View Full Version : Problem removing ldcore.dll
adamczykon
2007-11-10, 15:15
I would greatly appreciate any assistance with removing this annoying malware.
Here is my HJT Log (Kaspersky log to follow):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:19 AM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\command.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\windows\system32\ksdsrngo.exe
C:\Program Files\ASAP\ASAPSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\rwintldq.exe
C:\WINDOWS\SYSTEM32\??pPatch\s?ool32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\pmnlmnl.dll (file missing)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {91DA894E-64D9-3C2B-892F-4FE6078408C6} - C:\WINDOWS\system32\xzfyh.dll
O2 - BHO: (no name) - {91F6BC8D-E607-4CDF-8C5E-3CC14FAABF97} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: ASAP Browser Helper Object - {9A2A2BF3-A049-407A-B548-4668E673DCF7} - C:\Program Files\ASAP\ASAPBHO.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINDOWS\system32\aivskurq.dll (file missing)
O2 - BHO: (no name) - {A8FD2B6E-2560-44EA-938F-1AD41B931361} - C:\Program Files\microsoft frontpage\mexoca4444.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com; ad=http://spyguardpro.com
O4 - HKLM\..\Run: [{A4-40-01-12-ZN}] C:\windows\system32\ksdsrngo.exe CHD001
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rwintldq.exe CHD001
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ASAPSvc.exe] "C:\Program Files\ASAP\ASAPSvc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\ksdsrngo.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\rwintldq.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://config.skillcheck.com/onlinetesting/icaclients/win32/8.1.00/onlinetesting.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152571135828
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: pmnlmnl - pmnlmnl.dll (file missing)
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3RldmUgQWRhbWN6eWs\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\wlsijpur.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe (file missing)
--
End of file - 12233 bytes
adamczykon
2007-11-10, 15:17
Again, any assistance with cleaning this up would be greatly appreciated.
Here is my Kaspersky Log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, November 10, 2007 8:03:23 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/11/2007
Kaspersky Anti-Virus database records: 455723
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 132120
Number of viruses found: 12
Number of infected objects: 54
Number of suspicious objects: 0
Duration of the scan process: 02:37:10
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output\Steve\~Running.ping Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\History\History.IE5\MSHist012007110920071110\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\CEMG555077.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\CEMG555077.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Steve\Local Settings\Temp\cmdinst.exe/file1 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\cmdinst.exe/file2 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\cmdinst.exe/file4 Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\cmdinst.exe Inno: infected - 3 skipped
C:\Documents and Settings\Steve\Local Settings\Temp\install_en.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Steve\Local Settings\Temp\k11u72.exe/data0006 Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\Documents and Settings\Steve\Local Settings\Temp\k11u72.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Steve\Local Settings\Temp\NI.UGA6P_0001_N122M2210\setup.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\Perflib_Perfdata_d60.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\Perflib_Perfdata_f8c.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~DF146B.tmp Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~uga6psetup.exe/file14 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~uga6psetup.exe/file20 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~uga6psetup.exe/file34 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~uga6psetup.exe/file36 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~uga6psetup.exe Inno: infected - 4 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\5V5RMFNS\install_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\JM1HGTNV\k11u72[1].exe/data0006 Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\JM1HGTNV\k11u72[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\installer[1].exe/file1 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\installer[1].exe/file2 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\installer[1].exe/file4 Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\installer[1].exe Inno: infected - 3 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\TTC-4444[1].exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\TTC-4444[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\acdt-pid72[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\acdt-pid72[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\installer[1].exe/file1 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\installer[1].exe/file2 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\installer[1].exe/file4 Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\installer[1].exe Inno: infected - 3 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\YQ8Y37AI\sep_WOO_SCH_MOTO315_black_728x90[1].swf Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\YQ8Y37AI\woo_july_U520_728x90[1].swf Object is locked skipped
C:\Documents and Settings\Steve\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Steve\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ASAP\ASAPBHO_log.html Object is locked skipped
C:\Program Files\Common Files\Yazzle1549OinAdmin.exe Object is locked skipped
C:\Program Files\HP Web Jetadmin\logs\access_log Object is locked skipped
C:\Program Files\HP Web Jetadmin\logs\error_log Object is locked skipped
C:\Program Files\HP Web Jetadmin\logs\ssl_request_log Object is locked skipped
C:\Program Files\microsoft frontpage\mexoca4444.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\microsoft frontpage\mexoca555077.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\microsoft frontpage\mexoca83122.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\Network Monitor\netmon.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Program Files\Temporary\wininstall.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112840.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112841.dll Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112842.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112875.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112876.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112877.dll Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112889.dll Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112892.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112910.exe Infected: not-a-virus:AdWare.Win32.Agent.tb skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112974.dll Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112975.dll Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112976.dll Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112977.dll Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112978.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112979.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112980.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112981.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\change.log Object is locked skipped
C:\Temp\ocli.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\Temp\ocli.exe/data0003 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Temp\ocli.exe/data0004/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Temp\ocli.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Temp\ocli.exe/data0005 Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\Temp\ocli.exe NSIS: infected - 5 skipped
C:\WINDOWS\b122.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\fkwggshm.exe Object is locked skipped
C:\WINDOWS\mrofinu1000106.exe Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\a1\rarndrll2.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\ACEEvent.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\core.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\g2\caws83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\SYSTEM32\g2\caws83122.exe NSIS: infected - 1 skipped
C:\WINDOWS\SYSTEM32\h1\wdb51en.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\ldcore.dll Object is locked skipped
C:\WINDOWS\SYSTEM32\Logfiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\SYSTEM32\Mz08r\Mz08r1099.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\r2\wr31drs.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\winexy32.dll Object is locked skipped
C:\WINDOWS\TTC-4444.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\TTC-4444.exe NSIS: infected - 1 skipped
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\wbun.exe Infected: not-a-virus:AdWare.Win32.Agent.tb skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Hello and welcome to the Forums :)
You're quite infected...
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
adamczykon
2007-11-11, 21:23
ComboFix 07-11-08.1 - Steve 2007-11-11 13:37:23.1 - NTFSx86
Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe
* Created a new restore point
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\Steve\ResErrors.log
C:\Documents and Settings\Steve\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\Steve\Start Menu\Programs\Startup\think-adz.lnk
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\764.exe
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\g2\caws83122.exe
C:\WINDOWS\system32\h1
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ppatch~1
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\v8
C:\WINDOWS\system32\v8\taldrvr11.exe
C:\WINDOWS\system32\xzfyh.dll
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\asappsrv.dll
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\command.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbun.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FMTR
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\core
((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.
