Winavx trojan - no control panel

**fatboysim** · 2007-10-01, 19:34

I've been infected by a winavx trojan over the last 24 hours and I can't seem to get rid of it. I'm running Zone Alarm security suite and Registry Mechanic but won't shift it. Its restricting access to control panel and giving me spyware popups.

Please can anybody help?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:24:24, on 01/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\SLEE503.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKUS\S-1-5-19\..\Run: [SSS6_Suite] "C:\Program Files\Steganos Security Suite 6\sss.exe" /booting (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [SSS6_SAFE] "C:\Program Files\Steganos Security Suite 6\safe.exe" /booting (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [SSS6_SPM] "C:\Program Files\Steganos Security Suite 6\spm.exe" /booting (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [SSS6_Suite] "C:\Program Files\Steganos Security Suite 6\sss.exe" /booting (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Ashampoo Magical Defrag.lnk = C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - blank (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1163974081968
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Steganos Live Encryption Engine (Version 503) [Service] (SLEE_503_SERVICE) - Unknown owner - C:\WINDOWS\system32\SLEE503.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6869 bytes

**steamwiz** · 2007-10-01, 22:42

Hi

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!

* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

THEN ...

Please download Combofix: http://download.bleepingcomputer.com...a/ComboFix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Please remember to post :-

1. SUPERAntiSpyware Scan Log
2. C:\ComboFix.txt
3. a new hijackthis log.( run after everything else)

steam

**fatboysim** · 2007-10-02, 23:08

Thanks Steam. Here are the logs!

ComboFix 07-10-02.2 - Simo 2 2007-10-02 22:05:21.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.56 [GMT 1:00]
.
/wow section not completed

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\andrew 1\Desktop\internet.lnk
C:\Documents and Settings\Andrew\Desktop\internet.lnk
C:\Documents and Settings\Caroline\Desktop\internet.lnk
C:\Documents and Settings\Simo 2\Desktop\internet.lnk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\nm

((((((((((((((((((((((((( Files Created from 2007-09-02 to 2007-10-02 )))))))))))))))))))))))))))))))
.

