS\system32\spmsg2.dll is OK as well.
But.. the other two files are related with the malware you were dealing with, so delete next files:
C:\WINDOWS\system32\sysdrv5.exe
C:\WINDOWS\system32\sysdrv3.exe
Let me know afterwards how everything is behaving now..
It is good that you made a backup - you should do this once in a while, just in case you get reinfected again and your system won't boot etc etc...
Hi,
I have deleted those two files as advised. Everything seems to be running OK at the moment. Do you think I should still re-format my PC now?
Many, many thanks for all your time and help with this. I really do appreciate it! :bigthumb:
miekiemoes
2007-06-22, 16:09
It looks like the malware should be gone now.... But as I said previously, especially with this variant of infection, you cannot trust this computer anymore for 100%.
If everything works OK and you don't notice any problems anymore, then leave it as it is.
As an extra addition, just to be sure, install Keyscrambler:
http://www.qfxsoftware.com/products.htm
This will give you extra protection while you do your online banking, because it encrypts your keystrokes. You may want to read this:
http://www.bleepingcomputer.com/securityblog/2006/11/30/protecting-your-login-information-with-keyscrambler/
Glad I could help. :)
Please read my Prevention page (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html).
Happy Surfing again!