2007-11-11 13:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-11 13:49 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\SUPERAntiSpyware.com
2007-11-11 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-11 13:31 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 20:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-09 20:58 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-11-09 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\AVG7
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-09 19:22 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Viewpoint
2007-11-09 18:57 4 --a------ C:\WINDOWS\SYSTEM32\stfv.bin
2007-11-09 18:56 443,454 --ahs---- C:\WINDOWS\SYSTEM32\wybeg.bak2
2007-11-09 05:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\acespy
2007-11-09 05:23 6,465 --ahs---- C:\WINDOWS\SYSTEM32\wybeg.bak1
2007-11-09 05:20 12 --a------ C:\WINDOWS\SYSTEM32\dpqaqlqx.bin
2007-11-09 05:19 196,680 --a------ C:\WINDOWS\SYSTEM32\rwintldq.exe
2007-11-09 05:18 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\SpyGuardPro
2007-11-09 05:18 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2007-11-09 05:18 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-11-09 05:16 <DIR> d--hs---- C:\WINDOWS\U3RldmUgQWRhbWN6eWs
2007-11-08 13:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\Mz08r
2007-11-08 13:18 <DIR> d-------- C:\Temp\mZOr
2007-11-08 13:18 <DIR> d-------- C:\Temp
2007-11-08 13:18 507,179 --a------ C:\Temp\ocli.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 18:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 21:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-10 00:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-10 00:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-10 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-09 10:19 --------- d-----w C:\Program Files\microsoft frontpage
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\U3RldmUgQWRhbWN6eWs\oal5xAo0kql1vqhdyqP.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]
C:\WINDOWS\system32\pmnlmnl.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91F6BC8D-E607-4CDF-8C5E-3CC14FAABF97}]
C:\WINDOWS\system32\gebyw.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]
C:\WINDOWS\system32\aivskurq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FD2B6E-2560-44EA-938F-1AD41B931361}]
2007-08-02 08:43 282624 --a------ C:\Program Files\microsoft frontpage\mexoca4444.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"WinVNC"="C:\Program Files\TightVNC\WinVNC.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-22 18:59]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-03 12:00]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-11 11:55]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 04:00]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-09 19:31]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASAPSvc.exe"="C:\Program Files\ASAP\ASAPSvc.exe" [2006-01-11 22:08]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB6631"=command /c del "C:\WINDOWS\settn.dll_tobedeleted"
"SpybotDeletingD3992"=cmd /c del "C:\WINDOWS\settn.dll_tobedeleted"
"SpybotDeletingB3583"=command /c del "C:\WINDOWS\kvnab.dll_tobedeleted"
"SpybotDeletingD5923"=cmd /c del "C:\WINDOWS\kvnab.dll_tobedeleted"
"SpybotDeletingB4389"=command /c del "C:\WINDOWS\SYSTEM32\wml.exe_tobedeleted"
"SpybotDeletingD8871"=cmd /c del "C:\WINDOWS\SYSTEM32\wml.exe_tobedeleted"
"SpybotDeletingB155"=command /c del "C:\WINDOWS\SYSTEM32\vxddsk.exe_tobedeleted"
"SpybotDeletingD1415"=cmd /c del "C:\WINDOWS\SYSTEM32\vxddsk.exe_tobedeleted"
"SpybotDeletingB8745"=command /c del "C:\WINDOWS\flt.dll_tobedeleted"
"SpybotDeletingD2410"=cmd /c del "C:\WINDOWS\flt.dll_tobedeleted"
"SpybotDeletingB5913"=command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk_tobedeleted"
"SpybotDeletingD1884"=cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk_tobedeleted"
"SpybotDeletingB3543"=command /c del "C:\WINDOWS\SYSTEM32\drivers\core.sys_tobedeleted"
"SpybotDeletingD3584"=cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.sys_tobedeleted"
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-06-22 10:00:55]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-14 10:28:03]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-09-28 19:44:49]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"= C:\WINDOWS\system32\pmnlmnl.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlmnl]
pmnlmnl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexy32]
winexy32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebyw.dll
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 AsfAlrt;AsfAlrt;\??\C:\WINDOWS\System32\drivers\AsfAlrt.sys
R2 HPWebJetadmin;HP Web Jetadmin;"C:\Program Files\HP Web Jetadmin\hpwebjetd.exe" -k runservice
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 14:05:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-11 14:20:55 - machine was rebooted
.
--- E O F ---
Hi.
You have this aceapy keylogger installed. I'll assume that you haven't installed it on purpose; One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.
Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location.Note: to restore your registry, go to the backup folder and start ERDNT.exe
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Make sure there are NO blank lines before Windows Registry Editor Version 5.00
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Open notepad and copy/paste the text in the quotebox below into it:
Folder::
C:\WINDOWS\SYSTEM32\acespy
C:\Documents and Settings\Steve\Application Data\SpyGuardPro
C:\WINDOWS\U3RldmUgQWRhbWN6eWs
C:\WINDOWS\SYSTEM32\Mz08r
C:\Temp\mZOr
File::
C:\WINDOWS\SYSTEM32\stfv.bin
C:\WINDOWS\SYSTEM32\wybeg.bak2
C:\WINDOWS\SYSTEM32\wybeg.bak1
C:\WINDOWS\SYSTEM32\dpqaqlqx.bin
C:\WINDOWS\SYSTEM32\rwintldq.exe
C:\WINDOWS\system32\pmnlmnl.dll
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\aivskurq.dll
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\system32\gebyw.dll
C:\Program Files\microsoft frontpage\mexoca4444.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91F6BC8D-E607-4CDF-8C5E-3CC14FAABF97}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FD2B6E-2560-44EA-938F-1AD41B931361}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"=-
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlmnl]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexy32]
Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
adamczykon
2007-11-15, 01:28
I followed your instructions and came up with the following combofix file (new HJT file to follow):
ComboFix 07-11-08.1 - Steve 2007-11-14 18:12:15.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.768 [GMT -5:00]
Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steve\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Program Files\microsoft frontpage\mexoca4444.dll
C:\WINDOWS\system32\aivskurq.dll
C:\WINDOWS\SYSTEM32\dpqaqlqx.bin
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\pmnlmnl.dll
C:\WINDOWS\SYSTEM32\rwintldq.exe
C:\WINDOWS\SYSTEM32\stfv.bin
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\SYSTEM32\wybeg.bak1
C:\WINDOWS\SYSTEM32\wybeg.bak2
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Steve\Application Data\SpyGuardPro
C:\Documents and Settings\Steve\Application Data\SpyGuardPro\avtasks.dat
C:\Documents and Settings\Steve\Application Data\SpyGuardPro\Logs\av.log
C:\Documents and Settings\Steve\Application Data\SpyGuardPro\Logs\ga6Support.log
C:\Documents and Settings\Steve\Application Data\SpyGuardPro\Logs\update.log
C:\Documents and Settings\Steve\Application Data\SpyGuardPro\PGE.dat
C:\Program Files\microsoft frontpage\mexoca4444.dll
C:\Temp\mZOr
C:\WINDOWS\SYSTEM32\acespy
C:\WINDOWS\SYSTEM32\acespy\__acelog.ndx
C:\WINDOWS\SYSTEM32\acespy\systune.exe
C:\WINDOWS\SYSTEM32\dpqaqlqx.bin
C:\WINDOWS\SYSTEM32\Mz08r
C:\WINDOWS\SYSTEM32\rwintldq.exe
C:\WINDOWS\SYSTEM32\stfv.bin
C:\WINDOWS\SYSTEM32\wybeg.bak1
C:\WINDOWS\SYSTEM32\wybeg.bak2
C:\WINDOWS\U3RldmUgQWRhbWN6eWs
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\oal5xAo0kql1vqhdyqP.vbs
.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.
2007-11-11 13:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-11 13:49 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\SUPERAntiSpyware.com
2007-11-11 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-11 13:31 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 20:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-09 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\AVG7
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-09 19:22 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Viewpoint
2007-11-09 05:18 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2007-11-09 05:18 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-11-08 13:18 <DIR> d-------- C:\Temp
2007-11-08 13:18 507,179 --a------ C:\Temp\ocli.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 22:41 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-14 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-11 18:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 00:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-10 00:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-10 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
.
((((((((((((((((((((((((((((( snapshot@2007-11-11_14.07.26.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\11-14-2007\ERDNT.EXE
+ 2007-11-14 22:33:59 4,833,280 ----a-w C:\WINDOWS\erdnt\11-14-2007\Users\00000001\NTUSER.DAT
+ 2007-11-14 22:34:00 12,288 ----a-w C:\WINDOWS\erdnt\11-14-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\2007-11-14\ERDNT.EXE
+ 2007-11-14 23:08:58 4,833,280 ----a-w C:\WINDOWS\erdnt\2007-11-14\Users\00000001\NTUSER.DAT
+ 2007-11-14 23:08:58 12,288 ----a-w C:\WINDOWS\erdnt\2007-11-14\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"WinVNC"="C:\Program Files\TightVNC\WinVNC.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-22 18:59]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-03 12:00]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-11 11:55]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 04:00]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-09 19:31]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASAPSvc.exe"="C:\Program Files\ASAP\ASAPSvc.exe" [2006-01-11 22:08]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-06-22 10:00:55]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-14 10:28:03]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-09-28 19:44:49]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= ???