2007-10-02 22:01 <DIR> d-------- C:\WINDOWS\LastGood
2007-10-02 21:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-02 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-02 19:13 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-02 19:13 <DIR> d-------- C:\Documents and Settings\Simo 2\Application Data\SUPERAntiSpyware.com
2007-10-02 19:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-01 18:23 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-01 00:53 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-10-01 00:53 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-10-01 00:53 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-10-01 00:53 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-10-01 00:52 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2007-10-01 00:52 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-10-01 00:52 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-10-01 00:52 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-10-01 00:51 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2007-10-01 00:51 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-10-01 00:30 98,304 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.dll
2007-10-01 00:30 6,016 --a--c--- C:\WINDOWS\system32\dllcache\msfsio.sys
2007-10-01 00:30 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
2007-10-01 00:30 22,016 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
2007-10-01 00:30 2,944 --a--c--- C:\WINDOWS\system32\dllcache\msmpu401.sys
2007-10-01 00:30 17,280 --a--c--- C:\WINDOWS\system32\dllcache\mraid35x.sys
2007-10-01 00:30 15,360 --a--c--- C:\WINDOWS\system32\dllcache\mpe.sys
2007-10-01 00:29 8,320 --a--c--- C:\WINDOWS\system32\dllcache\memcard.sys
2007-10-01 00:29 7,424 --a--c--- C:\WINDOWS\system32\dllcache\mammoth.sys
2007-10-01 00:29 6,528 --a--c--- C:\WINDOWS\system32\dllcache\miniqic.sys
2007-10-01 00:29 47,616 --a--c--- C:\WINDOWS\system32\dllcache\memgrp.dll
2007-10-01 00:29 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2007-10-01 00:29 26,112 --a--c--- C:\WINDOWS\system32\dllcache\memstpci.sys
2007-10-01 00:29 235,648 --a--c--- C:\WINDOWS\system32\dllcache\mgaud.dll
2007-10-01 00:29 164,586 --a--c--- C:\WINDOWS\system32\dllcache\mdgndis5.sys
2007-10-01 00:27 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2007-10-01 00:27 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2007-10-01 00:27 70,656 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.dll
2007-10-01 00:27 45,568 --a--c--- C:\WINDOWS\system32\dllcache\kdsui.dll
2007-10-01 00:27 37,376 --a--c--- C:\WINDOWS\system32\dllcache\kousd.dll
2007-10-01 00:27 26,442 --a--c--- C:\WINDOWS\system32\dllcache\lanepic5.sys
2007-10-01 00:27 242,176 --a--c--- C:\WINDOWS\system32\dllcache\kdsusd.dll
2007-10-01 00:27 19,016 --a--c--- C:\WINDOWS\system32\dllcache\ktc111.sys
2007-10-01 00:27 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2007-10-01 00:11 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-10-01 00:11 2,135,552 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2007-09-24 20:34 <DIR> d-------- C:\Program Files\iTunes
2007-09-14 20:00 <DIR> d-------- C:\Documents and Settings\Simo 2\Application Data\PC Tools
2007-09-13 18:19 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2007-09-13 18:19 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-09-13 18:19 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys
2007-09-13 18:19 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-09-13 18:17 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-09-13 18:17 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-09-13 18:17 51,328 --a--c--- C:\WINDOWS\system32\dllcache\msdv.sys
2007-09-13 18:17 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-09-13 18:16 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys
2007-09-13 18:16 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
2007-09-13 18:16 38,912 --a--c--- C:\WINDOWS\system32\dllcache\avc.sys
2007-09-13 18:16 38,912 --a------ C:\WINDOWS\system32\drivers\avc.sys
2007-09-02 13:39 <DIR> d-------- C:\Documents and Settings\Simo 2\Application Data\InterVideo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-02 22:06 4662816 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-02 21:56 63308 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-01 18:09 --------- d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-30 22:48 --------- d-------- C:\Program Files\Spyware Doctor
2007-09-24 20:34 --------- d-------- C:\Program Files\iPod
2007-09-24 20:17 --------- d-------- C:\Program Files\Apple Software Update
2007-09-21 20:30 --------- d-------- C:\Documents and Settings\Andrew\Application Data\Roxio
2007-09-06 16:14 75248 --a------ C:\WINDOWS\zllsputility.exe
2007-09-06 16:14 1086952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-08-14 17:02 82248 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-08-14 17:02 57672 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-08-14 17:02 40264 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-08-14 17:02 29000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-08-12 18:27 --------- d-------- C:\Documents and Settings\Simo 2\Application Data\Roxio
2007-08-12 17:25 --------- d-------- C:\Documents and Settings\andrew 1\Application Data\MailFrontier
2007-08-10 11:53 --------- d-------- C:\Program Files\QuickTime
2007-08-10 10:07 --------- d-------- C:\Documents and Settings\Simo 2\Application Data\Apple Computer
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-11-08 09:36]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 14:17]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-03-19 11:37]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-03-19 11:33]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-23 21:12]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 14:43]
"RegistryMechanic"="" []
"TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [2007-03-14 16:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 10:00]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"SSS6_Suite"="C:\Program Files\Steganos Security Suite 6\sss.exe" /booting
"SSS6_SAFE"="C:\Program Files\Steganos Security Suite 6\safe.exe" /booting
"SSS6_SPM"="C:\Program Files\Steganos Security Suite 6\spm.exe" /booting

