Bagle rootkit

Gingerheid

New member
Hello

I have acquired the Bagle rootkit of some variety on my other computer.

I'm afraid I'm going to have to start by admitting that despite knowing nothing about computers I've been messing around with trying to get rid of it - sorry! I've never had a problem this bad before so I've never ended up on one of these forums!

I am in a shared house and can only connect to the net by wireless, which is one of the services it has removed, so I'm afraid I'm limited in what I can get onto the computer.

I have managed to install AVG 8 on the computer (albeit I can't update it), but nothing else worked. I previously had 7.5 with AVG Anti-Spyware and Anti-Rootkit (which all got nobbled). I haven't been able to install any of the Vista anti-rootkit things I can find. Spyware Doctor installed, but I can't get an update for it, so it can't do anything.

Should it help in identifying the variety of Bagle, the registry entry it has gifted me is HKEY_CURRENT_USER\Software\FirstRRRun, first12ru123n, [reg_dword, value: 00000001], and AVG is picking up srosa.sys from time to time.

I have GOT HijackThis to run on the computer by renaming it and burning it on a CD; log below.

I renamed ComboFix and ran it from the CD; I got a window with a progress bar which goes to the top, but no log file is created. Explorer crashes if I try to navigate a hard drive in it.

Would be very grateful for any help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:49:55, on 28/06/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\brsvc01a.exe
C:\Windows\system32\brss01a.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Windows\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\WerFault.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\ehome\ehtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
E:\HiJacdkThis.exe
C:\Windows\system32\wbem\wmiprvse.exe
\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=8&key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: WIKI.DLL,avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: AGL - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\AGL.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\Windows\system32\brsvc01a.exe
O23 - Service: Google Update Service (gupdate1c8d27662817f9e) (gupdate1c8d27662817f9e) - Google Inc. - C:\Program Files\Google\Update\1.0.103.0\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KGKBMQ - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\KGKBMQ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: UVKPAI - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\UVKPAI.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 8960 bytes
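The log above is the kind of thing a helper reads by eye, but the checks are mechanical: the O23 lines that claim a well-known vendor yet run from a user's Temp directory, the O23 entries whose binary is missing, and every DLL listed under O20 AppInit_DLLs. The script below is an added example written for this page; it is not part of the thread, of HijackThis, or of any tool mentioned here. The sample lines are constructed from the posted log, and the `TEMP_MARKERS` and `TRUSTED_ROOTS` lists are my own assumptions about where a legitimately installed service should and should not live.

```python
"""Triage HijackThis O20/O23 lines for persistence indicators (added example)."""
from dataclasses import dataclass

# Constructed sample, shaped like the O-lines in the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: WIKI.DLL,avgrsstx.dll
O23 - Service: AGL - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\AGL.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: KGKBMQ - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\KGKBMQ.exe
O23 - Service: UVKPAI - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\UVKPAI.exe
"""

# Assumption: a properly installed Windows service should never run from these.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Assumption: the roots a service vendor would normally install under.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O23"
    subject: str   # service display name or DLL name
    reason: str


def parse_o23(line):
    """Split 'O23 - Service: <name> - <vendor text> - <path>' into its parts.

    The vendor text may itself contain ' - ' (e.g. 'Sysinternals - www.sysinternals.com'),
    so the path is taken as the last field and everything between is the vendor."""
    parts = line.split(" - ")
    if len(parts) < 4 or not parts[1].startswith("Service: "):
        return None
    name = parts[1][len("Service: "):]
    vendor = " - ".join(parts[2:-1])
    path = parts[-1]
    return name, vendor, path


def triage(log_text):
    """Return a list of Findings for the O20 and O23 lines of a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O23 - "):
            parsed = parse_o23(line)
            if parsed is None:
                continue
            name, vendor, path = parsed
            lowered = path.lower()
            if any(marker in lowered for marker in TEMP_MARKERS):
                findings.append(Finding("O23", name,
                    f"service binary runs from a temp directory ({vendor}): {path}"))
            elif not lowered.startswith(TRUSTED_ROOTS):
                findings.append(Finding("O23", name,
                    f"service binary outside Windows/Program Files: {path}"))
            if path.endswith("(file missing)"):
                findings.append(Finding("O23", name,
                    "service entry points at a missing binary (uninstalled or deleted)"))
        elif line.startswith("O20 - AppInit_DLLs:"):
            dll_list = line.split(":", 1)[1]
            for dll in (d.strip() for d in dll_list.split(",")):
                if dll:
                    findings.append(Finding("O20", dll,
                        "AppInit_DLLs entry is loaded into every process that links "
                        "user32.dll; confirm the publisher"))
    return findings


def summarize(findings):
    """Count findings per HijackThis section code."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.subject}: {f.reason}")
    print(summarize(results))
```

Run it as-is to see the six findings from the constructed sample; to use it on a real log, read the file and pass its text to `triage()`. The vendor string is deliberately not trusted on its own, because HijackThis simply reports whatever the service's description says.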
 
Hi

  • Download Bagle Remover to your desktop.
  • Doubleclick Beagled.exe and follow the prompts.
  • When finished, it shall produce a log (C:\Bagled.txt). Post that log to your reply along with a fresh HijackThis log, please.
 
Hi

Let's try this then:

Please download gmer.zip from Gmer and save it to your desktop.

  1. Right click on gmer.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.
  6. Double click on gmer.exe to run it.
  7. Select the Rootkit tab.
  8. On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  9. Select all drives that are connected to your system to be scanned.
  10. Click on the Scan button.
  11. When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  12. Open Notepad or a similar text editor.
  13. Paste the clipboard contents into the text editor.
  14. Save the Gmer scan log and post it in your next reply.
  15. Close Gmer.
  16. Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
  17. In Command Prompt, type in net stop gmer. Press Enter.
  18. Type in exit to close Command Prompt.

Note: Do not run any programs while Gmer is running.
 
Thanks again...

I've got the feeling I'm starting to be a bit of a pain...

Four error messages:

CreateFile c:\windows\gmer.dll The system cannot find the file specified

CreateFile c:\windows\system32.\drivers\gmer.sys. The system cannot find the file specified

Loaded GMER's driver version is incompatible with the currently running gmer application. You need to stop the driver with the net stop gmer command.

net stop gmer produces the message:

System error 1060 has occurred.
The specified service does not exist as an installed service.

I tried from a CD and extracting the file to the desktop with a different name, same result :(

One thing I have done is buy a second hard disk today, which I'm hoping to install something on in order to copy my data files across. (It's been suggested to me that at least in order to get the data it would be safer to use Linux rather than a fresh Windows install). W

Obviously I would much rather salvage a lot more than this, but might this realistically be the best likely outcome? If so, what would be best to use to copy the data? And what sort of things (if any) could I safely copy across?
 
Hi

You can back up files like pictures and documents.

We can try other issues, but the problem here is your OS :/

Bagle_remover works fine in XP.

Let me know if you want to continue cleaning.
 
Hi

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.

If no go, rename dss.exe to Gingerheid.exe and try again, please :)
 
Thanks!

Something finally ran :)

Trying to get it on the HDD crashed the computer, so I ran it from the CD - hope that's OK.

Something I noticed immediately after my last post when I used Linux to try and get some photos off a memory card for my camera was that there was an autorun.inf pointing to a NIDEIECT.COM. I daresay that's part of what's up to no good?

Deckard's System Scanner v20071014.68
Run by Barry on 2008-07-01 18:47:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Barry.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:48:06, on 01/07/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\brsvc01a.exe
C:\Windows\system32\brss01a.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Windows\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\WerFault.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\ehome\ehsched.exe
F:\shaba_is_fantastic.exe
C:\Windows\system32\DllHost.exe
C:\Users\Barry\Desktop\Barry.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=8&key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: WIKI.DLL,avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: AGL - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\AGL.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\Windows\system32\brsvc01a.exe
O23 - Service: Google Update Service (gupdate1c8d27662817f9e) (gupdate1c8d27662817f9e) - Google Inc. - C:\Program Files\Google\Update\1.0.103.0\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KGKBMQ - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\KGKBMQ.exe
O23 - Service: RLO - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\RLO.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: UVKPAI - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\UVKPAI.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 9133 bytes

-- Files created between 2008-06-01 and 2008-07-01 -----------------------------

2008-06-28 00:55:27 0 d-------- C:\Program Files\RootKit Hook Analyzer
2008-06-27 21:55:32 0 d-------- C:\327882R2FWJFW
2008-06-26 01:41:02 0 d-------- C:\Users\All Users\WindowsSearch
2008-06-26 00:34:01 0 d-------- C:\inetpub
2008-06-25 18:14:26 0 d-------- C:\Belkin
2008-06-25 17:37:33 122880 --a------ C:\f-bagle.exe <Not Verified; F-Secure Corporation; F-Secure Corp. F-Bagle>
2008-06-24 22:00:46 0 d--h----- C:\$AVG8.VAULT$
2008-06-24 19:13:56 0 d-------- C:\!KillBox
2008-06-24 19:02:48 0 d-a------ C:\Users\All Users\TEMP
2008-06-24 19:02:41 0 d-------- C:\Program Files\Spyware Doctor
2008-06-24 19:02:16 0 d-------- C:\Windows\system32\drivers\Avg
2008-06-24 19:02:12 0 d-------- C:\Users\All Users\avg8
2008-06-24 19:02:12 0 d-------- C:\Program Files\AVG
2008-06-20 00:30:22 0 d-------- C:\Program Files\Daniusoft
2008-06-03 03:12:56 47936 --a------ C:\Windows\system32\wgrs.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 111376 --a------ C:\Windows\system32\expat.dll
2008-06-03 03:12:56 416000 --a------ C:\Windows\system32\agsnet.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 43824 --a------ C:\Windows\system32\agprtcl.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 50880 --a------ C:\Windows\system32\agproxy.dll <Not Verified; iAnywhere Solutions, Inc.; AGAutoProxy Module>
2008-06-03 03:12:56 34592 --a------ C:\Windows\system32\agnet.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 40352 --a------ C:\Windows\system32\agcrypto.dll
2008-06-03 03:12:56 42368 --a------ C:\Windows\system32\agconnct.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 25152 --a------ C:\Windows\system32\agcncmn.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 66064 --a------ C:\Windows\system32\agcmn.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 146816 --a------ C:\Windows\system32\agclcmn.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 34464 --a------ C:\Windows\system32\agcehdlr.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo>
2008-06-02 17:07:38 0 d-------- C:\Swe
2008-06-02 16:57:34 599 --a------ C:\Windows\_MSSETUP.BAT
2008-06-02 16:57:33 14103 --a------ C:\Windows\_MSRSTRT.EXE
2008-06-02 16:55:51 0 d-------- C:\SWE-INST


-- Find3M Report ---------------------------------------------------------------

2008-07-01 18:42:45 731136 --a------ C:\avenger.exe
2008-06-30 20:59:17 3261 --a------ C:\Windows\bthservsdp.dat
2008-06-25 17:56:46 0 d-------- C:\Program Files\NoteWorthy Composer
2008-06-22 22:51:37 0 d-------- C:\Users\Barry\AppData\Roaming\dvdcss
2008-06-20 02:39:07 0 d-------- C:\Program Files\Google
2008-06-15 21:52:03 0 d-------- C:\Program Files\Windows Mail
2008-06-03 03:13:00 0 d-------- C:\Program Files\AvantGo
2008-06-03 03:12:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-24 23:02:28 0 d-------- C:\Users\Barry\AppData\Roaming\Mozilla
2008-05-02 21:03:48 0 d-------- C:\Program Files\MagicDVDRipper
2008-04-14 00:36:49 302 --a------ C:\Users\Barry\AppData\Roaming\electrem.cfg
2008-04-10 01:04:38 174 --ahs---- C:\Program Files\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
24/06/2008 21:55 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe" [08/08/2007 18:31]
"AcronisTimounterMonitor"="C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe" [18/02/2005 08:10]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [11/07/2006 18:12]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [20/07/2006 07:55]
"MaxBlastMonitor.exe"="C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe" [08/08/2007 18:26]
"RtHDVCpl"="RtHDVCpl.exe" [09/11/2006 11:57 C:\Windows\RtHDVCpl.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 05:25]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [08/03/2007 15:00]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [19/07/2006 15:51]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [14/10/2003 11:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [14/04/2004 15:46]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [14/04/2004 16:04]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [24/06/2008 19:02]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [10/06/2008 21:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [19/01/2008 08:33]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe [3/21/2008 3:26:50 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInternetIcon"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=WIKI.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr
iissvcs w3svc was
apphost apphostsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf27dec0-c6f0-11dc-889d-806e6f6e6963}]
AutoRun\command- F:\setup.exe

*Newly Created Service* - AEGISP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-01 18:48:42 ------------
 
Ehm... where to start?

When I first booted the computer it restarted straight away, but was ok the second time.

I copied gmer from the cd onto the desktop, but tried to run it off the cd drive first. It came up but disappeared again before the buttons were enabled.

Did net stop gmer in case it was still going in the background and tried again - lasted a bit longer but still disappeared.

Did net stop gmer again, then also stopped hdlrrr.exe in task manager.

This time I managed to get as far as a few moments into the scan, but then disappeared again.

Of all weird weirdnesses, the cd then started showing in that drive as blank. I put it into the other drive and tried again.

Sometimes it gets as far as loading services, and gives an error message which only flashes up very quickly before gmer disappears again. I've run it a million times to try to time it just right to get a screen grab of the message before it disappears.

The dialogue says warning - GMER has found system modification, which might have been caused by ROOTKIT activity. Dou [sic!] you want to fully scan your system?

The table in the background has, in red,
Process - hidden process (*** hidden***) 2644
Service E\??\C:\windows\system32\drivers\srosa.sys (*** hidden***) (System) (srosa)

I noticed that avg seems to have been deleted from my computer again, it's not starting up when I boot the computer any more.

As this seems to represent a change since the last renamed hijack this / renamed dss, I tried to run them again. Neither work any more either.

:(

Any help much appreciated !
 
I'm desperate to give you something to go on, so kept on trying, and managed to get a dss report to run, in safe mode. Safe mode keeps crashing randomly, so I just kept going until it happened to stay upright long enough to say something...

Still no extra.txt file that I can see though.

Deckard's System Scanner v20071014.68
Run by Barry on 2008-07-02 00:29:17
Computer is in Safe Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Barry.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:18 AM, on 7/2/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Safe mode

Running processes:
C:\Windows\system32\cmd.exe
C:\Windows\explorer.exe
C:\Windows\helppane.exe
C:\Windows\notepad.exe
E:\shaba_is_fantastic.exe
C:\Users\Barry\Desktop\Barry.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: WIKI.DLL,avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: AGL - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\AGL.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\Windows\system32\brsvc01a.exe
O23 - Service: Google Update Service (gupdate1c8d27662817f9e) (gupdate1c8d27662817f9e) - Google Inc. - C:\Program Files\Google\Update\1.0.103.0\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KGKBMQ - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\KGKBMQ.exe
O23 - Service: RLO - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\RLO.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: UVKPAI - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\UVKPAI.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 6316 bytes

-- Files created between 2008-06-02 and 2008-07-02 -----------------------------

2008-07-02 00:27:34 96 d-------- \Deckard
2008-07-02 00:03:50 300544 --a------ \something_different.dll <SOME#CWO.DLL>
2008-07-01 22:44:03 811008 --a------ \something_different.exe <SOME##R@.EXE>
2008-07-01 18:45:50 686630 --a------ \dss.exe
2008-07-01 18:45:44 686630 --a------ \shaba_is_fantastic.exe <SHAB#SBK.EXE>
2008-06-28 00:55:27 0 d-------- C:\Program Files\RootKit Hook Analyzer
2008-06-27 22:51:09 90432 --a------ C:\Windows\system32\drivers\srosa.sys
2008-06-27 22:50:55 700416 -----n--- C:\Windows\system32\drivers\hldrrr.exe
2008-06-27 22:50:27 700416 --a------ C:\Windows\system32\drivers\mdelk.exe
2008-06-27 22:50:25 0 d-------- C:\Windows\system32\drivers\downld
2008-06-24 19:02:41 0 d-------- C:\Program Files\Spyware Doctor
2008-06-24 19:02:16 0 d-------- C:\Windows\system32\drivers\Avg
2008-06-24 19:02:12 0 d-------- C:\Program Files\AVG
2008-06-20 00:30:22 0 d-------- C:\Program Files\Daniusoft
2008-06-03 03:12:56 47936 --a------ C:\Windows\system32\wgrs.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 111376 --a------ C:\Windows\system32\expat.dll
2008-06-03 03:12:56 416000 --a------ C:\Windows\system32\agsnet.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 43824 --a------ C:\Windows\system32\agprtcl.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 50880 --a------ C:\Windows\system32\agproxy.dll <Not Verified; iAnywhere Solutions, Inc.; AGAutoProxy Module>
2008-06-03 03:12:56 34592 --a------ C:\Windows\system32\agnet.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 40352 --a------ C:\Windows\system32\agcrypto.dll
2008-06-03 03:12:56 42368 --a------ C:\Windows\system32\agconnct.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 25152 --a------ C:\Windows\system32\agcncmn.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 66064 --a------ C:\Windows\system32\agcmn.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 146816 --a------ C:\Windows\system32\agclcmn.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 34464 --a------ C:\Windows\system32\agcehdlr.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo>
2008-06-02 16:57:34 599 --a------ C:\Windows\_MSSETUP.BAT
2008-06-02 16:57:33 14103 --a------ C:\Windows\_MSRSTRT.EXE


-- Find3M Report ---------------------------------------------------------------

2008-07-02 00:26:11 250 --a------ \gmer.ini
2008-07-01 23:35:59 3261 --a------ C:\Windows\bthservsdp.dat
2008-07-01 23:26:46 0 d-------- C:\Program Files\Paint Shop Pro 5
2008-07-01 18:50:06 19111 --a------ \main.txt
2008-06-25 17:56:46 0 d-------- C:\Program Files\NoteWorthy Composer
2008-06-20 02:39:07 0 d-------- C:\Program Files\Google
2008-06-15 21:52:03 0 d-------- C:\Program Files\Windows Mail
2008-06-03 03:13:00 0 d-------- C:\Program Files\AvantGo
2008-06-03 03:12:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-02 21:03:48 0 d-------- C:\Program Files\MagicDVDRipper
2008-04-10 01:04:38 174 --ahs---- C:\Program Files\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 08:38 AM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe" [08/08/2007 06:31 PM]
"AcronisTimounterMonitor"="C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe" [02/18/2005 08:10 AM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [07/11/2006 06:12 PM]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [07/20/2006 07:55 AM]
"MaxBlastMonitor.exe"="C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe" [08/08/2007 06:26 PM]
"RtHDVCpl"="RtHDVCpl.exe" [11/09/2006 11:57 AM C:\Windows\RtHDVCpl.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [03/08/2007 03:00 PM]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [07/19/2006 03:51 PM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/14/2003 11:22 AM]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [04/14/2004 03:46 PM]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [04/14/2004 04:04 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/24/2008 07:02 PM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [06/10/2008 09:22 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=WIKI.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr
iissvcs w3svc was
apphost apphostsvc

*Newly Created Service* - AEGISP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-02 00:29:38 ------------
 
Hi

OK, then we need a recovery console.

See here and choose “Command Prompt”

Delete these via command prompt:

C:\Windows\system32\drivers\srosa.sys
C:\Windows\system32\drivers\hldrrr.exe
C:\Windows\system32\drivers\mdelk.exe
C:\Windows\system32\drivers\downld

Reboot normally and post back a fresh dss log.

If you don't know how to delete files/folders, just ask :)
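Since the outcome of this step hinges on whether the deleted files stay gone, here is an added check (example code written for this page, not the helper's or DSS's own tooling) that diffs the "Files created" sections of two DSS main.txt logs: a target path is flagged as recreated when its creation time is later than the earlier run, and as untouched when its timestamp never changed. The sample listings are constructed from the two DSS logs posted in this thread, and the four target paths are the ones listed above.

```python
"""Check whether files deleted during a cleanup came back, by diffing the
'Files created' sections of two Deckard's System Scanner (DSS) runs.

Added example for this thread, not output of any tool. The sample listings
below are constructed from the two DSS logs posted here (one before the
recovery-console deletion, one after).
"""
import re
from datetime import datetime

# Header DSS writes at the top of main.txt, e.g. "Run by Barry on 2008-07-02 00:29:17"
RUN_RE = re.compile(r"^Run by .+ on (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$")

# Listing line: "<date> <time> <size> <9-char attrs> <path> [<version note>]"
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{9})\s+(.+?)(?:\s+<[^>]*>)?$"
)

# Constructed from the safe-mode DSS run posted earlier in the thread.
BEFORE = r"""
Deckard's System Scanner v20071014.68
Run by Barry on 2008-07-02 00:29:17
-- Files created between 2008-06-02 and 2008-07-02 -----------------------------
2008-06-28 00:55:27 0 d-------- C:\Program Files\RootKit Hook Analyzer
2008-06-27 22:51:09 90432 --a------ C:\Windows\system32\drivers\srosa.sys
2008-06-27 22:50:55 700416 -----n--- C:\Windows\system32\drivers\hldrrr.exe
2008-06-27 22:50:27 700416 --a------ C:\Windows\system32\drivers\mdelk.exe
2008-06-27 22:50:25 0 d-------- C:\Windows\system32\drivers\downld
"""

# Constructed from the normal-mode DSS run posted after the deletion attempt.
AFTER = r"""
Deckard's System Scanner v20071014.68
Run by Barry on 2008-07-02 15:36:37
-- Files created between 2008-06-02 and 2008-07-02 -----------------------------
2008-07-02 15:32:28 90432 --a------ C:\Windows\system32\drivers\srosa.sys
2008-07-02 15:32:27 700416 --a------ C:\Windows\system32\drivers\mdelk.exe
2008-06-28 00:55:27 0 d-------- C:\Program Files\RootKit Hook Analyzer
2008-06-27 22:50:55 -----n--- C:\Windows\system32\drivers\hldrrr.exe
2008-06-27 22:50:55 700416 -----n--- C:\Windows\system32\drivers\hldrrr.exe
2008-06-27 22:50:25 0 d-------- C:\Windows\system32\drivers\downld
2008-06-25 17:37:33 122880 --a------ C:\f-bagle.exe <Not Verified; F-Secure Corporation; F-Secure Corp. F-Bagle>
"""

# The four paths the helper asked to be deleted from the recovery console.
TARGETS = [
    r"C:\Windows\system32\drivers\srosa.sys",
    r"C:\Windows\system32\drivers\hldrrr.exe",
    r"C:\Windows\system32\drivers\mdelk.exe",
    r"C:\Windows\system32\drivers\downld",
]


def run_time(log):
    """Timestamp of the DSS run, taken from its 'Run by ... on ...' header."""
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    raise ValueError("no 'Run by' header found")


def parse_files(log):
    """Map lower-cased path -> (created, size, attrs, original path)."""
    files = {}
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m:  # non-listing lines (headers, separators) simply do not match
            created, size, attrs, path = m.groups()
            files[path.lower()] = (
                datetime.strptime(created, "%Y-%m-%d %H:%M:%S"), int(size), attrs, path)
    return files


def verify_cleanup(before_log, after_log, targets):
    """Classify each target path by comparing the two runs.

    removed    - gone from the later listing
    recreated  - present, created after the earlier run (so after the deletion)
    untouched  - present with the same creation time as before (deletion never took)
    present    - present, but the two runs disagree in some other way
    """
    baseline = run_time(before_log)
    before, after = parse_files(before_log), parse_files(after_log)
    verdict = {}
    for path in targets:
        key = path.lower()
        if key not in after:
            verdict[path] = "removed"
        elif after[key][0] > baseline:
            verdict[path] = "recreated"
        elif key in before and before[key][0] == after[key][0]:
            verdict[path] = "untouched"
        else:
            verdict[path] = "present"
    return verdict


def created_after(log, since):
    """Original-case paths in a listing whose creation time is later than 'since'."""
    return sorted(v[3] for v in parse_files(log).values() if v[0] > since)


if __name__ == "__main__":
    for path, status in verify_cleanup(BEFORE, AFTER, TARGETS).items():
        print(f"{status:10} {path}")
    print("dropped since earlier run:", created_after(AFTER, run_time(BEFORE)))
```

A driver or dropper that comes back with a fresh timestamp minutes before the new scan, as srosa.sys and mdelk.exe do here, means something still running is re-dropping it, so the live process and its autorun entries need removing before the files will stay deleted.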
 
Hello

It appeared to work as you said, and I did all the steps, and I am a throwback from DOS 6.2 days so I remember how to delete files and directories. I definitely did tell it to delete them, and it didn't give an error message.

They are still there though :(

Main.txt only - no extra.txt this time either.

Deckard's System Scanner v20071014.68
Run by Barry on 2008-07-02 15:36:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Barry.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:36:44, on 02/07/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\brsvc01a.exe
C:\Windows\system32\brss01a.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Windows\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\svchost.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\drivers\hldrrr.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\ehome\ehRecvr.exe
F:\avg_free_stf_all_8_100a1323.exe
C:\Users\Barry\AppData\Local\Temp\RarSFX2\avgsetup.exe
C:\Windows\system32\wbem\wmiprvse.exe
\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Barry\Desktop\dccss.exe
C:\Users\Barry\Desktop\Barry.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=8&key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Windows\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [mule_st_key] C:\Users\Barry\AppData\Roaming\m\flec006.exe
O4 - HKCU\..\Run: [german.exe] C:\Windows\system32\wintems.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3506276621-3869378006-3358427872-1009\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'AdminAccount')
O4 - HKUS\S-1-5-21-3506276621-3869378006-3358427872-500\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Administrator')
O4 - HKUS\S-1-5-21-3506276621-3869378006-3358427872-500\..\RunOnce: [WAB Migrate] %ProgramFiles%\Windows Mail\wab.exe /Upgrade (User 'Administrator')
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: WIKI.DLL,avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: AGL - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\AGL.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\Windows\system32\brsvc01a.exe
O23 - Service: Google Update Service (gupdate1c8d27662817f9e) (gupdate1c8d27662817f9e) - Google Inc. - C:\Program Files\Google\Update\1.0.103.0\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KGKBMQ - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\KGKBMQ.exe
O23 - Service: RLO - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\RLO.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: UVKPAI - Sysinternals - www.sysinternals.com - C:\Users\Barry\AppData\Local\Temp\UVKPAI.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 9761 bytes

-- Files created between 2008-06-02 and 2008-07-02 -----------------------------

2008-07-02 15:32:28 90432 --a------ C:\Windows\system32\drivers\srosa.sys
2008-07-02 15:32:27 700416 --a------ C:\Windows\system32\drivers\mdelk.exe
2008-06-28 00:55:27 0 d-------- C:\Program Files\RootKit Hook Analyzer
2008-06-27 22:50:55 700416 -----n--- C:\Windows\system32\drivers\hldrrr.exe
2008-06-27 22:50:25 0 d-------- C:\Windows\system32\drivers\downld
2008-06-27 21:55:32 0 d-------- C:\327882R2FWJFW
2008-06-26 01:41:02 0 d-------- C:\Users\All Users\WindowsSearch
2008-06-26 00:34:01 0 d-------- C:\inetpub
2008-06-25 18:14:26 0 d-------- C:\Belkin
2008-06-25 17:37:33 122880 --a------ C:\f-bagle.exe <Not Verified; F-Secure Corporation; F-Secure Corp. F-Bagle>
2008-06-24 22:00:46 0 d--h----- C:\$AVG8.VAULT$
2008-06-24 19:13:56 0 d-------- C:\!KillBox
2008-06-24 19:02:48 0 d-a------ C:\Users\All Users\TEMP
2008-06-24 19:02:41 0 d-------- C:\Program Files\Spyware Doctor
2008-06-24 19:02:16 0 d-------- C:\Windows\system32\drivers\Avg
2008-06-24 19:02:12 0 d-------- C:\Users\All Users\avg8
2008-06-24 19:02:12 0 d-------- C:\Program Files\AVG
2008-06-20 00:30:22 0 d-------- C:\Program Files\Daniusoft
2008-06-03 03:12:56 47936 --a------ C:\Windows\system32\wgrs.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 111376 --a------ C:\Windows\system32\expat.dll
2008-06-03 03:12:56 416000 --a------ C:\Windows\system32\agsnet.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 43824 --a------ C:\Windows\system32\agprtcl.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 50880 --a------ C:\Windows\system32\agproxy.dll <Not Verified; iAnywhere Solutions, Inc.; AGAutoProxy Module>
2008-06-03 03:12:56 34592 --a------ C:\Windows\system32\agnet.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 40352 --a------ C:\Windows\system32\agcrypto.dll
2008-06-03 03:12:56 42368 --a------ C:\Windows\system32\agconnct.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 25152 --a------ C:\Windows\system32\agcncmn.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 66064 --a------ C:\Windows\system32\agcmn.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 146816 --a------ C:\Windows\system32\agclcmn.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo Connect>
2008-06-03 03:12:56 34464 --a------ C:\Windows\system32\agcehdlr.dll <Not Verified; iAnywhere Solutions, Inc.; AvantGo>
2008-06-02 17:07:38 0 d-------- C:\Swe
2008-06-02 16:57:34 599 --a------ C:\Windows\_MSSETUP.BAT
2008-06-02 16:57:33 14103 --a------ C:\Windows\_MSRSTRT.EXE
2008-06-02 16:55:51 0 d-------- C:\SWE-INST


-- Find3M Report ---------------------------------------------------------------

2008-07-02 15:15:46 3261 --a------ C:\Windows\bthservsdp.dat
2008-07-02 00:44:30 731136 --a------ C:\avenger.exe
2008-07-01 23:26:46 0 d-------- C:\Program Files\Paint Shop Pro 5
2008-06-25 17:56:46 0 d-------- C:\Program Files\NoteWorthy Composer
2008-06-22 22:51:37 0 d-------- C:\Users\Barry\AppData\Roaming\dvdcss
2008-06-20 02:39:07 0 d-------- C:\Program Files\Google
2008-06-15 21:52:03 0 d-------- C:\Program Files\Windows Mail
2008-06-03 03:13:00 0 d-------- C:\Program Files\AvantGo
2008-06-03 03:12:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-24 23:02:28 0 d-------- C:\Users\Barry\AppData\Roaming\Mozilla
2008-05-02 21:03:48 0 d-------- C:\Program Files\MagicDVDRipper
2008-04-14 00:36:49 302 --a------ C:\Users\Barry\AppData\Roaming\electrem.cfg
2008-04-10 01:04:38 174 --ahs---- C:\Program Files\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
02/07/2008 15:36 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe" [08/08/2007 18:31]
"AcronisTimounterMonitor"="C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe" [18/02/2005 08:10]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [11/07/2006 18:12]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [20/07/2006 07:55]
"MaxBlastMonitor.exe"="C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe" [08/08/2007 18:26]
"RtHDVCpl"="RtHDVCpl.exe" [09/11/2006 11:57 C:\Windows\RtHDVCpl.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 05:25]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [08/03/2007 15:00]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [19/07/2006 15:51]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [14/10/2003 11:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [14/04/2004 15:46]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [14/04/2004 16:04]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [24/06/2008 19:02]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [10/06/2008 21:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [19/01/2008 08:33]
"drvsyskit"="C:\Windows\system32\drivers\hldrrr.exe" [18/02/2005 08:10]
"mule_st_key"="C:\Users\Barry\AppData\Roaming\m\flec006.exe" []
"german.exe"="C:\Windows\system32\wintems.exe" []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe [3/21/2008 3:26:50 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInternetIcon"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=WIKI.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ
WindowsMobile wcescomm rapimgr
LocalServiceRestricted WcesComm RapiMgr
iissvcs w3svc was
apphost apphostsvc

*Newly Created Service* - AEGISP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-02 15:37:24 ------------
 
Sorry - also - I am going to be away from home for a few days, but I will see your reply on Monday and will be carrying on then!

Many thanks
 
Hi

Yes, they are, because there is likely a downloader.

Are you able to keep the computer completely offline and post back logs using another computer?
 
Hello

The infected machine is completely offline currently because, due to the layout of my shared house, I can only connect by wireless, which is one of the services that got deleted. It was this that made me realise something was wrong.

I am putting progs onto the computer / posting logs by burning CDs.
 