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 AsfAlrt;AsfAlrt;\??\C:\WINDOWS\System32\drivers\AsfAlrt.sys
R2 HPWebJetadmin;HP Web Jetadmin;"C:\Program Files\HP Web Jetadmin\hpwebjetd.exe" -k runservice
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 18:15:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-11-14 18:16:34
C:\ComboFix2.txt ... 2007-11-11 18:41
C:\ComboFix3.txt ... 2007-11-11 14:20
.
--- E O F ---
adamczykon
2007-11-15, 01:30
And here's my latest HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:58 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ASAP\ASAPSvc.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Steve\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ASAP Browser Helper Object - {9A2A2BF3-A049-407A-B548-4668E673DCF7} - C:\Program Files\ASAP\ASAPBHO.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ASAPSvc.exe] "C:\Program Files\ASAP\ASAPSvc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://config.skillcheck.com/onlinetesting/icaclients/win32/8.1.00/onlinetesting.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152571135828
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe (file missing)
--
End of file - 8525 bytes
Hi :)
We'll continue :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
We'll do this again:
Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location.Note: to restore your registry, go to the backup folder and start ERDNT.exe
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Make sure there are NO blank lines before Windows Registry Editor Version 5.00
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log
adamczykon
2007-11-17, 06:47
Here's the Drweb.csv file (HJT to follow).
NOTE: I am no longer able to use IE so I'm using Firefox to get to this forum (IE just opens and then immediately closes with no messages). Print spooler is also no longer running and I lost my installed printer.
04802078.FIL;C:\$VAULT$.AVG;Trojan.PurityAd.origin;Incurable.Moved.;
04804281.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
04805750.FIL;C:\$VAULT$.AVG;Trojan.Click.4740;Deleted.;
04823609.FIL;C:\$VAULT$.AVG;Trojan.Mezzia;Deleted.;
04826343.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.5013;Deleted.;
04826390.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.origin;Incurable.Moved.;
04828937.FIL;C:\$VAULT$.AVG;Trojan.Click.4740;Deleted.;
04830218.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.36206;Deleted.;
04832812.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.36206;Deleted.;
04833015.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
04837843.FIL;C:\$VAULT$.AVG;Trojan.EzulaAd;Deleted.;
04840031.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.origin;Incurable.Moved.;
04840156.FIL;C:\$VAULT$.AVG;Trojan.Click.4740;Deleted.;
04841078.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
05223171.FIL;C:\$VAULT$.AVG;Trojan.EzulaAd;Deleted.;
33646828.FIL;C:\$VAULT$.AVG;Trojan.Winpop.origin;Incurable.Moved.;
33646984.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
33647062.FIL;C:\$VAULT$.AVG;Trojan.Mezzia;Deleted.;
33647109.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.5013;Deleted.;
33647187.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.24715;Deleted.;
33647234.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.36206;Deleted.;
33647328.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
33647406.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
39813188.FIL;C:\$VAULT$.AVG;Trojan.Winpop.origin;Incurable.Moved.;
39815860.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
39817579.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
39817626.FIL;C:\$VAULT$.AVG;Trojan.Click.4740;Deleted.;
39817688.FIL;C:\$VAULT$.AVG;Trojan.EzulaAd;Deleted.;
39820141.FIL\data001;C:\$VAULT$.AVG\39820141.FIL;Adware.MediaTicket.origin;;
39820141.FIL\data002;C:\$VAULT$.AVG\39820141.FIL;Trojan.PurityAd.origin;;
39820141.FIL;C:\$VAULT$.AVG;Archive contains infected objects;Moved.;
39820313.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
39822079.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
39824610.FIL;C:\$VAULT$.AVG;Trojan.Mezzia;Deleted.;
39827126.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.5013;Deleted.;
39828860.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.24715;Deleted.;
39828938.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.36206;Deleted.;
mexoca555077.dll;C:\Program Files\microsoft frontpage;Adware.Ttc;Moved.;
mexoca83122.dll;C:\Program Files\microsoft frontpage;Adware.Ttc;Moved.;
mexoca4444.dll.vir;C:\qoobox\Quarantine\C\Program Files\microsoft frontpage;Adware.Ttc;Moved.;
rwintldq.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32;Adware.Hotbot.origin;Moved.;
xzfyh.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32;Adware.ClickSpring.origin;Moved.;
asappsrv.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\U3RldmUgQWRhbWN6eWs;Trojan.Proxy.493;Deleted.;
command.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\U3RldmUgQWRhbWN6eWs;Trojan.Proxy.493;Deleted.;
A0112847.exe\data002;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112847.exe;Trojan.DownLoader.origin;;
A0112847.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842;Archive contains infected objects;Moved.;
A0112875.sys;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842;Program.Winfixer - read error;;
A0112876.sys;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842;Program.Winfixer - read error;;
A0112887.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842;Trojan.Fakealert.352;Deleted.;
A0113108.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845;Trojan.DnsChange;Deleted.;
A0113143.dll;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847;Adware.ClickSpring.origin;Moved.;
A0113144.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847;Trojan.Proxy.493;Deleted.;
A0113145.dll;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847;Trojan.Proxy.493;Deleted.;
A0113314.dll;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP852;Adware.Ttc;Moved.;
A0113315.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP852;Adware.Hotbot.origin;Moved.;
adamczykon
2007-11-17, 06:49
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:48, on 2007-11-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\ASAP\ASAPSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ASAP Browser Helper Object - {9A2A2BF3-A049-407A-B548-4668E673DCF7} - C:\Program Files\ASAP\ASAPBHO.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ASAPSvc.exe] "C:\Program Files\ASAP\ASAPSvc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [ASAPSvc.exe] "C:\Program Files\ASAP\ASAPSvc.exe" (User '?')
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://config.skillcheck.com/onlinetesting/icaclients/win32/8.1.00/onlinetesting.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152571135828
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe (file missing)
--
End of file - 8358 bytes
Hmm okay we'll do some more research...
Then, please do the following...
To generate a HijackThis Startup list:
1. Open HijackThis by double-clicking the desktop shortcut or HijackThis.exe
2. Click on "Open the Misc Tools Section"
3. Make sure that both boxes to the right of "Generate StartupList Log" are checked:
* List also minor sections (Full)
* List empty sections (Complete)