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Ashampoo Magical Defrag.lnk - C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe [2006-06-16 17:44:05]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-08-17 20:33:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Ashampoo Magical Defrag.lnk - C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe [2006-06-16 17:44:05]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-08-17 20:33:25]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
R2 SLEE_503_DRIVER;Steganos Live Encryption Engine (Version 503) [Driver];\??\C:\WINDOWS\system32\drivers\SLEE503.sys
R2 STEC3;STEC3;\??\C:\WINDOWS\system32\STEC3.sys
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys
R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys
S3 AEILAB;AEI USB To Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AEILAB.SYS
S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ssm_bus.sys
S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys
S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-25 22:19:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-30 23:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-06-06 23:54:37 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-09-21 09:00:00 C:\WINDOWS\Tasks\At11.job"
"2007-09-30 10:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-09-30 11:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-09-16 12:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-09-30 13:00:01 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-09-30 14:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-09-21 15:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-09-02 16:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-09-30 17:00:01 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-10-01 00:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-10-02 18:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-10-02 19:00:01 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-10-02 20:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-10-02 21:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-09-23 22:00:01 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-09-30 23:00:00 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-10-01 00:00:00 C:\WINDOWS\Tasks\At26.job"
"2007-10-01 01:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-08-06 02:00:00 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-06-18 00:57:08 C:\WINDOWS\Tasks\At29.job"
"2007-10-01 01:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-06-18 00:57:08 C:\WINDOWS\Tasks\At30.job"
"2007-06-18 00:57:08 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-06-18 00:57:08 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-07-12 07:00:49 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-06-18 00:57:08 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-09-21 09:00:00 C:\WINDOWS\Tasks\At35.job"
"2007-09-30 10:00:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-09-30 11:00:00 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-09-16 12:00:00 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-09-30 13:00:01 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-08-06 02:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-09-30 14:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-09-21 15:00:00 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-09-02 16:00:00 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-09-30 17:00:01 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-10-02 18:00:01 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-10-02 19:00:01 C:\WINDOWS\Tasks\At45.job"
"2007-10-02 20:00:00 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-10-02 21:00:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\WnapAki4.exe
"2007-09-23 22:00:01 C:\WINDOWS\Tasks\At48.job"
"2007-06-06 23:54:36 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-06-06 23:54:37 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-06-06 23:54:37 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-06-06 23:54:37 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\6na860jN.exe
"2007-07-12 07:00:49 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\6na860jN.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-02 22:05:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\SET93.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-10-02 22:08:40 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-02 22:08
.
--- E O F ---
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/02/2007 at 09:33 PM

Application Version : 3.9.1008

Core Rules Database Version : 3317
Trace Rules Database Version: 1318

Scan type : Complete Scan
Total Scan Time : 02:11:42

Memory items scanned : 389
Memory threats detected : 1
Registry items scanned : 5583
Registry threats detected : 6
File items scanned : 70538
File threats detected : 56

Trojan.Net-AVP/AVT
C:\WINDOWS\SYSTEM32\PRINTER.EXE
C:\WINDOWS\SYSTEM32\PRINTER.EXE
[WinAVX] C:\WINDOWS\SYSTEM32\WINAVXX.EXE
C:\WINDOWS\SYSTEM32\WINAVXX.EXE
[WinAVX] C:\WINDOWS\SYSTEM32\WINAVXX.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#WinAVX [ C:\WINDOWS\system32\WinAvXX.exe ]
HKU\S-1-5-21-2940447137-3612692752-1319273744-1011\Software\Microsoft\Windows\CurrentVersion\Run#WinAVX [ C:\WINDOWS\system32\WinAvXX.exe ]
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\AUTORUN.EXE
C:\DOCUMENTS AND SETTINGS\SIMO 2\START MENU\PROGRAMS\STARTUP\SYSTEM.EXE
C:\WINDOWS\Prefetch\AUTORUN.EXE-3088AD1E.pf
C:\WINDOWS\Prefetch\PRINTER.EXE-0E099EB1.pf
C:\WINDOWS\Prefetch\SYSTEM.EXE-0B69EAB8.pf
C:\WINDOWS\Prefetch\WINAVXX.EXE-050EF48B.pf

