Can't get rid of PWS.LDPinchIE
Hello,
I have a WinXP SP3 machine with a virus I can't get rid of. MS Automatic Updates are enabled, and I am using Firefox's most current version. I believe it started from a hijacked web site. There were initially several infections. I used AVG, Spybot, RootAlyzer and unhookexec.inf in trying to clean this up, running most in Safe Mode and Standard mode. I believe all is cleaned up with the exception of PWS.LDPinchIE. At least that is all I can see traces of. The machine is now off the net, so it is not getting reinfected.
Cleaned down to the following things constantly recurring on reboot:
- reported by Spybot:
Hidden registry key PWS.LDPinchIE
- reported by rootalyzer:
(4) Hidden Files with cryptic names in c:\windows\system32
(three of them cannot be deleted)
(1) Hidden file with a cryptic name in c:\windows\system32\drivers
No matter what I try, these files come back after reboot. Here is my HijackThis after a fresh reboot. Please help.
Thanks,
Steve
===============
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:58 AM, on 5/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Executor\executor.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
G:\AWC (Auto Wallpaper Changer)\AWC.exe
C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: C:\WINDOWS\system32\afnoinkdsfe.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
O4 - Startup: Sins of a Solar Empire Launcher.lnk = D:\Games\Sins of a Solar Empire\Stardock Games\Sins of a Solar Empire\SINS_Launcher.exe
O4 - Startup: Ventrilo Server.lnk = C:\Program Files\Ventrilo\Ventrilo Server\ventrilo_srv.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tuvuuss - tuvuuss.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
--
End of file - 5908 bytes
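Before the helper's reply, a quick way to pull the structural red flags out of a HijackThis log like the one above: entries whose file is already gone, a BHO that registered no display name (HijackThis then shows the DLL path as the name), and one CLSID hooked into more than one autostart location. This is an added example, not the forum's or Trend Micro's code; the sample lines are constructed in the shape of the log posted above.

```python
"""Triage structural red flags in HijackThis 'O' entries.

Added example, not the forum's or Trend Micro's own code. It reads lines in
the shape of the log above and flags entries that (a) point at a file that no
longer exists, (b) are BHOs whose display name is just the DLL path, or
(c) reuse one CLSID across several autostart locations.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: C:\WINDOWS\system32\afnoinkdsfe.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tuvuuss - tuvuuss.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_entry(line):
    """Split one 'Onn - Kind: a - b - c' line into its parts, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    otype, rest = m.groups()
    kind, sep, body = rest.partition(": ")
    if not sep:
        kind, body = "", rest
    # HijackThis separates fields with ' - '; a path that itself contains
    # ' - ' would be split too, so only the last field is treated as location.
    fields = [f.strip() for f in body.split(" - ")]
    return {"type": otype, "kind": kind, "fields": fields, "raw": line.strip()}


def triage(log_text):
    """Return a list of (entry_type, flag, detail) tuples for review."""
    findings = []
    clsid_sites = defaultdict(set)  # CLSID -> entry types that register it
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        raw, loc = e["raw"], e["fields"][-1]
        # (a) Registry still points at a file that is gone: either a
        # leftover from an uninstall or residue of something already removed.
        if "(file missing)" in raw or "(no file)" in raw:
            findings.append((e["type"], "dangling", raw))
        # (b) A BHO normally has a friendly name; showing the DLL path as the
        # name means the object registered no description at all.
        if e["type"] == "O2" and len(e["fields"]) == 3 and e["fields"][0].lower() == loc.lower():
            findings.append((e["type"], "bho-no-display-name", loc))
        for clsid in CLSID_RE.findall(raw):
            clsid_sites[clsid.upper()].add(e["type"])
    # (c) One COM class hooked into several autostart locations is a
    # persistence pattern worth a look regardless of the file name.
    for clsid, sites in sorted(clsid_sites.items()):
        if len(sites) > 1:
            findings.append(("*", "clsid-shared", f"{clsid} in {','.join(sorted(sites))}"))
    return findings


if __name__ == "__main__":
    for otype, flag, detail in triage(SAMPLE_LOG):
        print(f"{otype:<4} {flag:<20} {detail}")
```

A "dangling" hit is not proof of infection on its own (the ATI entry is a driver leftover); the interesting signal here is the same CLSID appearing as both a BHO and a SharedTaskScheduler component.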
Hi and welcome to the Forums :)
You're infected.
Disable Spybot S&D Teatimer.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer
We will begin with ComboFix.
Please download ComboFix from one of these locations:
Link 1 (http://subs.geekstogo.com/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Hi Mr_JAk3
Thanks for helping with this problem. I have not used ComboFix before so I don't know if this is normal or not, but near the end, it blue-screened to a physical memory dump that took about 20 minutes to complete. I left it alone and it rebooted on its own.
Here are the logs. Did ComboFix clean it up, or is there more?
Steve
------------------------
ComboFix 09-05-21.01 - Steve 05/21/2009 19:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1589 [GMT -5:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Common Files\fnts~1
c:\program files\Common Files\ystem3~1
c:\program files\INSTALL.LOG
c:\windows\system32\afnoinkdsfe.dll
c:\windows\system32\b3
c:\windows\system32\bkmoopob.exe
c:\windows\system32\CID
c:\windows\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys
c:\windows\system32\e9
c:\windows\system32\Ijl11.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\olizezim.ini
c:\windows\system32\ovfstheuposgxodxgbmcnmkjawoinysysxtrpg.dat
c:\windows\system32\ovfsthoexqsdnrniyyxyfkkjygtwtjlfjkdsxc.dll
c:\windows\system32\ovfsthokvbxvihlxhdejojsrmrqwyvkxxljxwb.dat
c:\windows\system32\ovfsthqbtipejuamkumlrsdnvkffqtmddqhudu.dll
c:\windows\system32\ovfsthvhptehqbgkpdtfpphqkwyrvrdrccrukd.dll
c:\windows\system32\p2
c:\windows\system32\p2hhr.bat
c:\windows\system32\pac.txt
c:\windows\system32\qpqss.ini
c:\windows\system32\qpqss.ini2
c:\windows\system32\SvcNm
c:\windows\system32\t8
c:\windows\system32\url1
c:\windows\system32\url2
c:\windows\system32\url3
c:\windows\system32\win32hlp.cnf
c:\windows\system32\winsrc.dll.tmp
c:\windows\system32\wscmp.dll.tmp
c:\windows\system32\z0
c:\windows\system32\z0\vetzcomz22.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_NTLOAD
-------\Legacy_OULTRAF
-------\Service_oUltraf
((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.
2009-05-20 05:32 . 2009-05-20 05:32 -------- d-----w c:\program files\Trend Micro
2009-05-20 04:30 . 2009-05-20 04:31 -------- d-----w c:\program files\RegBackup ERUNT
2009-05-20 04:25 . 2009-05-20 05:34 -------- d-----w c:\program files\Hijack this
2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w c:\documents and settings\Steve\Application Data\Malwarebytes
2009-05-19 02:47 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-19 02:47 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-19 02:46 . 2009-05-19 02:46 -------- d-----w c:\documents and settings\Steve\Application Data\Safer Networking
2009-05-19 02:24 . 2009-05-19 02:45 -------- d-----w c:\program files\Safer Networking
2009-05-19 00:42 . 2009-05-19 00:42 -------- d-----w c:\program files\ProcessExplorer
2009-05-17 21:35 . 2009-05-17 21:35 -------- d--h--w c:\windows\system32\GroupPolicy
2009-05-17 21:35 . 2009-05-17 21:35 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-16 21:48 . 2009-05-16 21:57 -------- d-----w c:\windows\SxsCaPendDel
2009-05-15 22:01 . 2008-04-14 05:42 26112 ----a-w c:\windows\system32\USERINIT.EXE
2009-05-13 22:17 . 2009-05-13 22:17 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
2009-05-13 21:53 . 2009-05-14 00:55 -------- d-----w c:\documents and settings\Steve\Application Data\ptidle
2009-05-13 20:41 . 2009-05-13 21:00 -------- d-----w c:\documents and settings\All Users\Application Data\SimCity Societies
2009-05-13 11:42 . 2009-05-13 11:42 390664 ----a-w c:\documents and settings\Steve\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-12 02:57 . 2009-05-12 02:57 -------- d-----w c:\windows\system32\KB905474
2009-05-12 02:57 . 2009-03-11 03:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-05-12 02:57 . 2009-03-11 03:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-05-11 00:06 . 2009-05-11 00:28 98304 ----a-w c:\documents and settings\Steve\Application Data\Soldat\BattlEye\BEClient.dll
2009-05-11 00:06 . 2009-05-11 00:06 -------- d-----w c:\documents and settings\Steve\Application Data\Soldat
2009-05-11 00:06 . 2009-03-29 00:52 94208 ----a-w c:\documents and settings\Steve\Application Data\Soldat\BattlEye\BEServer.dll
2009-05-04 23:10 . 2009-05-04 23:10 -------- d-----w c:\documents and settings\All Users\Application Data\Ironclad Games
2009-04-30 21:25 . 2009-05-10 19:58 -------- d-----w c:\documents and settings\Steve\Application Data\Mumble
2009-04-22 05:20 . 2009-04-22 05:20 14311680 ----a-w c:\windows\system32\xlive.dll
2009-04-22 05:20 . 2009-04-22 05:20 13642496 ----a-w c:\windows\system32\xlivefnt.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-22 00:24 . 2009-03-29 22:46 -------- d-----w c:\program files\Mozilla Sunbird
2009-05-20 01:46 . 2009-03-08 22:28 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-17 15:23 . 2004-09-22 14:40 90328 ----a-w c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-13 13:31 . 2008-12-13 16:32 -------- d-----w c:\program files\Stardock Games
2009-05-05 20:23 . 2007-03-13 20:38 64 ----a-w c:\windows\popcinfot.dat
2009-05-03 18:08 . 2009-03-08 22:46 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-03 18:08 . 2009-03-08 22:46 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-03 18:08 . 2009-03-08 22:46 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-03 18:08 . 2009-03-08 22:46 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-27 03:19 . 2008-02-12 19:09 -------- d-----w c:\documents and settings\Steve\Application Data\WTablet
2009-04-25 20:20 . 2009-02-17 18:36 -------- d-----w c:\documents and settings\Steve\Application Data\Winamp
2009-04-23 01:30 . 2008-08-16 13:46 1 ----a-w c:\documents and settings\Steve\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-04-23 01:30 . 2008-08-07 00:46 -------- d-----w c:\documents and settings\Steve\Application Data\OpenOffice.org2
2009-04-19 16:07 . 2007-09-15 21:17 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-14 23:29 . 2009-04-14 23:29 3638 ----a-r c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\NewShortcut11_12BC79CA813840C5870CC7F821C0C143.exe
2009-04-14 23:29 . 2009-04-14 23:29 3638 ----a-r c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\NewShortcut1_12BC79CA813840C5870CC7F821C0C143.exe
2009-04-14 23:29 . 2009-04-14 23:29 10134 ----a-r c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\ARPPRODUCTICON.exe
2009-03-30 22:54 . 2009-03-17 22:30 43520 ----a-w c:\windows\system32\CmdLineExt03.dll
2009-03-25 23:10 . 2007-09-15 21:17 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-25 23:10 . 2007-09-15 21:17 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-03-21 21:31 . 2004-07-29 01:10 80058 ----a-w c:\windows\War3Unin.dat
2009-03-10 17:09 . 2004-07-26 22:15 1725 ----a-w c:\windows\eReg.dat
2009-03-06 14:22 . 2004-08-04 05:56 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 05:56 826368 ----a-w c:\windows\system32\wininet.dll
2008-03-23 19:04 . 2008-03-23 19:04 0 ----a-w c:\program files\temp01
2005-04-16 16:11 . 2005-04-16 16:11 0 ----a-w c:\program files\error.dat
2003-12-18 17:33 . 2004-11-01 00:44 20102 ----a-w c:\program files\Readme.txt
2003-09-03 13:46 . 2004-11-01 00:44 10960 ----a-w c:\program files\EULA.txt
2003-07-29 06:15 . 2009-02-06 03:54 307200 ----a-w c:\program files\internet explorer\plugins\djvu0407.dll
2003-07-29 06:15 . 2009-02-06 03:54 303104 ----a-w c:\program files\internet explorer\plugins\djvu0409.dll
2003-07-29 06:15 . 2009-02-06 03:54 311296 ----a-w c:\program files\internet explorer\plugins\djvu040c.dll
2003-07-29 06:15 . 2009-02-06 03:54 299008 ----a-w c:\program files\internet explorer\plugins\djvu0411.dll
2003-07-29 06:15 . 2009-02-06 03:54 299008 ----a-w c:\program files\internet explorer\plugins\djvu0412.dll
2003-07-29 06:15 . 2009-02-06 03:54 290816 ----a-w c:\program files\internet explorer\plugins\djvu0804.dll
2003-07-29 06:15 . 2009-02-06 03:54 122880 ----a-w c:\program files\internet explorer\plugins\DjVuCntl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="d:\games\steam\steam.exe" [2009-03-12 1410296]
"Executor"="c:\program files\Executor\executor.exe" [2008-05-19 1052672]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-04 185896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]
c:\documents and settings\Steve\Start Menu\Programs\Startup\
AWC.lnk - g:\awc (auto wallpaper changer)\AWC.exe [2009-4-1 1261568]
ImpulseNow.lnk - c:\program files\Stardock\Impulse\Now\ImpulseNow.exe [2009-5-4 356352]
Mozilla Sunbird.lnk - c:\program files\Mozilla Sunbird\sunbird.exe [2009-3-29 6354540]
Shortcut to Ut3 Map TO DOs.lnk - c:\documents and settings\Steve\Desktop\TO DO.txt [2008-8-13 5980]
Sins of a Solar Empire Launcher.lnk - d:\games\Sins of a Solar Empire\Stardock Games\Sins of a Solar Empire\SINS_Launcher.exe [2008-1-18 587992]
Ventrilo Server.lnk - c:\program files\Ventrilo\Ventrilo Server\ventrilo_srv.exe [2007-11-19 274432]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-12-14 528384]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 18:08 11952 ----a-w c:\windows\system32\avgrsstx.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= ctwdm32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPMe7f9c16d
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Diagnostic Manager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e4caf2f1
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DGPN"=2 (0x2)
"TabletServiceWacom"=2 (0x2)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Brother XP spl Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Games\\Steam\\SteamApps\\battlebotv82\\counter-strike source\\hl2.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo Server\\ventrilo_srv.exe"=
"d:\\Games\\WarHammer 40,000 Dawn of War\\Dark Crusade\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"d:\\Games\\Earth 2160\\Earth2160_NO_SSE.exe"=
"d:\\Games\\Earth 2160\\Earth2160_SSE.exe"=
"d:\\Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"d:\\Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Games\\World in Conflict\\wic.exe"=
"d:\\Games\\World in Conflict\\wic_online.exe"=
"d:\\Games\\World in Conflict\\wic_ds.exe"=
"d:\\Games\\Quake Wars - Enemy Territory\\etqwded.exe"=
"d:\\Games\\Quake Wars - Enemy Territory\\etqw.exe"=
"d:\\Games\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"d:\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"g:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
"g:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
"g:\\Games\\Universe At War Earth Assault\\UAWEA.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\brothers in arms earned in blood\\System\\EiB.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\prey\\prey.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\stalker shadow of chernobyl\\bin\\XR_3DA.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\prince of persia the warrior within\\PrinceOfPersia.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\roboblitz\\Binaries\\RoboLaunch.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\eets\\Eets.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\ghost recon advanced warfighter\\graw.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\ghost recon\\GhostRecon.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\empire total war demo\\Empire.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\ghost recon advanced warfighter 2\\graw2.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\multiwinia\\multiwinia.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\tom clancy's h.a.w.x - demo\\HAWX.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\wallace and gromit demo\\WallaceGromitDemo.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\osmos igf demo\\OsmosDemo.exe"=
"g:\\Games\\Spellforce 2 - Shadow Wars\\spellforce2.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\company of heroes\\RelicCOH.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\titan quest immortal throne\\Tqit.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\titan quest immortal throne\\help.htm"=
"d:\\Games\\Steam\\SteamApps\\common\\titan quest\\help.htm"=
"d:\\Games\\Sins of a Solar Empire\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\flock demo\\Flock.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/8/2009 5:46 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/8/2009 5:46 PM 108552]
R1 cdawdm;CDAWDM;c:\windows\system32\drivers\cdawdm.sys [11/22/2002 5:58 PM 48111]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/8/2009 5:45 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/8/2009 5:45 PM 298776]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [12/14/2006 4:50 PM 2368]
S0 oconlgyl;oconlgyl;c:\windows\system32\drivers\rjzeagsc.dat --> c:\windows\system32\drivers\rjzeagsc.dat [?]
S1 usbstorr;usbstorr;c:\windows\system32\drivers\usbstorr.sys --> c:\windows\system32\drivers\usbstorr.sys [?]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2/10/2008 1:49 PM 23040]
S3 Vsp;Vsp;\??\c:\windows\System32\drivers\Vsp.sys --> c:\windows\System32\drivers\Vsp.sys [?]
S4 DGPN;Security Service;c:\windows\system32\svcd\svchost.exe --> c:\windows\system32\svcd\svchost.exe [?]
S4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2/12/2008 2:08 PM 1373480]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
2005-08-07 c:\windows\Tasks\cleanup-test.job
- d:\data\cleanup.bat [2004-09-07 02:12]
2009-05-04 c:\windows\Tasks\cleanup.job
- d:\data\cleanup.bat [2004-09-07 02:12]
2009-05-12 c:\windows\Tasks\DataOnly.job
- c:\windows\system32\ntbackup.exe [2004-08-04 00:12]
2009-05-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]
.
- - - - ORPHANS REMOVED - - - -
BHO-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
SharedTaskScheduler-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - c:\windows\system32\afnoinkdsfe.dll
Notify-tuvuuss - tuvuuss.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wrinsiders.com/Teens/?RP=SignIn
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\
FF - prefs.js: browser.startup.homepage - file:///d:/Data/HomePage/index.html
FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
FF - plugin: g:\gametap\bin\Release\npgametaptool.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 19:24
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\oconlgyl]
"ImagePath"="system32\drivers\rjzeagsc.dat"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-725345543-764733703-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"????????????????????????"=hex:63,a2,df,ea,77,f0,95,25,eb,6c,dc,66,29,e5,12,1d,
2c,29,70,2c,5c,5c,25,f7,2c,2c,5c,d1,25,c3,2e,2e,00,00,00,00,00,00,00,00,00,\
"???n"=hex:67,c5,3f,af,2f,06,f4,bd,6a,bc,3c,06,c9,a8,f3,94,cf,fc,28,65,23,1f,
51,a4,66,c3,ff,fd,10,6b,09,b0,09,00,c0,46,db,0a,6f,85,96,63,1a,e5,64,d4,d7,\
"?????"=hex:9b,9d,a9,7e,82,9e,bf,2c,e9,55,17,f0,77,5c,30,60
"???n"=hex:ca,7f,b1,85,35,af,19,95,9b,a8,37,7a,99,ab,d7,56,38,b0,d3,96,72,26,
af,0f,16,9e,d6,36,d2,33,4f,56,ef,d6,90,a9,11,dc,dd,ab,e0,b9,e6,2f,ab,b3,26,\
"??"=hex:1b,ee,fb,ee,5e,a8,db,76,e9,8e,a8,56,0f,22,bd,59,a7,f5,31,8b,68,3d,0d,
66,8f,a9,af,3a,cd,97,dd,26,b6,8f,e0,00,53,f0,17,e0,33,21,7c,c4,ec,bb,45,d6,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
[HKEY_USERS\S-1-5-21-725345543-764733703-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:60,0d,47,33,43,d6,05,78,97,20,41,75,fe,20,a2,c4,e6,c4,14,cd,72,
bc,80,4a,7f,c2,b8,b7,b8,67,45,6b,87,24,7d,2b,e6,ac,26,26,0f,b6,9f,85,ba,26,\
"rkeysecu"=hex:65,d6,a2,52,b5,22,4b,f2,49,55,2b,25,75,bf,64,56
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(224)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\MSVCP71.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\UAService7.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2009-05-22 19:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-22 00:28
Pre-Run: 11,541,295,104 bytes free
Post-Run: 12,496,691,200 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
336 --- E O F --- 2009-05-16 21:42
-----------------------------------------------
-----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:36 PM, on 5/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Executor\executor.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
G:\AWC (Auto Wallpaper Changer)\AWC.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
O4 - Startup: Sins of a Solar Empire Launcher.lnk = D:\Games\Sins of a Solar Empire\Stardock Games\Sins of a Solar Empire\SINS_Launcher.exe
O4 - Startup: Ventrilo Server.lnk = C:\Program Files\Ventrilo\Ventrilo Server\ventrilo_srv.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
--
End of file - 5189 bytes
------------------------------------------------------------
Hello :)
Looks better but not clean yet.
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad and copy/paste the text in the quote box below into it:
DirLook::
c:\windows\system32\svcd
File::
c:\windows\system32\svcd\svchost.exe
c:\windows\system32\drivers\rjzeagsc.dat
c:\windows\system32\drivers\usbstorr.sys
Driver::
oconlgyl
usbstorr
DGPN
Save this as "CFScript.txt", with Type: All Files (*.*), in the same location as ComboFix.exe.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Ok, I ran what you said. Here are my logs from combofix and hijackthis. How's it look now?
Steve
=============================
ComboFix 09-05-22.05 - Steve 05/22/2009 18:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1508 [GMT -5:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
c:\windows\system32\drivers\rjzeagsc.dat
c:\windows\system32\drivers\usbstorr.sys
c:\windows\system32\svcd\svchost.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DGPN
-------\Legacy_OCONLGYL
-------\Legacy_USBSTORR
-------\Service_DGPN
-------\Service_oconlgyl
-------\Service_usbstorr
((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.
2009-05-22 17:47 . 2009-05-03 18:08 2051864 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-22 17:47 . 2009-05-03 18:08 3399960 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-05-22 17:47 . 2009-05-03 18:08 2302232 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-05-22 17:47 . 2009-05-03 18:08 3288344 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-22 17:47 . 2009-05-03 18:08 424472 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-22 17:47 . 2009-05-03 18:08 312088 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-22 17:47 . 2009-05-03 18:08 177432 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-22 17:47 . 2009-05-03 18:08 486168 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-22 17:45 . 2009-05-03 18:07 1437464 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-22 17:45 . 2009-05-03 18:07 755992 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-22 00:37 . 2009-05-22 00:37 -------- d-----w c:\program files\Hijack This
2009-05-20 05:32 . 2009-05-20 05:32 -------- d-----w c:\program files\Trend Micro
2009-05-20 04:30 . 2009-05-20 04:31 -------- d-----w c:\program files\RegBackup ERUNT
2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w c:\documents and settings\Steve\Application Data\Malwarebytes
2009-05-19 02:47 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-19 02:47 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-19 02:46 . 2009-05-19 02:46 -------- d-----w c:\documents and settings\Steve\Application Data\Safer Networking
2009-05-19 02:24 . 2009-05-19 02:45 -------- d-----w c:\program files\Safer Networking
2009-05-19 00:42 . 2009-05-19 00:42 -------- d-----w c:\program files\ProcessExplorer
2009-05-17 21:35 . 2009-05-17 21:35 -------- d--h--w c:\windows\system32\GroupPolicy
2009-05-17 21:35 . 2009-05-17 21:35 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-16 21:48 . 2009-05-16 21:57 -------- d-----w c:\windows\SxsCaPendDel
2009-05-15 22:01 . 2008-04-14 05:42 26112 ----a-w c:\windows\system32\USERINIT.EXE
2009-05-13 22:17 . 2009-05-13 22:17 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
2009-05-13 21:53 . 2009-05-14 00:55 -------- d-----w c:\documents and settings\Steve\Application Data\ptidle
2009-05-13 20:41 . 2009-05-13 21:00 -------- d-----w c:\documents and settings\All Users\Application Data\SimCity Societies
2009-05-13 11:42 . 2009-05-13 11:42 390664 ----a-w c:\documents and settings\Steve\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-12 02:57 . 2009-05-12 02:57 -------- d-----w c:\windows\system32\KB905474
2009-05-12 02:57 . 2009-03-11 03:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-05-12 02:57 . 2009-03-11 03:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-05-11 00:06 . 2009-05-11 00:28 98304 ----a-w c:\documents and settings\Steve\Application Data\Soldat\BattlEye\BEClient.dll
2009-05-11 00:06 . 2009-05-11 00:06 -------- d-----w c:\documents and settings\Steve\Application Data\Soldat
2009-05-11 00:06 . 2009-03-29 00:52 94208 ----a-w c:\documents and settings\Steve\Application Data\Soldat\BattlEye\BEServer.dll
2009-05-04 23:10 . 2009-05-04 23:10 -------- d-----w c:\documents and settings\All Users\Application Data\Ironclad Games
2009-04-30 21:25 . 2009-05-10 19:58 -------- d-----w c:\documents and settings\Steve\Application Data\Mumble
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-22 23:53 . 2009-03-29 22:46 -------- d-----w c:\program files\Mozilla Sunbird
2009-05-22 00:36 . 2009-02-01 02:50 -------- d-----w c:\program files\Spybot
2009-05-20 01:46 . 2009-03-08 22:28 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-17 15:23 . 2004-09-22 14:40 90328 ----a-w c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-13 13:31 . 2008-12-13 16:32 -------- d-----w c:\program files\Stardock Games
2009-05-05 20:23 . 2007-03-13 20:38 64 ----a-w c:\windows\popcinfot.dat
2009-05-03 18:08 . 2009-03-08 22:46 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-03 18:08 . 2009-03-08 22:46 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-03 18:08 . 2009-03-08 22:46 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-03 18:08 . 2009-03-08 22:46 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-27 03:19 . 2008-02-12 19:09 -------- d-----w c:\documents and settings\Steve\Application Data\WTablet
2009-04-25 20:20 . 2009-02-17 18:36 -------- d-----w c:\documents and settings\Steve\Application Data\Winamp
2009-04-23 01:30 . 2008-08-16 13:46 1 ----a-w c:\documents and settings\Steve\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-04-23 01:30 . 2008-08-07 00:46 -------- d-----w c:\documents and settings\Steve\Application Data\OpenOffice.org2
2009-04-22 05:20 . 2009-04-22 05:20 14311680 ----a-w c:\windows\system32\xlive.dll
2009-04-22 05:20 . 2009-04-22 05:20 13642496 ----a-w c:\windows\system32\xlivefnt.dll
2009-04-19 16:07 . 2007-09-15 21:17 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-14 23:29 . 2009-04-14 23:29 3638 ----a-r c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\NewShortcut11_12BC79CA813840C5870CC7F821C0C143.exe
2009-04-14 23:29 . 2009-04-14 23:29 3638 ----a-r c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\NewShortcut1_12BC79CA813840C5870CC7F821C0C143.exe
2009-04-14 23:29 . 2009-04-14 23:29 10134 ----a-r c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\ARPPRODUCTICON.exe
2009-03-30 22:54 . 2009-03-17 22:30 43520 ----a-w c:\windows\system32\CmdLineExt03.dll
2009-03-25 23:10 . 2007-09-15 21:17 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-25 23:10 . 2007-09-15 21:17 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-03-21 21:31 . 2004-07-29 01:10 80058 ----a-w c:\windows\War3Unin.dat
2009-03-10 17:09 . 2004-07-26 22:15 1725 ----a-w c:\windows\eReg.dat
2009-03-06 14:22 . 2004-08-04 05:56 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 05:56 826368 ----a-w c:\windows\system32\wininet.dll
2008-03-23 19:04 . 2008-03-23 19:04 0 ----a-w c:\program files\temp01
2005-04-16 16:11 . 2005-04-16 16:11 0 ----a-w c:\program files\error.dat
2003-12-18 17:33 . 2004-11-01 00:44 20102 ----a-w c:\program files\Readme.txt
2003-09-03 13:46 . 2004-11-01 00:44 10960 ----a-w c:\program files\EULA.txt
2003-07-29 06:15 . 2009-02-06 03:54 307200 ----a-w c:\program files\internet explorer\plugins\djvu0407.dll
2003-07-29 06:15 . 2009-02-06 03:54 303104 ----a-w c:\program files\internet explorer\plugins\djvu0409.dll
2003-07-29 06:15 . 2009-02-06 03:54 311296 ----a-w c:\program files\internet explorer\plugins\djvu040c.dll
2003-07-29 06:15 . 2009-02-06 03:54 299008 ----a-w c:\program files\internet explorer\plugins\djvu0411.dll
2003-07-29 06:15 . 2009-02-06 03:54 299008 ----a-w c:\program files\internet explorer\plugins\djvu0412.dll
2003-07-29 06:15 . 2009-02-06 03:54 290816 ----a-w c:\program files\internet explorer\plugins\djvu0804.dll
2003-07-29 06:15 . 2009-02-06 03:54 122880 ----a-w c:\program files\internet explorer\plugins\DjVuCntl.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\svcd ----
((((((((((((((((((((((((((((( SnapShot@2009-05-22_00.25.26 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="d:\games\steam\steam.exe" [2009-05-22 1217784]
"Executor"="c:\program files\Executor\executor.exe" [2008-05-19 1052672]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-04 185896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]
c:\documents and settings\Steve\Start Menu\Programs\Startup\
AWC.lnk - g:\awc (auto wallpaper changer)\AWC.exe [2009-4-1 1261568]
ImpulseNow.lnk - c:\program files\Stardock\Impulse\Now\ImpulseNow.exe [2009-5-4 356352]
Mozilla Sunbird.lnk - c:\program files\Mozilla Sunbird\sunbird.exe [2009-3-29 6354540]
Shortcut to Ut3 Map TO DOs.lnk - c:\documents and settings\Steve\Desktop\TO DO.txt [2008-8-13 5980]
Sins of a Solar Empire Launcher.lnk - d:\games\Sins of a Solar Empire\Stardock Games\Sins of a Solar Empire\SINS_Launcher.exe [2008-1-18 587992]
Ventrilo Server.lnk - c:\program files\Ventrilo\Ventrilo Server\ventrilo_srv.exe [2007-11-19 274432]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-12-14 528384]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 18:08 11952 ----a-w c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvuuss]
[BU]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= ctwdm32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DGPN"=2 (0x2)
"TabletServiceWacom"=2 (0x2)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Brother XP spl Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Games\\Steam\\SteamApps\\battlebotv82\\counter-strike source\\hl2.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo Server\\ventrilo_srv.exe"=
"d:\\Games\\WarHammer 40,000 Dawn of War\\Dark Crusade\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"d:\\Games\\Earth 2160\\Earth2160_NO_SSE.exe"=
"d:\\Games\\Earth 2160\\Earth2160_SSE.exe"=
"d:\\Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"d:\\Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Games\\World in Conflict\\wic.exe"=
"d:\\Games\\World in Conflict\\wic_online.exe"=
"d:\\Games\\World in Conflict\\wic_ds.exe"=
"d:\\Games\\Quake Wars - Enemy Territory\\etqwded.exe"=
"d:\\Games\\Quake Wars - Enemy Territory\\etqw.exe"=
"d:\\Games\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"d:\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"g:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
"g:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
"g:\\Games\\Universe At War Earth Assault\\UAWEA.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\brothers in arms earned in blood\\System\\EiB.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\prey\\prey.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\stalker shadow of chernobyl\\bin\\XR_3DA.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\prince of persia the warrior within\\PrinceOfPersia.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\roboblitz\\Binaries\\RoboLaunch.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\eets\\Eets.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\ghost recon advanced warfighter\\graw.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\ghost recon\\GhostRecon.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\empire total war demo\\Empire.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\ghost recon advanced warfighter 2\\graw2.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\multiwinia\\multiwinia.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\tom clancy's h.a.w.x - demo\\HAWX.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\wallace and gromit demo\\WallaceGromitDemo.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\osmos igf demo\\OsmosDemo.exe"=
"g:\\Games\\Spellforce 2 - Shadow Wars\\spellforce2.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\company of heroes\\RelicCOH.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\titan quest immortal throne\\Tqit.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\titan quest immortal throne\\help.htm"=
"d:\\Games\\Steam\\SteamApps\\common\\titan quest\\help.htm"=
"d:\\Games\\Sins of a Solar Empire\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\flock demo\\Flock.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\necrovision - demo\\Bin\\NecroVisioN.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/8/2009 5:46 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/8/2009 5:46 PM 108552]
R1 cdawdm;CDAWDM;c:\windows\system32\drivers\cdawdm.sys [11/22/2002 5:58 PM 48111]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/8/2009 5:45 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/8/2009 5:45 PM 298776]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [12/14/2006 4:50 PM 2368]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2/10/2008 1:49 PM 23040]
S3 Vsp;Vsp;\??\c:\windows\System32\drivers\Vsp.sys --> c:\windows\System32\drivers\Vsp.sys [?]
S4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2/12/2008 2:08 PM 1373480]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
2005-08-07 c:\windows\Tasks\cleanup-test.job
- d:\data\cleanup.bat [2004-09-07 02:12]
2009-05-04 c:\windows\Tasks\cleanup.job
- d:\data\cleanup.bat [2004-09-07 02:12]
2009-05-12 c:\windows\Tasks\DataOnly.job
- c:\windows\system32\ntbackup.exe [2004-08-04 00:12]
2009-05-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wrinsiders.com/Teens/?RP=SignIn
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\
FF - prefs.js: browser.startup.homepage - file:///d:/Data/HomePage/index.html
FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
FF - plugin: g:\gametap\bin\Release\npgametaptool.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-22 18:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-725345543-764733703-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3424)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\MSVCP71.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\UAService7.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-22 18:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-22 23:57
ComboFix2.txt 2009-05-22 00:28
Pre-Run: 12,269,916,160 bytes free
Post-Run: 12,240,506,880 bytes free
Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
309 --- E O F --- 2009-05-16 21:42
===============================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:30 PM, on 5/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\games\steam\steam.exe
C:\Program Files\Executor\executor.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
G:\AWC (Auto Wallpaper Changer)\AWC.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
O4 - Startup: Sins of a Solar Empire Launcher.lnk = D:\Games\Sins of a Solar Empire\Stardock Games\Sins of a Solar Empire\SINS_Launcher.exe
O4 - Startup: Ventrilo Server.lnk = C:\Program Files\Ventrilo\Ventrilo Server\ventrilo_srv.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tuvuuss - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
--
End of file - 5090 bytes
==============================================
Hi again, looking much better :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
==================
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O20 - Winlogon Notify: tuvuuss - C:\WINDOWS\
Run ATF Cleaner
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Run Kaspersky Online AV Scanner
Right click on your favourite web browser (Internet Explorer, Firefox, etc) and select Run As Administrator to run it.
Go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
- Mail databases
Click on My Computer under Scan and then put the kettle on!
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Restart the computer.
================
When you're ready, please post the following logs here:
- Kaspersky's report
- a fresh HijackThis log
- let me know how the pc is running
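The one entry the helper asks to fix above is a Winlogon Notify line whose target is a bare directory rather than a DLL. The following is an added example for this thread, not code from the thread or from Trend Micro's HijackThis: it reads the O2, O20 and O23 lines in the format the logs above use and flags the patterns a helper checks first. The regexes and the flagging rules are our own; the sample lines are copied from the HijackThis logs posted in this thread.

```python
"""Triage of HijackThis autostart entries (added example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\Spybot\\SDHelper.dll
O2 - BHO: (no name) - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll
O20 - Winlogon Notify: tuvuuss - C:\\WINDOWS\\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\\WINDOWS\\system32\\Ati2evxx.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# Line formats as HijackThis 2.0.2 prints them; these regexes are our own.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    name: str      # entry name (or CLSID for a nameless BHO)
    target: str    # path or placeholder exactly as HijackThis printed it
    severity: str  # "high" = worth fixing, "info" = orphaned but harmless
    reason: str
    line: str      # the original log line, ready to tick in "Fix checked"


def triage(log_text: str) -> list[Finding]:
    """Return the entries a helper would look at first, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O20_RE.match(line):
            # Winlogon Notify packages load a DLL into winlogon.exe at logon.
            # A legitimate entry names a .dll; a bare directory means the
            # file name is hidden or missing, which is how 'tuvuuss' shows up.
            if not m["path"].lower().endswith(".dll"):
                findings.append(Finding("O20", m["name"], m["path"], "high",
                                        "Winlogon Notify target is not a DLL path", line))
        elif m := O2_RE.match(line):
            # A BHO with neither a name nor a file is an orphaned registration
            # or one whose DLL is hidden from the scanner.
            if m["name"] == "(no name)" and m["path"] == "(no file)":
                findings.append(Finding("O2", m["clsid"], m["path"], "high",
                                        "nameless BHO with no backing file", line))
        elif m := O23_RE.match(line):
            # A service whose binary is gone cannot run; note it, but do not
            # treat it as an infection on its own.
            if m["path"].endswith("(file missing)"):
                findings.append(Finding("O23", m["name"], m["path"], "info",
                                        "service binary missing", line))
    return findings


def fix_list(log_text: str) -> list[str]:
    """The exact lines to check in HijackThis 'Do a system scan only'."""
    return [f.line for f in triage(log_text) if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section} {f.name}: {f.reason} ({f.target})")
```

Run it against a saved HijackThis log (`triage(open("hijackthis.log").read())`) and `fix_list` gives back the lines to tick verbatim, so nothing is retyped. The O23 "(file missing)" entries are reported at info level only: they show up for uninstalled drivers as often as for malware, and the helper in this thread leaves the Ati one alone.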
Hi Mr_Jak3
I followed your instructions, and here are the scan and hijackthis logs. How's it looking now?
Steve
=============================
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, May 24, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 24, 2009 16:28:49
Records in database: 2234316
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan statistics:
Files scanned: 565085
Threat name: 13
Infected objects: 34
Suspicious objects: 0
Duration of the scan: 06:13:23
File name / Threat name / Threats count
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-4a03e20f Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-7a73e55c Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-148d63e7 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\6.0\52\7c5dd1b4-72dc4052 Infected: Trojan.Java.ClassLoader.ao 1
C:\Documents and Settings\Steve\Desktop\AV Tools\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
C:\Documents and Settings\Steve\Desktop\To Sort Later\Anti-Spyware\backups\backup-20080113-173930-245-source.html Infected: Trojan-Clicker.HTML.IFrame.dn 1
C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\BattleBotv8.2 - Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.b 1
C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.b 1
C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q 1
C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q 1
C:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Infected: Email-Worm.Win32.Bagle.ai 2
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthoexqsdnrniyyxyfkkjygtwtjlfjkdsxc.dll.vir Infected: Trojan.Win32.Tdss.aalc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthqbtipejuamkumlrsdnvkffqtmddqhudu.dll.vir Infected: Trojan.Win32.Tdss.aalg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthvhptehqbgkpdtfpphqkwyrvrdrccrukd.dll.vir Infected: Trojan.Win32.Tdss.aald 1
C:\System Volume Information\_restore{2D1BCA4F-B413-410A-8075-A3EFB933AE76}\RP205\A0064885.dll Infected: Trojan.Win32.Tdss.aalc 1
C:\System Volume Information\_restore{2D1BCA4F-B413-410A-8075-A3EFB933AE76}\RP205\A0064886.dll Infected: Trojan.Win32.Tdss.aalg 1
C:\System Volume Information\_restore{2D1BCA4F-B413-410A-8075-A3EFB933AE76}\RP205\A0064887.dll Infected: Trojan.Win32.Tdss.aald 1
C:\System Volume Information\_restore{81DEB3A1-32F6-47DA-814F-CC9817B6BB5D}\RP266\A0210613.sys Infected: Trojan.Win32.Tdss.aalf 1
C:\System Volume Information\_restore{81DEB3A1-32F6-47DA-814F-CC9817B6BB5D}\RP266\A0210614.dll Infected: Trojan.Win32.Tdss.aalc 1
C:\System Volume Information\_restore{81DEB3A1-32F6-47DA-814F-CC9817B6BB5D}\RP266\A0210615.dll Infected: Trojan.Win32.Tdss.aalg 1
C:\System Volume Information\_restore{81DEB3A1-32F6-47DA-814F-CC9817B6BB5D}\RP266\A0210616.dll Infected: Trojan.Win32.Tdss.aald 1
C:\WINDOWS\system32\pofegohu(junk).dllllll Infected: Packed.Win32.Krap.q 1
E:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-11267197.zip Infected: Exploit.Java.Gimsh.b 1
E:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-400827c9.zip Infected: Exploit.Java.Gimsh.b 1
E:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\BattleBotv8.2 - Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.b 1
E:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.b 1
E:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q 1
E:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q 1
E:\Documents and Settings\Steve\Local Settings\Application Data\Identities\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx Infected: Email-Worm.Win32.Bagle.ai 2
H:\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
The selected area was scanned.
================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:51 PM, on 5/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\games\steam\steam.exe
C:\Program Files\Executor\executor.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
G:\AWC (Auto Wallpaper Changer)\AWC.exe
C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Stardock\Impulse\Impulse.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
O4 - Startup: Sins of a Solar Empire Launcher.lnk = D:\Games\Sins of a Solar Empire\Stardock Games\Sins of a Solar Empire\SINS_Launcher.exe
O4 - Startup: Ventrilo Server.lnk = C:\Program Files\Ventrilo\Ventrilo Server\ventrilo_srv.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
--
End of file - 5078 bytes
==========================================
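Most of the 34 hits in the Kaspersky report above sit in ComboFix's quarantine (`C:\Qoobox\Quarantine`, `.vir` suffix) or in System Restore points, which is why the helper calls them leftovers; the items that still need a hand are the Java deployment cache, the Outlook Express `.dbx` stores and one file in `system32`. The following is an added example for this thread, not code from the thread or from Kaspersky: it parses the "path Infected: threat count" lines in the format the report uses and sorts them into those buckets. The categories and the recommended actions are our own reading of the helper's triage; the sample lines are a subset copied from the report.

```python
"""Sort a Kaspersky Online Scanner report into leftovers and live findings.

Added example, not Kaspersky code. Line format taken from the report in this
thread; categories and actions are our own.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the Kaspersky report in this thread.
SAMPLE_REPORT = """\
C:\\Documents and Settings\\Steve\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\22\\10453ed6-4a03e20f Infected: Exploit.Java.Gimsh.b 1
C:\\Documents and Settings\\Steve\\Desktop\\AV Tools\\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
C:\\Documents and Settings\\Steve\\Local Settings\\Application Data\\Identities\\{4CB4FC00-E9AC-4FF0-AED9-D91ADB30B9EC}\\Microsoft\\Outlook Express\\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.b 1
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\drivers\\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
C:\\System Volume Information\\_restore{2D1BCA4F-B413-410A-8075-A3EFB933AE76}\\RP205\\A0064885.dll Infected: Trojan.Win32.Tdss.aalc 1
C:\\WINDOWS\\system32\\pofegohu(junk).dllllll Infected: Packed.Win32.Krap.q 1
"""

# "<path> Infected: <threat> <count>"; paths contain spaces, so match lazily.
LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")

# Category -> what to do about it (our own wording of the helper's triage).
ACTIONS = {
    "quarantine":    "inert copy in a removal tool's quarantine; goes away when the tool is uninstalled",
    "restore_point": "inert copy in System Restore; cleared by purging restore points",
    "mail_store":    "infected message inside a mail database; delete the message and compact the folder",
    "java_cache":    "cached applet that targeted an old Java; empty the cache and update Java",
    "riskware":      "legitimate admin tool flagged as not-a-virus; keep or delete deliberately",
    "live":          "file on disk with no benign explanation; delete and re-scan",
}


@dataclass
class Hit:
    path: str
    threat: str
    count: int
    category: str


def categorize(path: str, threat: str) -> str:
    """First matching rule wins; inert locations are checked before live ones."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p or p.endswith(".vir"):
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if p.endswith(".dbx"):
        return "mail_store"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"
    if threat.startswith("not-a-virus:"):
        return "riskware"
    return "live"


def parse_report(text: str) -> list[Hit]:
    hits: list[Hit] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # header, footer and scan-area lines do not match and are skipped
            hits.append(Hit(m["path"], m["threat"], int(m["count"]),
                            categorize(m["path"], m["threat"])))
    return hits


def category_counts(text: str) -> dict[str, int]:
    return dict(Counter(h.category for h in parse_report(text)))


def live_findings(text: str) -> list[Hit]:
    """Hits that are neither quarantined, archived nor explained: act on these first."""
    return [h for h in parse_report(text) if h.category == "live"]


if __name__ == "__main__":
    for h in parse_report(SAMPLE_REPORT):
        print(f"{h.category:14} {h.threat:40} {h.path}")
        print(f"{'':14} -> {ACTIONS[h.category]}")
```

Feed it the saved `.txt` report (`parse_report(open("report.txt", encoding="utf-8").read())`). The restore-point and quarantine buckets explain why the helper's follow-up is "clear System Restore" and "uninstall ComboFix" rather than deleting anything by hand; only the `live` bucket, here the single `system32` file, calls for a manual delete.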
Ok the Kaspersky findings are just leftovers.
Delete everything inside this folder:
C:\Documents and Settings\Steve\Application Data\Sun\Java\Deployment\cache
Delete this file if found:
C:\WINDOWS\system32\pofegohu(junk).dllllll
Then you should clean up your Outlook Express email folders as you have some infected emails there.
You don't seem to have a third-party firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) installed. You must install one firewall.
It is possible that you're using the Windows XP firewall. That is of course better than nothing, but I recommend that you install a more advanced firewall that gives more protection. Windows firewall doesn't, e.g., protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:
These are good (free) firewalls:
Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Comodo (http://www.personalfirewall.comodo.com)
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
First remove the older versions:
Click Start
Go to Control Panel
Go to Add/Remove Programs
Find and click Remove for each version of Java that is present
Download JavaRa (http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn) and unzip it to your desktop.
Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.
Now let's download and install the newest version:
Download Java SE Runtime Environment (JRE) 6 Update 12 from here: http://java.sun.com/javase/downloads/index.jsp
As Platform select your operating system, agree to the License Agreement and click Continue.
Now click on the link under Windows Offline Installation and download the installer to your desktop.
Close any programs you may have running - especially your web browser.
Then from your desktop double-click on the download to install the newest version.
Reboot your computer.
If there are no problems, we'll remove all used tools.
Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.
Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.
Now let's uninstall ComboFix:
* Click START then RUN
* Now type Combofix /u in the Run box and click OK
You may uninstall MBAM via Control Panel
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is a faster, safer and better browser than Internet Explorer.
Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.
Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
All is working well! Thanks, Mr_Jak3. :bigthumb: Your help saved a reformat (never any fun):D:. This is the first time I've had to come to this site for help. I really appreciate it.
Steve
:oops: I spoke too soon. Today I was using Firefox and went to Google. About 1 in three links took me to the wrong site. Each time it was different. I ran Spybot and it reported Virtumonde.sci and Virtumonde.sdn. It cleaned these up, but there must still be something hiding. What's next?
Steve
Hiya :)
Okay let's see what we have there. Please post a fresh HijackThis log...
Here's the log after a fresh boot.
-----------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:05 PM, on 6/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\games\steam\steam.exe
C:\Program Files\Executor\executor.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
G:\AWC (Auto Wallpaper Changer)\AWC.exe
C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot\SpybotSD.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tuvuuss - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
--
End of file - 5544 bytes
Ok this is going to look like a replay but something came back....
We will begin with ComboFix. (again :))
Please download ComboFix from one of these locations:
Link 1 (http://subs.geekstogo.com/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Here are my logs.
Steve
---------------------------
ComboFix 09-06-07.02 - Steve 06/07/2009 16:38.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1503 [GMT -5:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((( Files Created from 2009-05-07 to 2009-06-07 )))))))))))))))))))))))))))))))
.
2009-06-07 01:51 . 1999-03-23 05:00 401484 ----a-w- c:\windows\system32\msvcrtd.dll
2009-06-03 23:03 . 2009-06-03 23:03 -------- d-----w- c:\program files\GameTap Web Player
2009-06-03 23:03 . 2009-06-03 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\GameTap Web Player
2009-06-03 23:03 . 2009-05-06 00:05 462848 ----a-w- c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\GameTap@gametap.com\plugins\npGameTapWebUpdater.dll
2009-06-01 17:53 . 2009-06-01 17:53 390664 ----a-w- c:\documents and settings\Steve\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-24 15:36 . 2009-05-24 15:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-20 05:32 . 2009-05-20 05:32 -------- d-----w- c:\program files\Trend Micro
2009-05-20 04:30 . 2009-05-20 04:31 -------- d-----w- c:\program files\RegBackup ERUNT
2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2009-05-19 02:47 . 2009-04-06 20:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-19 02:47 . 2009-04-06 20:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-19 02:47 . 2009-05-19 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-19 02:46 . 2009-05-19 02:46 -------- d-----w- c:\documents and settings\Steve\Application Data\Safer Networking
2009-05-19 02:24 . 2009-05-19 02:45 -------- d-----w- c:\program files\Safer Networking
2009-05-19 00:42 . 2009-05-19 00:42 -------- d-----w- c:\program files\ProcessExplorer
2009-05-17 21:35 . 2009-05-17 21:35 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-05-17 21:35 . 2009-05-17 21:35 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-16 21:48 . 2009-05-16 21:57 -------- d-----w- c:\windows\SxsCaPendDel
2009-05-15 22:01 . 2008-04-14 05:42 26112 ----a-w- c:\windows\system32\USERINIT.EXE
2009-05-13 22:17 . 2009-05-13 22:17 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
2009-05-13 21:53 . 2009-05-14 00:55 -------- d-----w- c:\documents and settings\Steve\Application Data\ptidle
2009-05-13 20:41 . 2009-05-13 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SimCity Societies
2009-05-12 02:57 . 2009-05-12 02:57 -------- d-----w- c:\windows\system32\KB905474
2009-05-12 02:57 . 2009-03-11 03:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-05-12 02:57 . 2009-03-11 03:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-05-11 00:06 . 2009-05-11 00:28 98304 ----a-w- c:\documents and settings\Steve\Application Data\Soldat\BattlEye\BEClient.dll
2009-05-11 00:06 . 2009-05-11 00:06 -------- d-----w- c:\documents and settings\Steve\Application Data\Soldat
2009-05-11 00:06 . 2009-03-29 00:52 94208 ----a-w- c:\documents and settings\Steve\Application Data\Soldat\BattlEye\BEServer.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-07 21:23 . 2009-03-29 22:46 -------- d-----w- c:\program files\Mozilla Sunbird
2009-06-07 01:52 . 2005-01-30 21:40 246 ----a-w- c:\windows\PowerReg.dat
2009-06-07 01:50 . 2004-07-25 12:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-05 16:42 . 2007-06-17 22:30 98304 ----a-w- c:\windows\System32CmdLineExt.dll
2009-06-04 23:06 . 2007-03-13 20:38 64 ----a-w- c:\windows\popcinfot.dat
2009-06-03 22:24 . 2004-09-22 14:40 84592 ----a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 13:48 . 2009-02-01 02:50 -------- d-----w- c:\program files\Spybot
2009-05-27 23:37 . 2008-08-07 00:46 -------- d-----w- c:\documents and settings\Steve\Application Data\OpenOffice.org2
2009-05-27 23:36 . 2008-08-16 13:46 1 ----a-w- c:\documents and settings\Steve\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-05-27 23:35 . 2008-01-25 01:18 -------- d-----w- c:\program files\MSECACHE
2009-05-20 01:46 . 2009-03-08 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-13 13:31 . 2008-12-13 16:32 -------- d-----w- c:\program files\Stardock Games
2009-05-10 19:58 . 2009-04-30 21:25 -------- d-----w- c:\documents and settings\Steve\Application Data\Mumble
2009-05-04 23:10 . 2009-05-04 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Ironclad Games
2009-05-03 18:08 . 2009-03-08 22:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-03 18:08 . 2009-03-08 22:46 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-03 18:08 . 2009-03-08 22:46 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-03 18:08 . 2009-03-08 22:46 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-27 03:19 . 2008-02-12 19:09 -------- d-----w- c:\documents and settings\Steve\Application Data\WTablet
2009-04-25 20:20 . 2009-02-17 18:36 -------- d-----w- c:\documents and settings\Steve\Application Data\Winamp
2009-04-22 05:20 . 2009-04-22 05:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-22 05:20 . 2009-04-22 05:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-04-19 16:07 . 2007-09-15 21:17 189072 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-04-14 23:29 . 2009-04-14 23:29 3638 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\NewShortcut11_12BC79CA813840C5870CC7F821C0C143.exe
2009-04-14 23:29 . 2009-04-14 23:29 3638 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\NewShortcut1_12BC79CA813840C5870CC7F821C0C143.exe
2009-04-14 23:29 . 2009-04-14 23:29 10134 ----a-r- c:\documents and settings\Steve\Application Data\Microsoft\Installer\{12BC79CA-8138-40C5-870C-C7F821C0C143}\ARPPRODUCTICON.exe
2009-03-30 22:54 . 2009-03-17 22:30 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-03-25 23:10 . 2007-09-15 21:17 138920 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-25 23:10 . 2007-09-15 21:17 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-03-21 21:31 . 2004-07-29 01:10 80058 ----a-w- c:\windows\War3Unin.dat
2009-03-10 17:09 . 2004-07-26 22:15 1725 ----a-w- c:\windows\eReg.dat
2008-03-23 19:04 . 2008-03-23 19:04 0 ----a-w- c:\program files\temp01
2005-04-16 16:11 . 2005-04-16 16:11 0 ----a-w- c:\program files\error.dat
2003-12-18 17:33 . 2004-11-01 00:44 20102 ----a-w- c:\program files\Readme.txt
2003-09-03 13:46 . 2004-11-01 00:44 10960 ----a-w- c:\program files\EULA.txt
2003-07-29 06:15 . 2009-02-06 03:54 307200 ----a-w- c:\program files\internet explorer\plugins\djvu0407.dll
2003-07-29 06:15 . 2009-02-06 03:54 303104 ----a-w- c:\program files\internet explorer\plugins\djvu0409.dll
2003-07-29 06:15 . 2009-02-06 03:54 311296 ----a-w- c:\program files\internet explorer\plugins\djvu040c.dll
2003-07-29 06:15 . 2009-02-06 03:54 299008 ----a-w- c:\program files\internet explorer\plugins\djvu0411.dll
2003-07-29 06:15 . 2009-02-06 03:54 299008 ----a-w- c:\program files\internet explorer\plugins\djvu0412.dll
2003-07-29 06:15 . 2009-02-06 03:54 290816 ----a-w- c:\program files\internet explorer\plugins\djvu0804.dll
2003-07-29 06:15 . 2009-02-06 03:54 122880 ----a-w- c:\program files\internet explorer\plugins\DjVuCntl.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-22_00.25.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-10 22:19 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
- 2007-08-10 22:19 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2009-05-27 23:36 . 2009-05-27 23:36 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2009-06-03 22:25 . 2009-06-03 22:25 56320 c:\windows\assembly\NativeImages_v2.0.50727_32\Stardock.Central.Se#\5385eb9f34ad209ba7ea87cac00e1a64\Stardock.Central.Security.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 81920 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Uninstall\bcb8554f6f9d1fac5114830ff6c1d4bc\Sd.Uninstall.ni.dll
+ 2004-07-24 18:01 . 2009-05-28 11:56 296456 c:\windows\system32\FNTCACHE.DAT
+ 2009-06-03 22:25 . 2009-06-03 22:25 284672 c:\windows\assembly\NativeImages_v2.0.50727_32\VistaBridgeLibrary\1a7da1bd1409cb8aae83d12985e91785\VistaBridgeLibrary.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 485888 c:\windows\assembly\NativeImages_v2.0.50727_32\VDialog\b9f93ab4e871202f08bacb2eea45619f\VDialog.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd\b763c29a1b5ab7f3a4db1563af682177\Sd.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 422912 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Web\c71283976332f42816bf8eef4862aa2a\Sd.Web.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 155648 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.UI\3e7f2d58806d187d104688c6646cf0f4\Sd.UI.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 804352 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Irc\91e6d500574d1ef15828dcdbc154e44e\Sd.Irc.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 296960 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.InstallManager\3b63000c351829ab07838317ca9a3643\Sd.InstallManager.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 564224 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Common.XmlSerial#\ae0f4540e4c7dbed2820722ac3eed7da\Sd.Common.XmlSerializers.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 788480 c:\windows\assembly\NativeImages_v2.0.50727_32\sd.central.cvp.serv#\b6e8a38d3cfc48123b5715b7cd18b6e1\sd.central.cvp.server.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 128512 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Central.Archive\8101eb83b90821af4b7c6eab2024a41f\Sd.Central.Archive.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 345600 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Central.Archive.#\aca17957fd7012185f82679a35a18b0f\Sd.Central.Archive.XmlSerializers.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 326144 c:\windows\assembly\NativeImages_v2.0.50727_32\MyDock.Util\523977d5edec6266fcc0c7588e361cd5\MyDock.Util.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 100864 c:\windows\assembly\NativeImages_v2.0.50727_32\Interop.IWshRuntime#\b57a1fe2527d40aae9b62b10f57be9b8\Interop.IWshRuntimeLibrary.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 726016 c:\windows\assembly\NativeImages_v2.0.50727_32\ICSharpCode.SharpZi#\5c1a3278ff6412107322a65dee39790d\ICSharpCode.SharpZipLib.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 1308160 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Common\d0463aaf422bc51e171f0cad7a6775e1\Sd.Common.ni.dll
+ 2009-06-03 22:25 . 2009-06-03 22:25 6175232 c:\windows\assembly\NativeImages_v2.0.50727_32\Impulse\162b482fdd3a7302192bf6d202561efd\Impulse.ni.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="d:\games\steam\steam.exe" [2009-05-22 1217784]
"Executor"="c:\program files\Executor\executor.exe" [2008-05-19 1052672]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-04 185896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]
c:\documents and settings\Steve\Start Menu\Programs\Startup\
AWC.lnk - g:\awc (auto wallpaper changer)\AWC.exe [2009-4-1 1261568]
ImpulseNow.lnk - c:\program files\Stardock\Impulse\Now\ImpulseNow.exe [2009-5-4 356352]
Mozilla Sunbird.lnk - c:\program files\Mozilla Sunbird\sunbird.exe [2009-3-29 6354540]
Shortcut to Ut3 Map TO DOs.lnk - c:\documents and settings\Steve\Desktop\TO DO.txt [2008-8-13 6087]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-12-14 528384]
Spybot - Search & Destroy.lnk - c:\program files\Spybot\SpybotSD.exe [2009-1-31 5365592]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 18:08 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvuuss]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=ctwdm32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^ImpulseNow.lnk]
path=c:\documents and settings\Steve\Start Menu\Programs\Startup\ImpulseNow.lnk
backup=c:\windows\pss\ImpulseNow.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^Ventrilo Server.lnk]
path=c:\documents and settings\Steve\Start Menu\Programs\Startup\Ventrilo Server.lnk
backup=c:\windows\pss\Ventrilo Server.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DGPN"=2 (0x2)
"TabletServiceWacom"=2 (0x2)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Brother XP spl Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Games\\Steam\\SteamApps\\battlebotv82\\counter-strike source\\hl2.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo Server\\ventrilo_srv.exe"=
"d:\\Games\\WarHammer 40,000 Dawn of War\\Dark Crusade\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"d:\\Games\\Earth 2160\\Earth2160_NO_SSE.exe"=
"d:\\Games\\Earth 2160\\Earth2160_SSE.exe"=
"d:\\Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"d:\\Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Games\\World in Conflict\\wic.exe"=
"d:\\Games\\World in Conflict\\wic_online.exe"=
"d:\\Games\\World in Conflict\\wic_ds.exe"=
"d:\\Games\\Quake Wars - Enemy Territory\\etqwded.exe"=
"d:\\Games\\Quake Wars - Enemy Territory\\etqw.exe"=
"d:\\Games\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"d:\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"g:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
"g:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
"g:\\Games\\Universe At War Earth Assault\\UAWEA.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\brothers in arms earned in blood\\System\\EiB.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\stalker shadow of chernobyl\\bin\\XR_3DA.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\prince of persia the warrior within\\PrinceOfPersia.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\roboblitz\\Binaries\\RoboLaunch.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\eets\\Eets.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\ghost recon advanced warfighter\\graw.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\ghost recon\\GhostRecon.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\ghost recon advanced warfighter 2\\graw2.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\multiwinia\\multiwinia.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\wallace and gromit demo\\WallaceGromitDemo.exe"=
"g:\\Games\\Spellforce 2 - Shadow Wars\\spellforce2.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\company of heroes\\RelicCOH.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\titan quest immortal throne\\Tqit.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\titan quest immortal throne\\help.htm"=
"d:\\Games\\Steam\\SteamApps\\common\\titan quest\\help.htm"=
"d:\\Games\\Sins of a Solar Empire\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"d:\\Games\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/8/2009 5:46 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/8/2009 5:46 PM 108552]
R1 cdawdm;CDAWDM;c:\windows\system32\drivers\cdawdm.sys [11/22/2002 5:58 PM 48111]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/8/2009 5:45 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/8/2009 5:45 PM 298776]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [12/14/2006 4:50 PM 2368]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2/10/2008 1:49 PM 23040]
S3 Vsp;Vsp;\??\c:\windows\System32\drivers\Vsp.sys --> c:\windows\System32\drivers\Vsp.sys [?]
S4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2/12/2008 2:08 PM 1373480]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
2005-08-07 c:\windows\Tasks\cleanup-test.job
- d:\data\cleanup.bat [2004-09-07 02:12]
2009-05-04 c:\windows\Tasks\cleanup.job
- d:\data\cleanup.bat [2004-09-07 02:12]
2009-05-12 c:\windows\Tasks\DataOnly.job
- c:\windows\system32\ntbackup.exe [2004-08-04 00:12]
2009-06-07 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wrinsiders.com/Teens/?RP=SignIn
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\
FF - prefs.js: browser.startup.homepage - file:///d:/Data/HomePage/index.html
FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\GameTap@gametap.com\plugins\npGameTapWebUpdater.dll
FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\default.y55\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\GameTap Web Player\bin\release\npGameTapWebPlayer.dll
FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-07 16:39
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-725345543-764733703-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
[HKEY_USERS\S-1-5-21-725345543-764733703-1801674531-1003\Software\SecuROM\License information*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2304)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\MSVCP71.dll
c:\windows\system32\msi.dll
.
Completion time: 2009-06-07 16:41
ComboFix-quarantined-files.txt 2009-06-07 21:41
ComboFix2.txt 2009-05-22 23:57
ComboFix3.txt 2009-05-22 00:28
Pre-Run: 12,837,810,176 bytes free
Post-Run: 12,909,498,368 bytes free
Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
294 --- E O F --- 2009-05-23 02:53
-------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:48:50 PM, on 6/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Executor\executor.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot\SpybotSD.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: tuvuuss - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
--
End of file - 4928 bytes
-------------------------
Okay...
Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop.
Inside the new folder, double-click ERUNT.exe to start the program.
OK all the prompts to back up your registry to the default location. Note: to restore your registry, go to the backup folder and start ERDNT.exe
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):
REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvuuss]
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Then uninstall all previous versions of Malwarebytes' Anti-Malware (MBAM).
Restart the pc.
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to a convenient location.
Double click on mbam-setup.exe to install it.
Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
Select the Scanner tab. Click on Perform full scan, then click on Scan.
Leave the default options as they are and click on Start Scan.
When done, you will be prompted. Click OK, then click on Show Results.
Check (tick) all items and click on Remove Selected.
After it has removed the items, Notepad will open. Please post this log in your next reply along with a fresh HijackThis log. You can also find the log in the Logs tab. The bottom most log is the latest.
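As an added example (not the helper's or the thread's own code), here is the triage the helper did by eye, written in Python: parse the O20 Winlogon Notify lines from a HijackThis log, flag an entry whose DLL path is a bare directory or not a .dll file (the tuvuuss pattern in the log above), and build the REGEDIT4 deletion text following the rules the helper gave. The sample log lines are constructed to mirror the posted log, and the HijackThis line format is assumed from the logs in this thread.

```python
import re

# Constructed sample log lines, modelled on the HijackThis output posted in this thread.
SAMPLE_LOG = """\
O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll
O20 - Winlogon Notify: tuvuuss - C:\\WINDOWS\\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\\WINDOWS\\system32\\Ati2evxx.exe (file missing)
"""

# Registry key under which Winlogon Notify packages live (the key the helper's Fix.reg targets).
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

# HijackThis O20 line shape, as seen in the logs above: "O20 - Winlogon Notify: <subkey> - <dll path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def parse_o20(log_text):
    """Return a list of (subkey_name, dll_path) tuples, one per O20 line."""
    entries = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), m.group("path").strip()))
    return entries


def is_suspicious(dll_path):
    """Heuristic: a Winlogon Notify package must name a concrete DLL.

    A bare directory (the 'tuvuuss - C:\\WINDOWS\\' entry), an empty path, or a
    path that is not a .dll means the file is hidden or gone while its load
    point persists - the situation the helper is clearing here.
    """
    p = dll_path.strip()
    if not p or p.endswith("\\"):
        return True
    return not p.lower().endswith(".dll")


def build_fix_reg(subkey_names):
    """Build REGEDIT4 text that deletes each listed Notify subkey.

    A '-' before the key path inside the brackets tells regedit to delete the
    key. Layout follows the helper's rules: REGEDIT4 is the first line, with
    nothing before it, and the file ends with exactly one blank line.
    """
    lines = ["REGEDIT4", ""]
    for name in subkey_names:
        lines.append(f"[-{NOTIFY_KEY}\\{name}]")
        lines.append("")
    return "\r\n".join(lines) + "\r\n"


def triage(log_text):
    """Split O20 entries into clean and suspicious, and prepare the fix text."""
    entries = parse_o20(log_text)
    suspicious = [name for name, path in entries if is_suspicious(path)]
    clean = [name for name, path in entries if not is_suspicious(path)]
    return {
        "clean": clean,
        "suspicious": suspicious,
        "fix_reg": build_fix_reg(suspicious) if suspicious else "",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("clean Notify packages:     ", result["clean"])
    print("suspicious Notify packages:", result["suspicious"])
    # The helper's procedure saves this text as Fix.reg and merges it; here it is only shown.
    print(result["fix_reg"])
```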
Malwarebytes' Anti-Malware 1.37
Database version: 2259
Windows 5.1.2600 Service Pack 3
6/10/2009 6:44:19 PM
mbam-log-2009-06-10 (18-44-19).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 752702
Time elapsed: 2 hour(s), 23 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 12
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
c:\documents and settings\Steve\Application Data\ptidle (Trojan.Downloader) -> Quarantined and deleted successfully.
Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\afnoinkdsfe.dll.vir (Trojan.Ertfor) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\ovfsthoexqsdnrniyyxyfkkjygtwtjlfjkdsxc.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\ovfsthqbtipejuamkumlrsdnvkffqtmddqhudu.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\ovfsthvhptehqbgkpdtfpphqkwyrvrdrccrukd.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2d1bca4f-b413-410a-8075-a3efb933ae76}\RP205\A0064886.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2d1bca4f-b413-410a-8075-a3efb933ae76}\RP205\A0064887.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210613.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210614.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210615.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210616.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{81deb3a1-32f6-47da-814f-cc9817b6bb5d}\RP266\A0210789.dll (Trojan.Ertfor) -> Quarantined and deleted successfully.
-----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:34 PM, on 6/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Executor\executor.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
G:\AWC (Auto Wallpaper Changer)\AWC.exe
C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\games\steam\steam.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot\SpybotSD.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
--
End of file - 4964 bytes
---------------------------------
Okay, looks good now. How is the PC running now? Any symptoms?
It seems ok except sometimes google searches return links to different phishing sites. The most frequent one today is claiming to be sucleaner.com. However, clicking on the google link a second time properly goes to the site.
Here's my current hijackthis log:
Steve
================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:01 PM, on 6/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\games\steam\steam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
G:\Programs\Mumble\mumble.exe
G:\Programs\Mumble\dbus-daemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrinsiders.com/Teens/?RP=SignIn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Steam] "d:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: AWC.lnk = G:\AWC (Auto Wallpaper Changer)\AWC.exe
O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
O4 - Startup: Mozilla Sunbird.lnk = C:\Program Files\Mozilla Sunbird\sunbird.exe
O4 - Startup: Shortcut to Ut3 Map TO DOs.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot\SpybotSD.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
--
End of file - 4754 bytes
Ok in that case we'll do some digging...
Please run a GMER Rootkit scan:
Download GMER's application from here:
http://www.gmer.net/gmer.zip
Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning! Please do not select the "Show all" checkbox during the scan.
If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.
Please RIGHT-CLICK HERE (http://www.silentrunners.org/Silent%20Runners.vbs) and Save As (in IE it's "Save Target As") to download Silent Runners.
Save it to the desktop.
Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
You will see a text file appear on the desktop - it's not done yet, let it run (it won't appear to be doing anything!)
Once you receive the prompt "All Done!", double-click the new text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
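For readers who want to triage the GMER output the helper asks for, here is an added example (not code from the thread, from GMER, or from Silent Runners) that parses the "Reg" lines of GMER's registry section, groups values by service key, and flags services whose name or driver file name looks machine-generated or which carry per-process DLL injection entries. The sample lines are constructed in GMER's line format; the service and driver names in them are made up, and the length/entropy thresholds are assumptions for a heuristic, not a signature.

```python
import math
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in GMER's "Reg <key>[@<value>] [<data>]" line format.
# The long lowercase service/driver names are invented for this example.
SAMPLE_GMER = r"""
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\qwzxkplmvtrbnhgfdsaypoiuytrewqlkjhgf@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\qwzxkplmvtrbnhgfdsaypoiuytrewqlkjhgf@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\qwzxkplmvtrbnhgfdsaypoiuytrewqlkjhgf@imagepath \systemroot\system32\drivers\qwzxkpnrtuvwxyabcdefghijklmopqrstuvw.sys
Reg HKLM\SYSTEM\ControlSet001\Services\qwzxkplmvtrbnhgfdsaypoiuytrewqlkjhgf\main
Reg HKLM\SYSTEM\ControlSet001\Services\qwzxkplmvtrbnhgfdsaypoiuytrewqlkjhgf\main\injector@iexplore.exe qwzxkpwi.dll
Reg HKLM\SYSTEM\ControlSet001\Services\qwzxkplmvtrbnhgfdsaypoiuytrewqlkjhgf\main\injector@explorer.exe qwzxkpff.dll
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@DhcpNameServer 10.0.0.1
---- EOF - GMER 1.0.15 ----
"""

# "Reg <key>[@<valuename>] [<data>]"; keys containing spaces are not handled.
REG_LINE = re.compile(r"^Reg\s+(\S+?)(?:@(\S+))?(?:\s+(.*))?$")
SERVICE_KEY = re.compile(r"\\Services\\([^\\@]+)(.*)$", re.IGNORECASE)
CONTROL_SET = re.compile(r"\\(ControlSet\d+|CurrentControlSet)\\", re.IGNORECASE)


@dataclass
class ServiceRecord:
    name: str
    control_sets: set = field(default_factory=set)
    values: dict = field(default_factory=dict)     # "<subkey>@<value>" -> data
    injectors: dict = field(default_factory=dict)  # target process -> DLL name


@dataclass
class Finding:
    name: str
    reasons: list
    injectors: dict


def parse_gmer_registry(text):
    """Group GMER 'Reg' lines under HKLM\\SYSTEM\\...\\Services\\<name> by service."""
    services = {}
    for line in text.splitlines():
        m = REG_LINE.match(line.strip())
        if not m:
            continue
        key, value_name, data = m.group(1), m.group(2), m.group(3) or ""
        sk = SERVICE_KEY.search(key)
        if not sk:
            continue
        name, subkey = sk.group(1), sk.group(2)
        rec = services.setdefault(name.lower(), ServiceRecord(name))
        cs = CONTROL_SET.search(key)
        if cs:
            rec.control_sets.add(cs.group(1))
        if value_name is not None:
            rec.values[subkey.lower() + "@" + value_name.lower()] = data
            # Values under a subkey named "injector" pair a process with a DLL.
            if subkey.lower().endswith("\\injector"):
                rec.injectors[value_name.lower()] = data
    return services


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(name, min_len=16, min_entropy=3.5):
    """Heuristic (assumed thresholds): long, all-lowercase, high-entropy names
    are typical of generated service/driver names; real ones are short or mixed case."""
    return (len(name) >= min_len and name.isalpha() and name.islower()
            and shannon_entropy(name) >= min_entropy)


def triage(services):
    """Return one Finding per service that trips at least one heuristic."""
    findings = []
    for rec in services.values():
        reasons = []
        if looks_generated(rec.name):
            reasons.append("generated-looking service name")
        image = rec.values.get("@imagepath", "")
        stem = image.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\drivers\\" in image.lower() and looks_generated(stem):
            reasons.append("generated-looking driver file: " + image)
        if rec.injectors:
            reasons.append("per-process DLL injection entries: "
                           + ", ".join(sorted(rec.injectors)))
        if reasons:
            findings.append(Finding(rec.name, reasons, dict(rec.injectors)))
    findings.sort(key=lambda f: len(f.reasons), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(parse_gmer_registry(SAMPLE_GMER)):
        print(f.name)
        for r in f.reasons:
            print("  -", r)
```

Feed it a saved GMER log instead of SAMPLE_GMER to get a short list of service keys worth a closer look; everything it flags still needs a human to confirm against the full log.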
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-21 19:27:34
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT sptd.sys ZwCreateKey [0xB9EBE0D0]
SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xB9EC4340]
SSDT sptd.sys ZwOpenKey [0xB9EBE0B0]
SSDT sptd.sys ZwQueryKey [0xB9EC4418]
SSDT sptd.sys ZwQueryValueKey [0xB9EC4298]
SSDT sptd.sys ZwSetValueKey [0xB9EC44AA]
---- Kernel code sections - GMER 1.0.15 ----
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B8DB48AC 5 Bytes JMP 8AB596E0
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 0403A68D C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 0403A615 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 0403A711 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 0403A63D C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 0403A6B8 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 0403A662 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 0403A6E3 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[3352] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 0403A5ED C:\Program Files\Winamp\Plugins\gen_jumpex.dll
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EBEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EBEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EBEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EBF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EBF61E] sptd.sys
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8AD591E8
Device \FileSystem\Udfs \UdfsCdRom 8AB8B410
Device \FileSystem\Udfs \UdfsDisk 8AB8B410
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbohci \Device\USBPDO-0 8AB571E8
Device \Driver\usbohci \Device\USBPDO-1 8AB571E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8ADCA1E8
Device \Driver\dmio \Device\DmControl\DmConfig 8ADCA1E8
Device \Driver\dmio \Device\DmControl\DmPnP 8ADCA1E8
Device \Driver\dmio \Device\DmControl\DmInfo 8ADCA1E8
Device \Driver\usbohci \Device\USBPDO-2 8AB571E8
Device \Driver\usbohci \Device\USBPDO-3 8AB571E8
Device \Driver\usbohci \Device\USBPDO-4 8AB571E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C4E33733-79B1-408C-A9B5-239AFA3EF59B} 8951A1E8
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\prodrv06 \Device\ProDrv06 E2459938
Device \Driver\usbehci \Device\USBPDO-5 8AB171E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AD5B1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AD5B1E8
Device \Driver\Cdrom \Device\CdRom0 8AB091E8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8AD5B1E8
Device \Driver\Cdrom \Device\CdRom1 8AB091E8
Device \Driver\atapi \Device\Ide\IdePort0 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdePort1 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-1c sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdePort2 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdePort3 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-24 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\Ftdisk \Device\HarddiskVolume4 8AD5B1E8
Device \Driver\Cdrom \Device\CdRom2 8AB091E8
Device \Driver\Ftdisk \Device\HarddiskVolume5 8AD5B1E8
Device \Driver\prohlp02 \Device\ProHlp02 E1FD61F0
Device \Driver\NetBT \Device\NetBt_Wins_Export 8951A1E8
Device \Driver\NetBT \Device\NetbiosSmb 8951A1E8
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbohci \Device\USBFDO-0 8AB571E8
Device \Driver\usbohci \Device\USBFDO-1 8AB571E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8951C1E8
Device \Driver\usbohci \Device\USBFDO-2 8AB571E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8951C1E8
Device \Driver\usbohci \Device\USBFDO-3 8AB571E8
Device \Driver\usbohci \Device\USBFDO-4 8AB571E8
Device \Driver\Ftdisk \Device\FtControl 8AD5B1E8
Device \Driver\usbehci \Device\USBFDO-5 8AB171E8
Device \Driver\cdawdm \Device\Scsi\cdawdm1Port4Path0Target1Lun0 8AAD01E8
Device \Driver\cdawdm \Device\Scsi\cdawdm1Port4Path0Target1Lun0 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\cdawdm \Device\Scsi\cdawdm1 8AAD01E8
Device \Driver\cdawdm \Device\Scsi\cdawdm1 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \Driver\cdawdm \Device\Scsi\cdawdm1Port4Path0Target0Lun0 8AAD01E8
Device \Driver\cdawdm \Device\Scsi\cdawdm1Port4Path0Target0Lun0 sfsync04.sys (FrontLine Synchronization Driver/Protection Technology (StarForce))
Device \FileSystem\Cdfs \Cdfs 8A881790
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@imagepath \systemroot\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk@inst 0
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@ver sni060409
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@cid 01
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@bid 3838505566-725345543-764733703-1801674531
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@aid 998
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@sid 3
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@feed 0x22 0x64 0x78 0x36 ...
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@cmddelay 28801
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main@logoffset 3726
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\delete
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\ff
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{09C632F2-2F51-49E2-9A4C-E0173025E9BC}
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\ff@version 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\injector
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\injector@iexplore.exe ovfsthwi.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\injector@explorer.exe ovfsthff.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\main\tasks
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsth.sys \systemroot\system32\drivers\ovfsthdhberunpppqjtkrdqimylcfyhtpkcbfa.sys
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsth.dll \systemroot\system32\ovfsthoexqsdnrniyyxyfkkjygtwtjlfjkdsxc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsthlog.dat \systemroot\system32\ovfsthokvbxvihlxhdejojsrmrqwyvkxxljxwb.dat
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsthwi.dll \systemroot\system32\ovfsthqbtipejuamkumlrsdnvkffqtmddqhudu.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsthff.dll \systemroot\system32\ovfsthvhptehqbgkpdtfpphqkwyrvrdrccrukd.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthlmlguyabrrvkaasfkfdotunmoelxmllk\modules@ovfsth.dat \systemroot\system32\ovfstheuposgxodxgbmcnmkjawoinysysxtrpg.dat
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA5 0x02 0x67 0x67 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA5 0x02 0x67 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA5 0x02 0x67 0x67 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA5 0x02 0x67 0x67 ...
---- EOF - GMER 1.0.15 ----
-------------------------------------------------------
"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Steam" = ""d:\games\steam\steam.exe" -silent" ["Valve Corporation"]
"Executor" = ""C:\Program Files\Executor\executor.exe" -s" ["Martin Bresson"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = "C:\Program Files\Google\Gmail Notifier\gnotify.exe" ["Google Inc."]
"amd_dc_opt" = "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" ["AMD"]
"AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {HKLM...CLSID} = "Microsoft.AntiSpyware.ShellExecuteHook.1"
\InProcServer32\(Default) = "D:\Program Files\MS Antispyware\shellextension.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> avgrsstarter\DLLName = "avgrsstx.dll" ["AVG Technologies CZ, s.r.o."]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
MakeFile Class\(Default) = "{D8504558-278D-4A93-BCBC-75B142CAA3B3}"
-> {HKLM...CLSID} = "MakeFile Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\vdshell.dll" ["FarStone Technology Inc."]
SciTE\(Default) = "{120B94B5-2E6A-4F13-94D0-414BCB64FA0F}"
-> {HKLM...CLSID} = "SciTE"
\InProcServer32\(Default) = "C:\Program Files\Scintilla Text Editor\wscitecm.dll" ["Burgaud.com"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
FolderShell Class\(Default) = "{24C0824F-BC16-41DB-9845-DE545941C3B0}"
-> {HKLM...CLSID} = "FolderShell Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\vdshell.dll" ["FarStone Technology Inc."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Default executables:
--------------------
<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\DOCUME~1\Steve\LOCALS~1\Temp\AutoWall.bmp"
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Computer, Inc."]
iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Computer, Inc."]
iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Computer, Inc."]
iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Computer, Inc."]
PDVDPlayDVDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\PowerDVD\PowerDVD.exe" "%L"" ["CyberLink Corp."]
RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]
RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
-> {HKLM...CLSID} = "RealNetworks Scheduler"
\LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]
RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]
RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]
RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]
VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "D:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]
VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "D:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]
WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]
WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]
Startup items in "Steve" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\Steve\Start Menu\Programs\Startup
"AWC" -> shortcut to: "G:\AWC (Auto Wallpaper Changer)\AWC.exe" ["Steve Murphy"]
"ImpulseNow" -> shortcut to: "C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe" ["Stardock Corporation"]
"Mozilla Sunbird" -> shortcut to: "C:\Program Files\Mozilla Sunbird\sunbird.exe" ["Mozilla"]
"Shortcut to Ut3 Map TO DOs" -> shortcut to: "C:\Documents and Settings\Steve\Desktop\TO DO.txt" [null data]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]
"Spybot - Search & Destroy" -> shortcut to: "C:\Program Files\Spybot\SpybotSD.exe" ["Safer Networking Limited"]
Enabled Scheduled Tasks:
------------------------
"cleanup-test" -> launches: "D:\Data\cleanup.bat" [null data]
"cleanup" -> launches: "D:\Data\cleanup.bat" [null data]
"DataOnly" -> launches: "C:\WINDOWS\system32\ntbackup.exe backup "@C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\DataOnly.bks" /n "DataBackup.bkf created 8/7/2005 at 10:27 AM" /d "Set created 8/7/2005 at 10:27 AM" /v:yes /r:no /rs:no /hc:off /m normal /j "DataOnly" /l:s /f "F:\Backup of Data\DataBackup.bkf"" [MS]
"WGASetup" -> launches: "C:\WINDOWS\system32\KB905474\wgasetup.exe /autoauto" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG Free8 E-mail Scanner, avg8emc, "C:\PROGRA~1\AVG\AVG8\avgemc.exe" ["AVG Technologies CZ, s.r.o."]
AVG Free8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]
Net Driver HPZ12, Net Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZinw12.dll" ["Hewlett-Packard"]}
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZipm12.dll" ["Hewlett-Packard"]}
SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\System32\UAService7.exe" ["Sony DADC Austria AG."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
PCL hpz3l5jy\Driver = "hpz3l5jy.dll" ["Hewlett-Packard Company"]
---------- (launch time: 2009-06-21 19:29:43)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 49 seconds, including 18 seconds for message boxes)
===================================
Here you go.
Steve
Hello sbolton.
I was on a vacation this week but I guided your case to a friend who should have helped you when I was gone.
Now I don't know what happened, but it seems that you've been forgotten. I'm terribly sorry for this.
If you still require help - please reply to this topic.
Hello,
I was out of town for a few days so couldn't have done anything with it anyway. The only thing that seems bad is the redirected links. I read about the issue on slashdot and think that's what's going on with my computer.
http://it.slashdot.org/story/09/06/30/2237256/New-Click-Fraud-Attack-Is-Stealthiest-Yet
Do you know what is the best way to clean this up?
Thanks
Steve
Hiya :)
Do the redirects only happen with the Firefox browser?
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1 (http://jpshortstuff.247fixes.com/GooredFix.exe)
Download Mirror #2 (http://downloads.securitycadets.com/GooredFix.exe)
Ensure all Firefox windows are closed.
To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
When prompted to run the scan, click Yes.
GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Also please post a fresh HijackThis log too.
This topic is closed due to lack of a response :spider:
If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread.
Applies only to the original topic starter.