4. Click "Generate StartupListLog"
5. Click "Yes" at the prompt.
6. A Notepad window will open with the contents of the HijackThis Startup list displayed
7. Copy & Paste that log to here
adamczykon
2007-11-18, 17:43
Here's the Startup List Log (too long for one post so I'm splitting it into two parts):
StartupList report, 2007-11-18, 10:40:43
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Steve\Desktop\HiJackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16544)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ASAP\ASAPSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Steve\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
diagent = "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
UpdReg = C:\WINDOWS\UpdReg.EXE
WinVNC = "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
ATICCC = "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
EPSON Stylus C88 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
eFax 4.3 = "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ASAPSvc.exe = "C:\Program Files\ASAP\ASAPSvc.exe"
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
updateMgr = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe
SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
ASAP Browser Helper Object - C:\Program Files\ASAP\ASAPBHO.dll - {9A2A2BF3-A049-407A-B548-4668E673DCF7}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
--------------------------------------------------
Enumerating Task Scheduler jobs:
*No jobs found*
--------------------------------------------------
Enumerating Download Program Files:
[Office Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\OGACheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=58813
[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
[Citrix ICA Client]
InProcServer32 = C:\PROGRA~1\Citrix\icaweb32\WFICA.OCX
CODEBASE = https://config.skillcheck.com/onlinetesting/icaclients/win32/8.1.00/onlinetesting.cab
[{31435657-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
[LinkedIn ContactFinderControl]
InProcServer32 = C:\WINDOWS\DOWNLO~1\LINKED~1.DLL
CODEBASE = http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152571135828
[get_atlcom Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gp.ocx
CODEBASE = http://www.adobe.com/products/acrobat/nos/gp.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx
CODEBASE = http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
--------------------------------------------------
(Part 2 to follow)
adamczykon
2007-11-18, 17:47
Here is part 2 (of 3) of the Startup List Log:
Enumerating Windows NT/2000/XP services
abp480n5: \SystemRoot\System32\DRIVERS\ABP480N5.SYS (disabled)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adpu160m: \SystemRoot\System32\DRIVERS\adpu160m.sys (disabled)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Compaq AGP Bus Filter: \SystemRoot\System32\DRIVERS\agpCPQ.sys (disabled)
Aha154x: \SystemRoot\System32\DRIVERS\aha154x.sys (disabled)
aic78u2: \SystemRoot\System32\DRIVERS\aic78u2.sys (disabled)
aic78xx: \SystemRoot\System32\DRIVERS\aic78xx.sys (disabled)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: \SystemRoot\System32\DRIVERS\aliide.sys (disabled)
ALI AGP Bus Filter: \SystemRoot\System32\DRIVERS\alim1541.sys (disabled)
AMD AGP Bus Filter Driver: \SystemRoot\System32\DRIVERS\amdagp.sys (disabled)
amsint: \SystemRoot\System32\DRIVERS\amsint.sys (disabled)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
asc: \SystemRoot\System32\DRIVERS\asc.sys (disabled)
asc3350p: \SystemRoot\System32\DRIVERS\asc3350p.sys (disabled)
asc3550: \SystemRoot\System32\DRIVERS\asc3550.sys (disabled)
ASF Agent: C:\Program Files\Intel\ASF Agent\ASFAgent.exe (autostart)
AsfAlrt: \??\C:\WINDOWS\System32\drivers\AsfAlrt.sys (autostart)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\SYSTEM32\ati2sgag.exe (autostart)
ati2mtag: system32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (autostart)
AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
Belarc SMBios Access: \SystemRoot\System32\Drivers\BANTExt.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
catchme: \??\C:\DOCUME~1\Steve\LOCALS~1\Temp\catchme.sys (manual start)
cbidf: \SystemRoot\System32\DRIVERS\cbidf2k.sys (disabled)
cd20xrnt: \SystemRoot\System32\DRIVERS\cd20xrnt.sys (disabled)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
CmdIde: \SystemRoot\System32\DRIVERS\cmdide.sys (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: \SystemRoot\System32\DRIVERS\cpqarray.sys (disabled)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Creative SoundFont Management Device Driver: System32\DRIVERS\ctsfm2k.sys (manual start)
dac2w2k: \SystemRoot\System32\DRIVERS\dac2w2k.sys (disabled)
dac960nt: \SystemRoot\System32\DRIVERS\dac960nt.sys (disabled)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
MS IEEE-1284.4 Driver: System32\DRIVERS\Dot4.sys (manual start)
Print Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Prt.sys (manual start)
Dot4USB Filter Dot4USB Filter: System32\DRIVERS\dot4usb.sys (manual start)
dpti2o: \SystemRoot\System32\DRIVERS\dpti2o.sys (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel(R) PRO/1000 Network Connection Driver: System32\DRIVERS\e1000325.sys (manual start)
3Com EtherLink XL 90XB/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Google Updater Service: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
hpn: \SystemRoot\System32\DRIVERS\hpn.sys (disabled)
HP Web Jetadmin: "C:\Program Files\HP Web Jetadmin\hpwebjetd.exe" -k runservice (autostart)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i2omp: \SystemRoot\System32\DRIVERS\i2omp.sys (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV2: System32\DRIVERS\wATV03nt.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
Iap: C:\Program Files\Dell\OpenManage\Client\Iap.exe (autostart)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
ini910u: \SystemRoot\System32\DRIVERS\ini910u.sys (disabled)
IntelIde: \SystemRoot\System32\DRIVERS\intelide.sys (disabled)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
mraid35x: \SystemRoot\System32\DRIVERS\mraid35x.sys (disabled)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Intel NCS NetService: C:\Program Files\Intel\NCS\Sync\NetSvc.exe (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI WDM Device Driver: System32\DRIVERS\omci.sys (system)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Creative OS Services Driver: System32\DRIVERS\ctoss2k.sys (manual start)
Creative SB Live! Series (WDM): system32\drivers\P16X.sys (manual start)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
perc2: \SystemRoot\System32\DRIVERS\perc2.sys (disabled)
perc2hib: \SystemRoot\System32\DRIVERS\perc2hib.sys (disabled)
PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: system32\DRIVERS\PxHelp20.sys (system)
ql1080: \SystemRoot\System32\DRIVERS\ql1080.sys (disabled)
Ql10wnt: \SystemRoot\System32\DRIVERS\ql10wnt.sys (disabled)
ql12160: \SystemRoot\System32\DRIVERS\ql12160.sys (disabled)
ql1240: \SystemRoot\System32\DRIVERS\ql1240.sys (disabled)
ql1280: \SystemRoot\System32\DRIVERS\ql1280.sys (disabled)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SASDIFSV: \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (system)
SASENUM: \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS (manual start)
SASKUTIL: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (system)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: \SystemRoot\System32\DRIVERS\sisagp.sys (disabled)
smwdm: system32\drivers\smwdm.sys (manual start)
Sparrow: \SystemRoot\System32\DRIVERS\sparrow.sys (disabled)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{261FF5D6-55B3-4D28-8348-7DBC93E219F0} (manual start)
symc810: \SystemRoot\System32\DRIVERS\symc810.sys (disabled)
symc8xx: \SystemRoot\System32\DRIVERS\symc8xx.sys (disabled)
sym_hi: \SystemRoot\System32\DRIVERS\sym_hi.sys (disabled)
sym_u3: \SystemRoot\System32\DRIVERS\sym_u3.sys (disabled)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
TosIde: \SystemRoot\System32\DRIVERS\toside.sys (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: \SystemRoot\System32\DRIVERS\ultra.sys (disabled)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: \SystemRoot\System32\DRIVERS\viaagp.sys (disabled)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
VNC Server: "C:\Program Files\TightVNC\WinVNC.exe" -service (manual start)
WMDM PMSP Service: C:\WINDOWS\System32\MsPMSPSv.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (autostart)
WpdUsb: System32\Drivers\wpdusb.sys (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (system)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
adamczykon
2007-11-18, 17:49
Sorry about making this 3 posts, I didn't realize how big it would be. Anyway, here's the third and final portion:
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*No values found*
--------------------------------------------------
End of report, 38,817 bytes
Report generated in 0.531 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Hi :)
So IE is still not working? When did this begin?
Have you tired re-installing your printer?
adamczykon
2007-11-19, 05:17
IE stopped working after my first Hijack This log post. Whether I click on the shortcut for IE,,use the out of the Start Menu>Programs>IE option, or click on a shortcut of a web page I use often, I get the same response: IE starts and then immediately closes in less than 1 second.
When I try to reinstall a printer driver I get an error that says "Operation could not be completed. The print spooler service is not running"
When I checked Services (Under Administrative Tools in Control Panel) and tried to start the Print Spooler service, I get this error: "Could not start the Print Spooler service on local computer. Error 1068: The dependency service or group failed to start".
BTW: Some additional issues I've noted and assumed were associated with this problem include no active programs being displayed on my taskbar even though they are definitely open (for example, I've currently got this web page open as well as my Control panel, but there's no control panel or web page showing on my taskbar). I have to Alt+Tab or minimize one to switch between active programs because I can't switch between them using the taskbar.
I really do not want to have to wipe and reload so I'm hoping you can help me fix this problem.
OK another scan...