**fatboysim** · 2007-10-02, 23:10

Adware.Tracking Cookie
C:\Documents and Settings\Simo 2\Cookies\simo 2@mediaplex[1].txt
C:\Documents and Settings\Simo 2\Cookies\simo 2@msnportal.112.2o7[1].txt
C:\Documents and Settings\Simo 2\Cookies\simo 2@statse.webtrendslive[1].txt
C:\Documents and Settings\Simo 2\Cookies\simo 2@atdmt[2].txt
C:\Documents and Settings\Simo 2\Cookies\simo 2@questionmarket[2].txt
C:\Documents and Settings\Simo 2\Cookies\simo 2@a[1].txt
C:\Documents and Settings\Simo 2\Cookies\simo 2@media.adrevolver[2].txt
C:\Documents and Settings\Simo 2\Cookies\simo 2@doubleclick[1].txt
C:\Documents and Settings\Simo 2\Cookies\simo 2@adrevolver[3].txt
C:\Documents and Settings\Simo 2\Cookies\simo 2@tradedoubler[1].txt
C:\Documents and Settings\Simo 2\Cookies\simo 2@adrevolver[2].txt
C:\Documents and Settings\Caroline\Cookies\caroline@2o7[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@acvs.mediaonenetwork[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@adopt.euroclick[2].txt
C:\Documents and Settings\Caroline\Cookies\caroline@adrevolver[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@adrevolver[3].txt
C:\Documents and Settings\Caroline\Cookies\caroline@ads.expedia[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@ads.pointroll[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@adtech[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@advertising[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@atdmt[2].txt
C:\Documents and Settings\Caroline\Cookies\caroline@bannersng.yell[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@bs.serving-sys[2].txt
C:\Documents and Settings\Caroline\Cookies\caroline@clickshift[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@counter2.hitslink[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@doubleclick[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@e-2dj6wflickcpgcq.stats.esomniture[2].txt
C:\Documents and Settings\Caroline\Cookies\caroline@e-2dj6wfloshd5sbo.stats.esomniture[2].txt
C:\Documents and Settings\Caroline\Cookies\caroline@e-2dj6wgkiohcpmgo.stats.esomniture[2].txt
C:\Documents and Settings\Caroline\Cookies\caroline@e-2dj6wglighdpalq.stats.esomniture[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@e-2dj6wgmyeoc5eao.stats.esomniture[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@e-2dj6wjmykjc5ido.stats.esomniture[2].txt
C:\Documents and Settings\Caroline\Cookies\caroline@media.hotels[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@media.sensis.com[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@mediaonenetwork[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@mediaplex[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@msnportal.112.2o7[2].txt
C:\Documents and Settings\Caroline\Cookies\caroline@questionmarket[2].txt
C:\Documents and Settings\Caroline\Cookies\caroline@revsci[2].txt
C:\Documents and Settings\Caroline\Cookies\caroline@roiservice[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@saletrack.co[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@server.lon.liveperson[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@serving-sys[2].txt
C:\Documents and Settings\Caroline\Cookies\caroline@tacoda[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@tradedoubler[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@webtracking.touchclarity[1].txt
C:\Documents and Settings\Caroline\Cookies\caroline@www.etracker[2].txt

Malware.SpyLocked
HKCR\videoaccessactivex.Chl
HKCR\videoaccessactivex.Chl\CLSID

Trojan.Downloader-Gen/NoMultiTask
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EADAA009-1607-4BC5-9F86-0410EF133D2D}\RP131\A0085462.DLL

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:19:15, on 02/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\SLEE503.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\Windows-KB890830-V1.22.exe
c:\cd57ef14a4aea060e89c75a5c48b\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [SSS6_Suite] "C:\Program Files\Steganos Security Suite 6\sss.exe" /booting (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [SSS6_SAFE] "C:\Program Files\Steganos Security Suite 6\safe.exe" /booting (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [SSS6_SPM] "C:\Program Files\Steganos Security Suite 6\spm.exe" /booting (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [SSS6_Suite] "C:\Program Files\Steganos Security Suite 6\sss.exe" /booting (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Ashampoo Magical Defrag.lnk = C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - blank (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1163974081968
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Steganos Live Encryption Engine (Version 503) [Service] (SLEE_503_SERVICE) - Unknown owner - C:\WINDOWS\system32\SLEE503.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6650 bytes

**steamwiz** · 2007-10-03, 00:17

Hi

I expected to see more files removed by Superantispyware & Combofix .... the other programs you ran must have removed them...

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)

Code:

File::
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\system32\6na860jN.exe
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\system32\WnapAki4.exe
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

is your problem resolved ?

steam

**tashi** · 2007-10-09, 23:57

Due to lack of a response to your helper, this topic has been archived.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.

Thread: Winavx trojan - no control panel

Thread Tools

Display

Winavx trojan - no control panel

thanks

thanks 2

Posting Permissions