Please run a GMER Rootkit scan:
Download GMER's application from here:
http://www.gmer.net/gmer.zip
Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning ! Please, do not select the "Show all" checkbox during the scan.
adamczykon
2007-11-19, 23:02
Here's the GMER log:
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-11-19 16:01:59
Windows 5.1.2600 Service Pack 2
---- Devices - GMER 1.0.13 ----
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F79B7404] avg7rsw.sys
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE A7DB7C8A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE A7DB47C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ A7DB060A
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE A7DB0AED
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION A7DBB958
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION A7DBE821
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA A7DC738A
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA A7DC6D49
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS A7DC0BBE
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION A7DC1331
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION A7DCF4F4
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL A7DB7B37
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL A7DB3948
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL A7DBD46B
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN A7DCE79D
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL A7DCDC4A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP A7DB42FD
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP A7DCE1DB
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible A7DC91F9
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F79B7404] avg7rsw.sys
---- Registry - GMER 1.0.13 ----
Reg \Registry\USER\S-1-5-21-2558107475-2740083912-10409753-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3385B8B6-8D7F-BF80-03FD-C1913C7D4040}@iaaeofnojddomkonkm 0x69 0x61 0x63 0x70 ...
Reg \Registry\USER\S-1-5-21-2558107475-2740083912-10409753-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3385B8B6-8D7F-BF80-03FD-C1913C7D4040}@hageidngaflkmngi 0x6B 0x61 0x6A 0x6F ...
---- EOF - GMER 1.0.13 ----
Ok some research..
Download an unzip Registry Search (http://www.xs4all.nl/~fstaal01/regsearch-us.html) by Bobbi Flekman
Unzip it to your desktop.
Doubleclick the file regsearch.exe
Type the following to the first white box:
Print Spooler
Hit the OK button and the scan begins.
Wait for a textfile to open and paste the contents to here :bigthumb:
adamczykon
2007-11-22, 05:24
Here's the Text file for the RegSearch utility:
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0
; Results at 2007-11-21 22:17:53 for strings:
; 'print spooler'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPOOLER\0000]
"DeviceDesc"="Print Spooler"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"DisplayName"="Print Spooler"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPOOLER\0000]
"DeviceDesc"="Print Spooler"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Spooler]
"DisplayName"="Print Spooler"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SPOOLER\0000]
"DeviceDesc"="Print Spooler"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Spooler]
"DisplayName"="Print Spooler"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPOOLER\0000]
"DeviceDesc"="Print Spooler"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"
; End Of The Log...
Hi :)
Okay...You're logged in with an administrator account?
You could try this:
1. Uninstall your current printer
2. Restart the pc and check that is the print spooler running - if it is not, try to start it
Let me know :bigthumb:
adamczykon
2007-11-26, 05:57
Hi :)
Okay...You're logged in with an administrator account?
You could try this:
1. Uninstall your current printer
2. Restart the pc and check that is the print spooler running - if it is not, try to start it
Let me know :bigthumb:
1. There is no printer to uninstall. The printer that was installed is no longer installed. I had only one login account on my computer (account name: Steve). After noticing the virus (or whatever it is), I rebooted to find a new account called Admin. I deleted that one, but had to activate the Windows default Administrator account to do so. Now I have twp accounts: Administrator and Steve, both of which have full administrative rights.
2. Restarted the pc and the print spooler is not running. Tried to start it and get the following error: "Could not start the Print Spooler service on Local Computer. Error: 1068. The dependency service or group failed to start.". Note that I am able to start and stop other services without any problems.
Are you making any headway on the core virus/trojan that seems to have my computer messed up? I'm not sure if it's gone or dormant or what but I've not had any more pop-up ads or other invasive problems (though the task bar still does not show active applications that I have open). None of the anti-virus tools I've used have been able to find a virus or malware either.
Hello :)
You still have this HP Web Jetadmin software running. It could be related to the problem too. Would be worth a try to uninstall it and see. (There are other with this Error: 1068in Google but haven't yet found any solution to it)
Also I can't see any signs of an infection....
Do you mean task bar ar the task manager?
adamczykon
2007-11-28, 05:40
Tonight, I booted up my computer, logged into this forum and checked for a response to my last post. I read your post and I uninstalled HP JetAdmin. I then tried to start the Print Spooler service with no luck (same error as before).
Regarding the task bar, I am referring to the blue bar at the bottom of the Windows XP screen that contains your system tray as well as your START button. Normally, when you have open applications, they appear in the task bar. However, none of my open programs show up in the task bar. I have to CTRL+Tab in order to switch between open applications.
Also, whenever I click on Internet Explorer, I still get the quick flash of the IE browser window as IE opens and then immediately closes. As such, I still am unable to use IE.
I think I will try to repair my XP installation using the XP repair function packaged with XP's installation disk and see if that resolves the Print Spooler and task bar issues.
I'm glad that you cannot see any infections but these remaining issues are annoying. Should I post another HJT Log?
Thanks for all the assistance so far. I really appreciate the expertise.
Hello :)
OK let's try this fix for the taskbar. Please download and run this script -> xp_taskbar_desktop_fixall (http://www.kellys-korner-xp.com/regs_edits/xp_taskbar_desktop_fixall.vbs)Allow to run it if promted.
Restart the pc and see if the taskbar works now.
Then the printer issue. Please create a new user account with admin rights. Log in and see if the printer spooler is running on this account. If not I'd like to see another log...
Make a new folder in the C:\drive called silentrunners
Download 'silent runners" from here: (direct download)
http://www.silentrunners.org/Silent%20Runners.vbs
Save it to your silentrunners folder.
Click start> run> type cmd and hit enter
Type the following exactly and hit enter after each line.
cd c:\silentrunners and hit enter
"silent runners.vbs" -all and hit enter
Wait until it pops up saying its completed, then post the resulting logfile here
It will be very large. You may need several posts to include everything
adamczykon
2007-12-01, 03:26
So...I tried to run the Silent Runner script using your instructions and all that happens after I type:
"silent runners.vbs" -all
is that I immediately get returned to my command prompt:
C:\Documents and Settings\Steve>cd c:\silentrunners
C:\silentrunners>"Silent Runners.vbs" -all
C:\silentrunners>
Also, when I create another user account, that account does not have access to the taskbar (taskbar does not display at all) so I cannot select Start>Control Panel to get to printers or Services.
The XP_Taskbar_Desktop_Fixall.vbs did not appear to have any effect and I still do not see any active application icons in my taskbar.
Am I doing something wrong with the VB scripts? How can I tell if they even run?
Hi :)
Do you have the Silent Runners.vbs file in the folder C:\silentrunners ?
What happens if you doubleclick on the file Silent Runners.vbs?
adamczykon
2007-12-06, 01:00
Hi :)
Do you have the Silent Runners.vbs file in the folder C:\silentrunners ?
What happens if you doubleclick on the file Silent Runners.vbs?
Yes, I have "Silent Runners.vbs" (spelled exactly as I have it inside the quotes) in the folder "C:\silentrunners" (spelled exactly as I have it inside the quotes).
If I double click on the file Silent Runners.vbs, nothing at all appears to happen. The cursor briefly (e.g. less than 1 second) changes to an hour glass, then back to its normal pointer.
Ok we'll use another tool then...
Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply
adamczykon
2007-12-07, 05:25
Here is part 1 of 3 of the Main.txt log:
Deckard's System Scanner v20071014.68
Run by Steve on 2007-12-06 22:16:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Unable to create WMI object; The operation completed successfully.
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Steve.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:PM, on 2007-12-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\ASAP\ASAPSvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Steve\Desktop\dss.exe
C:\DOCUME~1\Steve\Desktop\Steve.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ASAP Browser Helper Object - {9A2A2BF3-A049-407A-B548-4668E673DCF7} - C:\Program Files\ASAP\ASAPBHO.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [ASAPSvc.exe] "C:\Program Files\ASAP\ASAPSvc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [ASAPSvc.exe] "C:\Program Files\ASAP\ASAPSvc.exe" (User '?')
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://config.skillcheck.com/onlinetesting/icaclients/win32/8.1.00/onlinetesting.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152571135828
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe (file missing)
--
End of file - 7351 bytes
-- HijackThis Fixed Entries (C:\DOCUME~1\Steve\Desktop\backups\) ---------------
backup-20071116-192022-129 O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
2 AsfAlrt - c:\windows\system32\drivers\asfalrt.sys <Not Verified; Intel Corporation; Intel Alert on LAN® 2>
1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
3 catchme - c:\docume~1\steve\locals~1\temp\catchme.sys (file missing)
4 cbidf - c:\windows\system32\drivers\cbidf2k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
4 dac2w2k - c:\windows\system32\drivers\dac2w2k.sys <Not Verified; Mylex Corporation; Mylex Disk Array Controller Driver>
3 dot4 (MS IEEE-1284.4 Driver) - c:\windows\system32\drivers\dot4.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
3 Dot4Print (Print Class Driver for IEEE-1284.4) - c:\windows\system32\drivers\dot4prt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
3 dot4usb (Dot4USB Filter Dot4USB Filter) - c:\windows\system32\drivers\dot4usb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
3 E1000 (Intel(R) PRO/1000 Network Connection Driver) - c:\windows\system32\drivers\e1000325.sys <Not Verified; Intel Corporation; Intel(R) PRO/1000 Adapter>
3 EL90XBC (3Com EtherLink XL 90XB/C Adapter Driver) - system32\drivers\el90xbc5.sys (file missing)
3 i81x - c:\windows\system32\drivers\i81xnt5.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
3 iAimFP0 - c:\windows\system32\drivers\wadv01nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
3 iAimFP1 - c:\windows\system32\drivers\wadv02nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
3 iAimFP2 - c:\windows\system32\drivers\wadv05nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
3 iAimFP3 - c:\windows\system32\drivers\wsiintxx.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
3 iAimFP4 - c:\windows\system32\drivers\wvchntxx.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
3 iAimTV0 - c:\windows\system32\drivers\watv01nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
3 iAimTV1 - c:\windows\system32\drivers\watv02nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
3 iAimTV2 - system32\drivers\watv03nt.sys (file missing)
3 iAimTV3 - c:\windows\system32\drivers\watv04nt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
3 iAimTV4 - c:\windows\system32\drivers\wch7xxnt.sys <Not Verified; Intel(R) Corporation; Intel(R) Graphics Accelerator Drivers for Windows NT(R)>
1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>
3 WpdUsb - c:\windows\system32\drivers\wpdusb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
adamczykon
2007-12-07, 05:26
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
2 aawservice (Ad-Aware 2007 Service) - c:\program files\lavasoft\ad-aware 2007\aawservice.exe
2 ASFAgent (ASF Agent) - c:\program files\intel\asf agent\asfagent.exe <Not Verified; Intel Corporation; Intel® PRO Alerting Suite ASF 1.0 and ASF 2.0 Compatible>
2 Iap - c:\program files\dell\openmanage\client\iap.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>
3 winvnc (VNC Server) - c:\program files\tightvnc\winvnc.exe (file missing)
-- Device Manager: Disabled ----------------------------------------------------
Unable to create WMI object.
-- Files created between 2007-11-06 and 2007-12-06 -----------------------------
2007-12-06 22:11:31 0 d-------- C:\WINDOWS\LastGood
2007-12-06 16:18:13 10752 -----n--- C:\WINDOWS\system32\smtpapi.dll <Not Verified; Microsoft Corporation; Internet Information Services>
2007-12-06 16:18:13 9728 -----n--- C:\WINDOWS\system32\rwnh.dll <Not Verified; Microsoft Corporation; Internet Information Services>
2007-12-06 14:30:06 351232 --a------ C:\WINDOWS\system32\winhttp.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-06 14:30:06 18944 --a------ C:\WINDOWS\system32\qmgrprxy.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-06 11:31:55 0 d-------- C:\Program Files\Lavasoft
2007-12-06 11:31:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-05 20:19:40 382464 --a------ C:\WINDOWS\system32\qmgr.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:08:19 45568 --a------ C:\WINDOWS\system32\safrslv.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:08:18 29696 --a------ C:\WINDOWS\system32\safrdm.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:08:18 43520 --a------ C:\WINDOWS\system32\safrcdlg.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:08:18 43520 --a------ C:\WINDOWS\system32\racpldlg.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:08:17 32768 --a------ C:\WINDOWS\system32\mnmsrvc.exe <Not Verified; Microsoft Corporation; Windows® NetMeeting®>
2007-12-05 19:08:17 32768 --a------ C:\WINDOWS\system32\isrdbg32.dll <Not Verified; Intel Corporation; ISRDBG32.DLL>
2007-12-05 19:08:16 48128 --a------ C:\WINDOWS\system32\inetres.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:08:15 65536 --a------ C:\WINDOWS\system32\icwphbk.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:08:15 73728 --a------ C:\WINDOWS\system32\icwdial.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:08:14 81920 --a------ C:\WINDOWS\system32\isign32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:08:14 274432 --a------ C:\WINDOWS\system32\inetcfg.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:08:02 239104 --a------ C:\WINDOWS\system32\srrstr.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:08:01 170496 --a------ C:\WINDOWS\system32\srsvc.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:08:01 67584 --a------ C:\WINDOWS\system32\srclient.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:08:01 73472 --a------ C:\WINDOWS\system32\drivers\sr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:08:00 28672 --a------ C:\WINDOWS\system32\nmmkcert.dll <Not Verified; Microsoft Corporation; Windows® NetMeeting®>
2007-12-05 19:08:00 69632 --a------ C:\WINDOWS\system32\msconf.dll <Not Verified; Microsoft Corporation; Windows® NetMeeting®>
2007-12-05 19:08:00 34560 --a------ C:\WINDOWS\system32\mnmdd.dll <Not Verified; Microsoft Corporation; Windows® NetMeeting®>
2007-12-05 19:08:00 81920 --a------ C:\WINDOWS\system32\ils.dll <Not Verified; Microsoft Corporation; Windows® NetMeeting®>
2007-12-05 19:07:56 105984 --a------ C:\WINDOWS\system32\msoert2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:07:56 252928 --a------ C:\WINDOWS\system32\msoeacct.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:07:56 678400 --a------ C:\WINDOWS\system32\inetcomm.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:07:55 190976 --a------ C:\WINDOWS\system32\schedsvc.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:07:55 12288 --a------ C:\WINDOWS\system32\mstinit.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:07:55 274944 --a------ C:\WINDOWS\system32\mstask.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:29 131584 --a------ C:\WINDOWS\system32\sndrec32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:29 345088 --a------ C:\WINDOWS\system32\hypertrm.dll <Not Verified; Hilgraeve, Inc.; Microsoft® Windows® Operating System>
2007-12-05 19:06:29 183808 --a------ C:\WINDOWS\system32\accwiz.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:28 11776 --a------ C:\WINDOWS\system32\xolehlp.dll <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2007-12-05 19:06:28 67072 --a------ C:\WINDOWS\system32\rdshost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:28 20480 --a------ C:\WINDOWS\system32\qprocess.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:28 90112 --a------ C:\WINDOWS\system32\mtxoci.dll <Not Verified; Microsoft Corporation; COM Services>
2007-12-05 19:06:28 161280 --a------ C:\WINDOWS\system32\msdtcuiu.dll <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2007-12-05 19:06:28 949248 --a------ C:\WINDOWS\system32\msdtctm.dll <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2007-12-05 19:06:28 21896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:28 12040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:27 58880 --a------ C:\WINDOWS\system32\msdtclog.dll <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2007-12-05 19:06:27 6144 --a------ C:\WINDOWS\system32\msdtc.exe <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2007-12-05 19:06:26 540160 --a------ C:\WINDOWS\system32\comuid.dll <Not Verified; Microsoft Corporation; COM Services>
2007-12-05 19:06:26 82432 --a------ C:\WINDOWS\system32\comrepl.dll <Not Verified; Microsoft Corporation; COM Services>
2007-12-05 19:06:26 62464 --a------ C:\WINDOWS\system32\colbact.dll <Not Verified; Microsoft Corporation; COM Services>
2007-12-05 19:06:26 110080 --a------ C:\WINDOWS\system32\clbcatex.dll <Not Verified; Microsoft Corporation; COM Services>
2007-12-05 19:06:26 85504 --a------ C:\WINDOWS\system32\catsrvps.dll <Not Verified; Microsoft Corporation; COM Services>
2007-12-05 19:06:26 229888 --a------ C:\WINDOWS\system32\catsrv.dll <Not Verified; Microsoft Corporation; COM Services>
2007-12-05 19:06:25 501248 --a------ C:\WINDOWS\system32\clbcatq.dll <Not Verified; Microsoft Corporation; COM Services>
2007-12-05 19:06:21 56320 --a------ C:\WINDOWS\system32\servdeps.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:21 17408 --a------ C:\WINDOWS\system32\mmfutil.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:21 185344 --a------ C:\WINDOWS\system32\cmprops.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:20 343040 --a------ C:\WINDOWS\system32\mspaint.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:20 123392 --a------ C:\WINDOWS\system32\mplay32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:20 102912 --a------ C:\WINDOWS\system32\clipbrd.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:19 6656 --a------ C:\WINDOWS\system32\wuauserv.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:19 93696 --a------ C:\WINDOWS\system32\tscfgwmi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:19 538624 --a------ C:\WINDOWS\system32\spider.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:19 139400 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:18 44544 --a------ C:\WINDOWS\system32\tscupgrd.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:18 295424 --a------ C:\WINDOWS\system32\termsrv.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:18 140800 --a------ C:\WINDOWS\system32\sessmgr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:18 60416 --a------ C:\WINDOWS\system32\remotepg.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:18 13824 --a------ C:\WINDOWS\system32\rdsaddin.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:18 87176 --a------ C:\WINDOWS\system32\rdpwsx.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:18 19968 --a------ C:\WINDOWS\system32\rdpsnd.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:18 62464 --a------ C:\WINDOWS\system32\rdpclip.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:18 147968 --a------ C:\WINDOWS\system32\rdchost.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:18 655360 --a------ C:\WINDOWS\system32\mstscax.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:18 407552 --a------ C:\WINDOWS\system32\mstsc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:18 11264 --a------ C:\WINDOWS\system32\icaapi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:18 38912 --a------ C:\WINDOWS\system32\cfgbkend.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:06:17 425472 --a------ C:\WINDOWS\system32\msdtcprx.dll <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2007-12-05 19:06:17 1251840 --a------ C:\WINDOWS\system32\comsvcs.dll <Not Verified; Microsoft Corporation; COM Services>
2007-12-05 19:06:17 628224 --a------ C:\WINDOWS\system32\catsrvut.dll <Not Verified; Microsoft Corporation; COM Services>
2007-12-05 19:06:12 58880 --a------ C:\WINDOWS\system32\licwmi.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:05:04 6400 --a------ C:\WINDOWS\system32\drivers\splitter.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:05:01 52864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 19:04:31 57472 --a------ C:\WINDOWS\system32\drivers\redbook.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 18:58:11 40840 --a------ C:\WINDOWS\system32\drivers\termdd.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 18:58:09 196864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 18:56:10 24661 --a------ C:\WINDOWS\system32\spxcoins.dll <Not Verified; Perle Systems Ltd.; Specialix Multi-port Serial Device Class CoInstaller>
2007-12-05 18:56:10 13312 --a------ C:\WINDOWS\system32\irclass.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 18:56:10 11264 --a------ C:\WINDOWS\system32\drivers\irenum.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 18:56:09 74752 --a------ C:\WINDOWS\system32\storprop.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-05 13:46:17 0 d-------- C:\WINDOWS\java
2007-11-30 19:48:36 0 d-------- C:\silentrunners
2007-11-30 19:43:38 0 d-------- C:\Documents and Settings\Steven\Application Data\Real
2007-11-30 19:41:52 0 d--h----- C:\Documents and Settings\Steven\Templates
2007-11-30 19:41:52 0 dr------- C:\Documents and Settings\Steven\Start Menu
2007-11-30 19:41:52 0 dr-h----- C:\Documents and Settings\Steven\SendTo
2007-11-30 19:41:52 0 dr-h----- C:\Documents and Settings\Steven\Recent
2007-11-30 19:41:52 0 d--h----- C:\Documents and Settings\Steven\PrintHood
2007-11-30 19:41:52 0 d--h----- C:\Documents and Settings\Steven\NetHood
2007-11-30 19:41:52 0 dr------- C:\Documents and Settings\Steven\My Documents
2007-11-30 19:41:52 0 d--h----- C:\Documents and Settings\Steven\Local Settings
2007-11-30 19:41:52 0 dr------- C:\Documents and Settings\Steven\Favorites
2007-11-30 19:41:52 0 d-------- C:\Documents and Settings\Steven\Desktop
2007-11-30 19:41:52 0 d--hs---- C:\Documents and Settings\Steven\Cookies
2007-11-30 19:41:52 0 dr-h----- C:\Documents and Settings\Steven\Application Data
2007-11-30 19:41:52 0 d-------- C:\Documents and Settings\Steven\Application Data\Sun
2007-11-30 19:41:52 0 d---s---- C:\Documents and Settings\Steven\Application Data\Microsoft
2007-11-30 19:41:52 0 d-------- C:\Documents and Settings\Steven\Application Data\Identities
2007-11-30 19:41:51 786432 --ah----- C:\Documents and Settings\Steven\NTUSER.DAT
2007-11-16 19:35:23 0 d-------- C:\Documents and Settings\Steve\DoctorWeb
2007-11-11 13:49:59 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-11 13:49:10 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-11 13:49:10 0 d-------- C:\Documents and Settings\Steve\Application Data\SUPERAntiSpyware.com
2007-11-09 20:58:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-09 20:58:35 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-09 19:22:33 0 d-------- C:\Documents and Settings\Steve\Application Data\Viewpoint
2007-11-09 05:26:01 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2007-11-09 05:25:31 0 dr------- C:\Documents and Settings\LocalService\Favorites
adamczykon
2007-12-07, 05:27
-- Find3M Report ---------------------------------------------------------------
2007-12-06 16:15:20 0 d-------- C:\Program Files\Movie Maker
2007-12-06 16:15:07 0 d-------- C:\Program Files\Windows NT
2007-12-06 16:12:21 250032 -rahs---- C:\ntldr
2007-12-06 11:31:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-05 19:30:20 0 d--h----- C:\Program Files\WindowsUpdate
2007-12-05 19:06:58 23348 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-11-16 23:33:43 0 d-------- C:\Program Files\microsoft frontpage
2007-11-10 21:16:27 0 d-------- C:\Program Files\Common Files
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01:AM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00:AM]
"WinVNC"="C:\Program Files\TightVNC\WinVNC.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-22 06:59:PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-03 12:00:PM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 02:43:PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-11 11:55:AM]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 04:00:AM]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21:PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASAPSvc.exe"="C:\Program Files\ASAP\ASAPSvc.exe" [2006-01-11 10:08:PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:56:AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 03:45:PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 07:05:PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 02:06:PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 01:55:PM 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 01:41:PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup]
C:\WINDOWS\System32\catsrvut.dll 2004-08-04 12:56:AM 628224 C:\WINDOWS\SYSTEM32\catsrvut.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= ???
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a
-- End of Deckard's System Scanner: finished at 2007-12-06 22:17:08 ------------
adamczykon
2007-12-07, 05:28
Here's the Extra.txt log:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Unable to create WMI object.
Architecture: X86; Language: English
Percentage of Memory in Use: 25%
Physical Memory (total/avail): 1278.98 MiB / 957.53 MiB
Pagefile Memory (total/avail): 3054 MiB / 2901.04 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1949.58 MiB
C: is Fixed (NTFS) - 37.2 GiB total, 16.88 GiB free.
D: is CDROM (No Media)
-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.
Unable to create WMI object.
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Steve\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BIGGERDELL
ComSpec=C:\WINDOWS\system32\cmd.exe
DXSDK_DIR=C:\Program Files\Microsoft DirectX 9.0 SDK (October 2004)\
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Steve
LOGONSERVER=\\BIGGERDELL
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\ATI Technologies\ATI.ACE
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Steve\LOCALS~1\Temp
TMP=C:\DOCUME~1\Steve\LOCALS~1\Temp
USERDOMAIN=BIGGERDELL
USERNAME=Steve
USERPROFILE=C:\Documents and Settings\Steve
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
Steve (admin)
Steven (new local)
Administrator (admin)
-- Add/Remove Programs ---------------------------------------------------------
--> "C:\Program Files\Creative\SBLive\Program\Ctzapxx.EXE" /X /U /S /R
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48E3A9E6-FA13-11D5-8CC9-00A0C98192B6}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51F5239C-197B-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7337A45-3FE5-4392-ABBB-26B794D060C9}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
ASAP --> MsiExec.exe /I{0BC218E9-BEDD-4AC7-9610-6189AEB88140}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{6877BB34-2631-46DA-AD62-3DE601E8D7BE}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HydraVision --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
Belarc Advisor 6.1 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
Canasis Games (Aug 27 2006) --> "C:\Program Files\Canasis\unins000.exe"
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
eFax Messenger 4.3 --> C:\Program Files\eFax Messenger 4.3\Uninstall.exe
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EVE-ONLINE (remove only) --> C:\Program Files\CCP\EVE\Uninstall.exe
getPlus(R)_ocx --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Documents and Settings\Steve\Desktop\HijackThis.exe" /uninstall
HP Download Manager --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\Uninstrq.isu
HP LaserJet 2200 Uninstaller --> C:\Program Files\Hewlett-Packard\LaserJet All-in-one\Uninstall\2200\setup.exe uninst22.ini
Intel (R) Pro Alerting Agent --> MsiExec.exe /I{3C50A915-DD33-4802-B83B-9EA997D3337B}
Intel(R) PRO Network Connections Drivers --> Prounstl.exe
Intel(R) PROSet --> MsiExec.exe /I{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Journal Macro 1.77 --> C:\Program Files\Journal Macro\Uninstall.exe
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft DirectX 9.0 SDK Update (October 2004) --> MsiExec.exe /I{EE03B0F1-7579-4CDD-BA63-BA37A8B9E2DB}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Outlook Web Access S/MIME --> MsiExec.exe /X{6CF08AD2-00C5-4A63-B74B-2EFFFAFEBE1A}
Microsoft Producer for Microsoft Office PowerPoint 2003 --> MsiExec.exe /I{155FBB0D-0EE9-42D1-9E41-15E08F691033}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
NVIDIA Display Driver --> C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
OMCI --> MsiExec.exe /X{73F1BDB7-11E1-11D5-9DC6-00C04F2FC33B}
Online Testing Web Client --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sound Blaster Live! --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}\setup.exe" -l0x9
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symtrax Web 5250 v1.2.03 --> C:\PROGRA~1\Symtrax\SYMTRA~1\UNWISE.EXE C:\PROGRA~1\Symtrax\SYMTRA~1\Install.log
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Rights Management Client Backwards Compatibility SP2 --> MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2 --> MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
-- Application Event Log -------------------------------------------------------
Event Record #/Type86 / Error
Event Submitted/Written: 12/05/2007 08:46:51 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 21955421.
Event Record #/Type85 / Error
Event Submitted/Written: 12/05/2007 08:46:43 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2800.1106, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Event Record #/Type44 / Error
Event Submitted/Written: 12/05/2007 07:09:35 PM
Event ID/Source: 4101 / VSS
Event Description:
Volume Shadow Copy Service error: Cannot obtain the collection 'Applications' from the COM+ catalog [0x8004e00f].
Event Record #/Type43 / Error
Event Submitted/Written: 12/05/2007 07:09:35 PM
Event ID/Source: 4691 / COM+
Event Description:
The run-time environment was unable to initialize for transactions required to support transactional components. Make sure that MS-DTC is running. (DtcGetTransactionManagerEx(): hr = 0x8004d01b)
Event Record #/Type42 / Warning
Event Submitted/Written: 12/05/2007 07:09:30 PM
Event ID/Source: 4353 / EventSystem
Event Description:
The COM+ Event System attempted to fire the EventObjectChange::ChangedSubscription event but received a bad return code. HRESULT was 80040201.
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type26171 / Error
Event Submitted/Written: 12/06/2007 04:09:07 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {4991D34B-80A1-4291-83B6-3328366B9097} did not register with DCOM within the required timeout.
Event Record #/Type26170 / Error
Event Submitted/Written: 12/06/2007 04:08:37 PM
Event ID/Source: 7024 / Service Control Manager
Event Description:
The Background Intelligent Transfer Service service terminated with service-specific error 2147943764 (0x80070554).
Event Record #/Type26167 / Error
Event Submitted/Written: 12/06/2007 04:08:37 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {4991D34B-80A1-4291-83B6-3328366B9097} did not register with DCOM within the required timeout.
Event Record #/Type26166 / Error
Event Submitted/Written: 12/06/2007 04:08:07 PM
Event ID/Source: 7024 / Service Control Manager
Event Description:
The Background Intelligent Transfer Service service terminated with service-specific error 2147943764 (0x80070554).
Event Record #/Type26163 / Error
Event Submitted/Written: 12/06/2007 04:08:07 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {4991D34B-80A1-4291-83B6-3328366B9097} did not register with DCOM within the required timeout.
-- End of Deckard's System Scanner: finished at 2007-12-06 22:17:08 ------------
adamczykon
2007-12-07, 05:35
Ok.. I just posted the Main.txt (had to break it into 3 parts to adhere to the 20,000 character posting limit) and the extra.txt which I thought would take 2 posts but only took one.
One thing to note: I got impatient (my computer has been sick for 3 weeks now) and used the repair function that came with my XP install disk. After I did that I noticed that everything "seemed" to be working correctly, even my task bar and print spooler were working fine. I then installed XP service pack 2. Now I seem to have all the same problems I had before (cannot start services again, task bar doesn't show open applications and dialog boxes, cryptographic service is stopped and I cannot start it, etc.).
I wonder if that info helps you narrow down what the problem might be. I know it's not XP's SP2 so the infection is having an adverse effect on the system when I install SP2.
This is really frustrating so I am hoping that you can work some magic and help me fix this mess without losing everything I have on my computer.
Thanks,
Steve
Hello :)
I wonder if that info helps you narrow down what the problem might be. I know it's not XP's SP2 so the infection is having an adverse effect on the system when I install SP2.If you google, you're not the only one having these similar problems after SP2 install. There are no signs of any infections on your pc. It is possible that something went wrong with the SP2 installation...
Let's see if the logs say anything.
Go to C:\Windows and look for the following files:
Setupapi.log
Svcpack.log
Spuninst.log
Then add those to your post here as an attachment. Or alternatively you could upload the files to eg Rapidshare (http://rapidshare.com/) and then post a link to your log to me :bigthumb:
adamczykon
2007-12-15, 20:23
Here are the links to my SP2 install logs per your request, using RapidShare.
Setupapi.log:
http://rapidshare.com/files/76794592/setupapi.log.html
Svcpack.log:
http://rapidshare.com/files/76794593/svcpack.log.html
I am unable to use the search feature of XP and do not see the Spuninst.log file anywhere in my C:\Windows directory.
Good luck!
Steve
Hi again :)
Ok I've now checked the logs, your SP2 didn't install properly. This doesn't seem to be malware related (as you pc seems to be clean) and I'm sorry but these kind of issues really aren't my cup of tea.
So I think that it is best that I'll recommend the CastleCops (www.castlecops.com) forums for you. They have eg this Windows NT/2000/2003/XP (http://www.castlecops.com/f134-Windows_NT_2000_2003_XP.html) section. I think you'd get more experienced help to the issue there...
Also here is a what-to-do-before-SP2 (http://www3.telus.net/dandemar/spackins.htm) list, it is worth checking too.
:bigthumb: