Can't remove Trojan Generic9.AJIM

hleighty

New member
Persistent malware infection attributed to BHO with filename C:\Windows\System32\adsld.dll. The file is locked to access by WinHex and by the built-in Administrator user account. The file cannot be viewed in a hex editor (Access Denied) and immediately reappears after deletion to the Recycle Bin. This file is reliably and repeatedly identified by AVG 7.5 as Trojan Generic9.AJIM but all efforts to quarantine the infected file fail with immediate replacement of the quarantined file. Here below is the HJT 2.0.2 log followed in this thread at the next post by the Kaspersky online scanner log. Thanks for any assistance in removing this malware object.
-----[ Begin HJT Log ]-----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:37 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {EE5A0A38-CEF3-43A7-B3E6-50A4C9E230FE} - C:\WINDOWS\system32\adsld.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://c:\program files\common files\aolcoach\en_en\player\plugin\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146596725093
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\Software\..\Telephony: DomainName = feddema.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = feddema.local
O20 - Winlogon Notify: winwll32 - winwll32.dll (file missing)
O20 - Winlogon Notify: yayabcd - yayabcd.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LBV - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LBV.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 9167 bytes
-----[ End HJT Log ]-----


Thanks for any help or suggestions.
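As an added example (not code from the thread, from HijackThis or from the helper), the PowerShell below does the first-pass triage a log reader performs by hand on the HJT output above: it flags O2 BHO entries with no name, O20 Winlogon Notify entries whose DLL is missing, O23 services with no vendor, anything launched from a Temp directory, and O16 DPF entries that pull an executable. The `$HjtLines` excerpt is constructed from lines of the posted log; `Get-HjtFinding` is a name chosen for this example.

```powershell
# Added example: triage a HijackThis log for the entries a helper reads first.
# $HjtLines is a constructed excerpt modelled on the log posted in this thread.
$HjtLines = @'
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {EE5A0A38-CEF3-43A7-B3E6-50A4C9E230FE} - C:\WINDOWS\system32\adsld.dll
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
O20 - Winlogon Notify: winwll32 - winwll32.dll (file missing)
O23 - Service: LBV - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LBV.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
'@ -split "`r?`n"

function Get-HjtFinding {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Every HJT entry starts with its section code (R0, O2, O23, ...) and " - ".
        if (-not ($line -match '^(?<sec>[OR]\d+) - (?<rest>.*)$')) { continue }
        $sec  = $Matches.sec
        $rest = $Matches.rest
        $reasons = @()
        if ($sec -eq 'O2'  -and $rest -match '\(no name\)')    { $reasons += 'BHO registered without a name' }
        if ($sec -eq 'O20' -and $rest -match 'file missing')   { $reasons += 'Winlogon Notify points at a missing DLL' }
        if ($sec -eq 'O23' -and $rest -match 'Unknown owner')  { $reasons += 'service with no vendor string' }
        if ($rest -match '\\Temp\\')                            { $reasons += 'launched from a Temp directory' }
        if ($sec -eq 'O16' -and $rest -match '\.exe\s*$')      { $reasons += 'DPF entry that downloads an executable' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Section = $sec
                Entry   = $rest
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Usage: run against the constructed excerpt; to use a real log, replace $HjtLines
# with Get-Content -Path .\hijackthis.log
Get-HjtFinding -Lines $HjtLines | Format-Table -AutoSize -Wrap
```

On the excerpt this reports the unnamed adsld.dll BHO, the TrueSwitchEC.exe DPF entry, the winwll32 Winlogon Notify entry, and the LBV service (twice: no vendor, and a Temp path); the Java BHO and the Lexmark service pass. A flag is a reason to look, not a verdict: vendor-less services and missing-file entries are common leftovers of uninstalls as well as of infections.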
 
Can't Remove Trojan Generic9.AJIM

Here is the Kaspersky scan log.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 21, 2008 12:43:32 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/01/2008
Kaspersky Anti-Virus database records: 525897
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 79428
Number of viruses found: 17
Number of infected objects: 70
Number of suspicious objects: 0
Duration of the scan process: 01:36:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\LightScribe\log\log2504.txt Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF47AE.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NL3C23CI\RegistryCleaner[1].exe/RegistryCleaner.exe Infected: not-a-virus:FraudTool.Win32.RegCleanFix.a skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NL3C23CI\RegistryCleaner[1].exe SetupFactory: infected - 1 skipped
C:\Documents and Settings\Administrator\My Documents\maps.exe/stream/data0008 Infected: not-a-virus:AdWare.Win32.Comet.ay skipped
C:\Documents and Settings\Administrator\My Documents\maps.exe/stream Infected: not-a-virus:AdWare.Win32.Comet.ay skipped
C:\Documents and Settings\Administrator\My Documents\maps.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\tracking.log Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP164\A0032884.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP167\A0033959.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035040.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035042.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.gn skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035042.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035045.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP168\A0035051.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP169\A0036023.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP169\A0036024.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039027.dll Infected: not-a-virus:AdWare.Win32.BHO.oi skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039051.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039061.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039070.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039080.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039101.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039109.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039110.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039164.exe Infected: not-a-virus:FraudTool.Win32.RegCleanFix.a skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP171\A0039167.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.aa skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP173\A0039231.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP173\A0039249.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP173\A0039257.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP175\A0039296.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP176\A0040322.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP176\A0041332.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP176\A0041350.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP176\A0041365.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041651.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041653.dll Infected: Trojan.Win32.Obfuscated.mi skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041654.dll Infected: Trojan.Win32.Obfuscated.mi skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041655.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041659.exe Infected: Trojan-Spy.Win32.BZub.buz skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041660.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041661.dll Infected: Trojan.Win32.Obfuscated.mi skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041662.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041663.dll Infected: Trojan.Win32.Obfuscated.lf skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041664.exe Infected: not-virus:Hoax.Win32.Renos.apg skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041665.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041666.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cll skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041775.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041781.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041787.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041795.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP177\A0041824.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP178\A0041832.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP179\A0041845.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP179\A0041879.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP180\A0041894.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP180\A0041899.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP180\A0041907.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP181\A0042073.dll Infected: not-a-virus:AdWare.Win32.BHO.rh skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP181\A0042335.sys Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042343.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042344.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042345.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042346.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042347.exe Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP182\A0042348.dll Object is locked skipped
C:\System Volume Information\_restore{F12F6FCA-02BA-4BDE-887E-CF7AA5F3F6EF}\RP194\change.log Object is locked skipped
C:\VNC\vnc-4_1_1-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\VNC\vnc-4_1_1-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\VNC\vnc-4_1_1-x86_win32.exe Inno: infected - 2 skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A548819D-A954-466E-98CC-FB7CE95949D8}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\adsld.dll Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\win10AF.exe/data0004/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.gn skipped
C:\WINDOWS\Temp\win10AF.exe/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.gn skipped
C:\WINDOWS\Temp\win10AF.exe/data0005 Infected: Trojan-Downloader.Win32.Agent.hjs skipped
C:\WINDOWS\Temp\win10AF.exe/data0006/data0007 Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\WINDOWS\Temp\win10AF.exe/data0006 Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\WINDOWS\Temp\win10AF.exe NSIS: infected - 5 skipped
C:\WINDOWS\Temp\win1179.exe/data0004/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.gn skipped
C:\WINDOWS\Temp\win1179.exe/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.gn skipped
C:\WINDOWS\Temp\win1179.exe/data0005 Infected: Trojan-Downloader.Win32.Agent.hjs skipped
C:\WINDOWS\Temp\win1179.exe/data0006/data0007 Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\WINDOWS\Temp\win1179.exe/data0006 Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\WINDOWS\Temp\win1179.exe NSIS: infected - 5 skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Suspicious Registry entries can't be deleted.

While waiting for a response, I am continuing to pursue and investigate this problem within my limited resources.

Adaware 2007 with latest updates finds three registry entries that can't be handled by either quarantine or removal. After Exporting to a .reg file, attempted manual removal using regedit also fails (Access Denied) even when IE7 is closed (logged in normally to built-in Administrator user account). The three suspicious keys reported by Adaware 2007 that can't be modified or deleted are:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu

In checking the Permissions for this Hive and Key, the only entities that have Full Control are SYSTEM and the local Administrators Group on the local machine. Everyone else (including CREATOR-OWNER) has Read Permission and Special Permissions. But the built-in Administrator user account has an entry showing its permissions set to "Special Permissions" even though this user account is a member of the local Administrators Group. This probably explains why the keys can't be accessed or modified (the most restrictive permissions apply).

I'm awaiting any advice that may become available.
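The permissions described above can be read out directly rather than inferred from an Access Denied. The PowerShell below is an added example (not code from the thread or from any tool mentioned in it): it dumps the ACL of the three keys named in the post and marks which entries apply to the account running the script. The key paths are the ones quoted above; `Get-KeyAclReport` is a name chosen for this example.

```powershell
# Added example: list the ACL on the three registry keys the poster could not delete
# and mark which entries apply to the current logon. Key paths are from the post;
# the function name is this example's own.
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu'
)

function Get-KeyAclReport {
    param([string[]]$Paths)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # The current user's own SID plus the SID of every group in its access token.
    # An ACE is relevant to this logon only if its identity is in this list.
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    foreach ($p in $Paths) {
        $name = $p.Split('\')[-1]
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Key = $name; Owner = ''; Identity = '(key not present)'
                               Type = ''; Rights = ''; AppliesToMe = ''; Inherited = '' }
            continue
        }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            # Translate the account name to a SID so membership is compared by value.
            # Translation fails for orphaned SIDs; those entries stay unmatched.
            $sid = $null
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
            [pscustomobject]@{
                Key         = $name
                Owner       = $acl.Owner
                Identity    = $ace.IdentityReference.Value
                Type        = $ace.AccessControlType   # Deny entries take precedence over Allow entries
                Rights      = $ace.RegistryRights      # a numeric value here is what regedit labels "Special Permissions"
                AppliesToMe = ($null -ne $sid -and $mySids -contains $sid)
                Inherited   = $ace.IsInherited
            }
        }
    }
}

# Usage: run from the same logon that received Access Denied in regedit.
Get-KeyAclReport -Paths $Keys |
    Sort-Object Key, Type |
    Format-Table Key, Owner, Identity, Type, Rights, AppliesToMe, Inherited -AutoSize -Wrap
```

Two columns carry the diagnosis. Allow entries are cumulative, so an extra Allow entry for the user cannot take rights away from a group it belongs to; a Deny entry can, and one that shows AppliesToMe as True explains an Access Denied by itself. Owner matters too: an account that is the key's owner can always rewrite the DACL, which is the recovery path when no Allow entry grants it. If the keys show no Deny entry at all and the account still cannot delete them, the block is not coming from the ACL, and the file that keeps reappearing (adsld.dll in the first post) is the more likely cause.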
 
 
Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.


Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.



Kaspersky Online Scanner
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Please post the ComboFix log along with the Kaspersky log in your reply.
 
Commencing the Procedures

Thanks for responding. I'm now beginning the procedures you sent me and I will follow the instructions faithfully to the best of my ability. Your help is greatly appreciated. More later when I have the first results.
 
First ComboFix Log

ComboFix 08-01-29.3 - Administrator 2008-02-04 9:58:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.154 [GMT -8:00]
Running from: F:\Security\Spyware\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\adsld.dll
C:\WINDOWS\system32\drivers\fcoaugqg.dat
C:\Program Files\Helper
C:\setup.exe
C:\WINDOWS\system32\adsld.dll
C:\WINDOWS\system32\dbddbbaac7_r.dll
C:\WINDOWS\system32\drivers\fcoaugqg.dat
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\lnnmp.ini2
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_BWQECBQE
-------\bwqecbqe


((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-04 09:49 . 2004-08-04 04:00 260,272 -r-hs---- C:\cmldr
2008-02-04 09:49 . 2008-01-29 11:58 210 -rahs---- C:\BOOT.BAK
2008-01-30 10:30 . 2008-01-30 10:30 <DIR> d-------- C:\Program Files\CCleaner
2008-01-30 10:12 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-23 03:48 . 2008-01-23 03:48 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-23 03:48 . 2008-01-23 03:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 03:47 . 2008-01-23 03:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-22 16:30 . 2008-01-22 16:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 09:41 . 2008-01-21 09:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-21 09:41 . 2008-01-21 09:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-20 06:04 . 2008-01-20 06:06 <DIR> d-------- C:\Program Files\WinHex
2008-01-19 13:41 . 2008-01-19 13:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-19 13:41 . 2008-01-23 03:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-19 13:40 . 2008-01-19 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-18 12:13 . 2008-01-18 12:13 23 --a------ C:\WINDOWS\system32\afdffca_r.ocx
2008-01-18 12:12 . 2008-01-18 12:12 <DIR> d-------- C:\Program Files\jv16 PowerTools 2007
2008-01-18 10:54 . 2007-01-18 04:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-13 13:59 . 2008-01-19 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-11 00:14 . 2008-01-11 00:14 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-01-11 00:13 . 2008-01-11 00:13 <DIR> d-------- C:\Program Files\MSECACHE
2008-01-10 22:29 . 2007-04-12 02:58 1,052,472 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2008-01-10 22:29 . 2007-04-12 02:58 300,816 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2008-01-10 22:29 . 2007-04-12 02:58 199,440 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-01-10 22:29 . 2007-04-12 02:58 112,400 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2008-01-10 22:29 . 2007-04-12 02:58 75,792 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2008-01-10 22:29 . 2007-04-12 02:58 32,528 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-01-09 15:22 . 2008-01-09 15:22 <DIR> d-------- C:\Program Files\WinASO
2008-01-09 14:36 . 2008-01-11 08:38 137 --a------ C:\WINDOWS\wininit.ini
2008-01-09 13:29 . 2008-01-20 05:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-09 12:55 . 2008-01-09 12:55 <DIR> d-------- C:\Program Files\BillP Studios
2008-01-09 12:55 . 2008-01-09 12:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\WinPatrol
2008-01-07 13:51 . 2008-01-07 13:52 1,291,662 --a------ C:\Install
2008-01-07 10:30 . 2008-01-09 11:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-07 10:30 . 2008-01-07 10:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-06 03:14 . 2008-01-07 12:45 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-01-04 18:24 . 2008-01-04 18:24 <DIR> d-------- C:\WINDOWS\RegistryCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 18:12 --------- d-----w C:\Program Files\Java
2008-01-11 06:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-09 22:53 188 ----a-w C:\CMDR950I.DAT
2008-01-09 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-07 20:45 --------- d-----w C:\Program Files\Nxdfiedj
2008-01-07 18:59 --------- d-----w C:\Program Files\America Online 9.0
2008-01-07 18:27 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-07 17:51 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-01-07 17:51 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-12-19 05:54 --------- d-----w C:\Program Files\Yahoo!
2007-12-19 05:54 --------- d-----w C:\Program Files\Pure Networks
2007-12-19 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Gtek
2007-12-19 05:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\GTek
2007-12-19 05:23 --------- d-----w C:\Program Files\MSBuild
2007-12-19 05:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-19 05:14 --------- d-----w C:\Program Files\Reference Assemblies
2007-12-19 05:05 --------- d-----w C:\Program Files\Three Rings Design
2007-12-19 04:57 --------- d-----w C:\Program Files\HPQ
2007-12-19 04:55 --------- d-----w C:\Program Files\R4 Controller
2007-12-19 04:52 --------- d-----w C:\Program Files\MSXML 6.0
2007-12-19 03:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-12-19 03:29 --------- d-----w C:\Program Files\MSD
2007-12-19 03:28 --------- d-----w C:\Program Files\Maxthon
2007-12-19 03:12 --------- d-----w C:\Program Files\Google
2007-12-19 03:08 --------- d-----w C:\Program Files\HandyBits
2007-12-19 03:06 --------- d-----w C:\Program Files\AOL Deskbar
2007-11-14 16:55 164 ----a-w C:\install.dat
2006-12-30 21:23 1,798 -c--a-w C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
2006-03-07 18:59 8,842 -c--a-r C:\Program Files\VSHARE.38_
2006-03-07 18:59 67,828 -c--a-r C:\Program Files\TABCTL16.OC_
2006-03-07 18:59 64,000 -c--a-r C:\Program Files\STORAGE.DL2
2006-03-07 18:59 580,252 -c--a-r C:\Program Files\VB40016.DL_
2006-03-07 18:59 49,399 -c--a-r C:\Program Files\VBDB16.DL_
2006-03-07 18:59 25,197 -c--a-r C:\Program Files\STORAGE.DL1
2006-03-07 18:59 23,044 -c--a-r C:\Program Files\VAEN21.OL_
2006-03-07 18:59 108,779 -c--a-r C:\Program Files\TYPELIB.DL_
2006-03-07 18:59 1,897 -c--a-r C:\Program Files\VBAJET.DL_
2006-03-07 18:59 1,602 -c--a-r C:\Program Files\WB383SB.95_
2006-03-07 18:59 1,528 -c--a-r C:\Program Files\WBMP2405.95_
2006-03-07 18:59 1,496 -c--a-r C:\Program Files\WBTB7503.95_
2006-03-07 18:59 1,494 -c--a-r C:\Program Files\WBSC14SC.95_
2006-03-07 18:59 1,485 -c--a-r C:\Program Files\TBI7503.95_
2006-03-07 18:59 1,476 -c--a-r C:\Program Files\WB502SYS.95_
2006-03-07 18:59 1,472 -c--a-r C:\Program Files\TBI6502.95_
2006-03-07 18:59 1,472 -c--a-r C:\Program Files\TBI6501.95_
2006-03-07 18:59 1,456 -c--a-r C:\Program Files\WBMP3008.95_
2006-03-07 18:59 1,449 -c--a-r C:\Program Files\WBTBBLWN.95_
2006-03-07 18:59 1,437 -c--a-r C:\Program Files\TBI6503.95_
2006-03-07 18:59 1,420 -c--a-r C:\Program Files\WBTC4CYL.95_
2006-03-07 18:59 1,414 -c--a-r C:\Program Files\ZZ4MPI30.95_
2006-03-07 18:58 98,789 -c--a-r C:\Program Files\OLE2NLS.DL_
2006-03-07 18:58 88,532 -c--a-r C:\Program Files\OLE2DISP.DL_
2006-03-07 18:58 8,000 -c--a-r C:\Program Files\MSJETERR.DL_
2006-03-07 18:58 7,684 -c--a-r C:\Program Files\SCP.DL_
2006-03-07 18:58 617,834 -c--a-r C:\Program Files\MSAJT200.DL_
2006-03-07 18:58 60,352 -c--a-r C:\Program Files\PEGO16A.OC_
2006-03-07 18:58 59,061 -c--a-r C:\Program Files\SETUP1.EX_
2006-03-07 18:58 502,082 -c--a-r C:\Program Files\PEGRP16A.DL_
2006-03-07 18:58 5,762 -c--a-r C:\Program Files\OLE2.RE_
2006-03-07 18:58 44,428 -c--a-r C:\Program Files\PE3DO16A.OC_
2006-03-07 18:58 4,039 -c--a-r C:\Program Files\STKIT416.DL_
2006-03-07 18:58 39,785 -c--a-r C:\Program Files\MSCOMM16.OC_
2006-03-07 18:58 35,579 -c--a-r C:\Program Files\OLE2CONV.DL_
2006-03-07 18:58 306,271 -c--a-r C:\Program Files\OC25.DL_
2006-03-07 18:58 30,624 -c--a-r C:\Program Files\SETUP.EXE
2006-03-07 18:58 274,957 -c--a-r C:\Program Files\PRO950.EX_
2006-03-07 18:58 24,410 -c--a-r C:\Program Files\OLE2PROX.DL_
2006-03-07 18:58 2,856 -c--a-r C:\Program Files\STDOLE.TL_
2006-03-07 18:58 170,995 -c--a-r C:\Program Files\OLE2.DL_
2006-03-07 18:58 12,896 -c--a-r C:\Program Files\MSJETINT.DL_
2006-03-07 18:58 12,148 -c--a-r C:\Program Files\SETUP.LST
2006-03-07 18:58 1,479 -c--a-r C:\Program Files\SC14PSI.95_
2006-03-07 18:58 1,455 -c--a-r C:\Program Files\STLTHZZ4.95_
2006-03-07 18:58 1,447 -c--a-r C:\Program Files\MPI3008.95_
2006-03-07 18:58 1,327 -c--a-r C:\Program Files\R42600.95_
2006-03-07 18:58 1,326 -c--a-r C:\Program Files\R42700.95_
2006-03-07 18:58 1,321 -c--a-r C:\Program Files\R50700.95_
2006-03-07 18:58 1,288 -c--a-r C:\Program Files\R50800.95_
2006-03-07 18:57 74,916 -c--a-r C:\Program Files\DBLIST16.OC_
2006-03-07 18:57 67,072 -c--a-r C:\Program Files\DAO2516.DL2
2006-03-07 18:57 61,684 -c--a-r C:\Program Files\COMPOBJ.DL_
2006-03-07 18:57 46,105 -c--a-r C:\Program Files\COMDLG16.OC_
2006-03-07 18:57 38,144 -c--a-r C:\Program Files\C950CALC.XL_
2006-03-07 18:57 203,301 -c--a-r C:\Program Files\DAO2516.DL1
2006-03-07 18:57 173,744 -c--a-r C:\Program Files\DBGRID16.OC_
2006-03-07 18:57 15,098 -c--a-r C:\Program Files\CTL3DV2.DL_
2006-03-07 18:57 106,413 -c--a-r C:\Program Files\GRDKRN16.DL_
2006-03-07 18:57 1,562 -c--a-r C:\Program Files\MPI2402.95_
2006-03-07 18:57 1,513 -c--a-r C:\Program Files\MPI2405.95_
2006-03-07 18:57 1,504 -c--a-r C:\Program Files\MPI1901.95_
2006-03-07 18:57 1,497 -c--a-r C:\Program Files\MPI3006.95_
2006-03-07 18:57 1,483 -c--a-r C:\Program Files\MPI3007.95_
2006-03-07 18:57 1,480 -c--a-r C:\Program Files\350_85.95_
2006-03-07 18:57 1,469 -c--a-r C:\Program Files\50242PPH.95_
2006-03-07 18:57 1,465 -c--a-r C:\Program Files\MPI3004.95_
2006-03-07 18:57 1,465 -c--a-r C:\Program Files\BBC50PPH.95_
2006-03-07 18:57 1,463 -c--a-r C:\Program Files\383SC.95_
2006-03-07 18:57 1,462 -c--a-r C:\Program Files\502SYSMX.95_
2006-03-07 18:57 1,462 -c--a-r C:\Program Files\350SBC30.95_
2006-03-07 18:57 1,459 -c--a-r C:\Program Files\MPI2403.95_
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 18:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 04:12 102492]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:27 1015808]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 12:54 253952]
"Lexmark 4200 Series"="C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 02:04 57344]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 00:51 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 00:50 204800]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29 102400]
"HostManager"="C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe" [2006-09-25 16:52 50736]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 08:06 292152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-19 13:41 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwll32]
winwll32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayabcd]
yayabcd.dll

S3 LBV;LBV;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LBV.exe []
S3 UnlockerDriver4;UnlockerDriver4 Driver;C:\Program Files\Unlocker\UnlockerDriver4.sys []
S3 USA19H;USA19H;C:\WINDOWS\system32\DRIVERS\USA19H2k.sys [2003-06-24 19:30]
S3 USA19H2KP;Keyspan USB Serial Port Driver;C:\WINDOWS\system32\DRIVERS\USA19H2kp.SYS [2003-06-24 19:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 02:45:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-20 15:00:28 C:\WINDOWS\Tasks\wrSpySweeper20060502143530.job"
??
????.
\- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe*/ScheduleSweep=wrSpySweeper20060502143530
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 10:07:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-04 10:10:01 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-02-04 18:09:56
.
2008-01-10 05:47:37 --- E O F ---
 
First HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:29 AM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://c:\program files\common files\aolcoach\en_en\player\plugin\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146596725093
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\Software\..\Telephony: DomainName = feddema.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = feddema.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = feddema.local
O20 - Winlogon Notify: winwll32 - winwll32.dll (file missing)
O20 - Winlogon Notify: yayabcd - yayabcd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LBV - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LBV.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 8903 bytes
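A small triage helper for HijackThis v2.0.2 logs, added here as an example; it is not code from this thread, from HijackThis or from ComboFix. It reads the O2/O4/O20/O23 line shapes seen in the log above and flags what a helper looks for first: Winlogon Notify keys whose DLL is missing (the winwll32/yayabcd entries), services with no publisher or a binary in a Temp directory (the LBV service), Run entries launching from Temp, and BHO CLSIDs not on a reviewer-maintained allow-list. The allow-list holds the two CLSIDs from the log above; the sample log is constructed, and the CLSID on its adsld.dll line is a placeholder because the real one is not on this page.

```python
import re
from dataclasses import dataclass

# Reviewer-maintained allow-list of BHO CLSIDs known to be benign on this
# machine. Both values come from the HJT log in this thread; anything else
# is flagged for review, not declared malicious.
KNOWN_GOOD_BHO = {
    "{53707962-6F74-2D53-2644-206D7942484F}",  # Spybot-S&D IE Protection
    "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}",  # Sun Java SSVHelper Class
}

# Binaries launched from a Temp directory are a classic persistence smell.
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)

# Line shapes of the HJT sections this triage looks at.
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
_O4 = re.compile(r"^O4 - (?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section tag, e.g. "O20"
    severity: str  # "high" (act on it) or "review" (verify publisher/path)
    reason: str
    line: str


def triage_line(line: str):
    """Return a Finding for one HJT log line, or None if it looks ordinary."""
    line = line.rstrip()
    if m := _O20.match(line):
        # Winlogon Notify DLLs load into winlogon.exe at logon. An entry whose
        # DLL is gone is an orphaned loading point left behind by a removed
        # component; the CFScript later in this thread deletes exactly these keys.
        if "(file missing)" in m["dll"]:
            return Finding("O20", "high",
                           f"Winlogon Notify key '{m['key']}' points to a missing DLL", line)
        return Finding("O20", "review",
                       f"Winlogon Notify DLL {m['dll']} present; confirm publisher", line)
    if m := _O23.match(line):
        reasons = []
        if m["owner"] == "Unknown owner":
            reasons.append("service has no publisher")
        if "(file missing)" in m["path"]:
            reasons.append("service binary is missing")
        if TEMP_DIR.search(m["path"]):
            reasons.append("service binary lives in a Temp directory")
        if reasons:
            return Finding("O23", "high", f"service '{m['name']}': " + "; ".join(reasons), line)
        return None
    if m := _O4.match(line):
        if TEMP_DIR.search(m["cmd"]):
            return Finding("O4", "high",
                           f"Run entry [{m['name']}] starts a binary from a Temp directory", line)
        return None
    if m := _O2.match(line):
        if m["clsid"].upper() not in KNOWN_GOOD_BHO:
            return Finding("O2", "review",
                           f"BHO {m['clsid']} ({m['name']}) loads {m['path']} and is not on the allow-list", line)
        return None
    return None


def triage(log_text: str):
    """Run triage_line over every line of an HJT log, keeping only findings."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


# Constructed sample in the shape of the HJT log in this thread. The O2 entry
# for adsld.dll carries a placeholder CLSID; the real one is not on the page.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\adsld.dll
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
O20 - Winlogon Notify: winwll32 - winwll32.dll (file missing)
O20 - Winlogon Notify: yayabcd - yayabcd.dll (file missing)
O23 - Service: LBV - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LBV.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

Run against a full log, the helper surfaces the same four entries the later CFScript removes (two Winlogon Notify keys, the LBV driver) plus the unknown BHO, while leaving the Lexmark, Java and Spybot entries alone.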
 
Kaspersky Online Scanner Fails to Load ActiveX Control

Here is the error message I get when trying to Install the Kaspersky Online Scanner:

"Failed to load Kaspersky Online Scanner ActiveX control!

You must have administrative rights on this computer;
you also must have the IE security settings to the Medium level."


I am logged in to Windows XP using the built-in Administrator user account. The IE7 Security Settings are at 'Medium'.
 
Is the old Kaspersky log any good?

I ran the Kaspersky Online scanner once before I got a response from Katana. This was before I ran ComboFix. After I finally got my instructions (long wait) I followed them exactly and installed the Recovery Console before running ComboFix. After ComboFix I ran HJT 2.0.2. But the next time I tried to run Kaspersky Online Scanner (that was installed before I got my instructions) it failed to run. I then uninstalled Kaspersky using Add/Remove Programs and then tried to reinstall it again per the instructions. That is when I got the Failure to load the ActiveX control. Same result on my second attempt. I'm stuck right now.
 
OK, please try this instead

TotalScan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Please go to this site Link >> TotalScan << LINK
  • Under Scan Now click the Full Scan button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.
 
TotalScan procedure won't start.

I clicked on the link in the instructions for TotalScan and opened the page at http://www.nanoscan.com/as/index/ where I saw a large green [Scan Now] button with two choices below it, Quick Scan and Full Scan. I chose Full Scan and then clicked [Scan Now]. After a brief wait I was prompted to Allow the ActiveX control. I did so. Then I clicked to [Install]. After another brief wait, the original screen with the big green [Scan Now] button returned. I tried again twice more -- same thing every time. Looks like an endless loop.
 
It looks like there is a permissions issue somewhere.
Please do the following and then try Kaspersky again.

  1. Please download FixPolicies.exe by Bill Castner and save it to your desktop.
  2. Double click on FixPolicies.exe to run it.
  3. Click on Install. It will create a folder named FixPolicies on your desktop.
  4. Open the FixPolicies folder.
  5. Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.
 
Tried Kaspersky twice more -- no luck.

Same behavior for Kaspersky. It fails with a message:

Failed to load Kaspersky Online Scanner ActiveX control!

You must have administrative rights on this computer;
you also must have the IE security settings to the Medium level.


I noticed that during the long wait before the script timed out, Task Manager was showing 99% of CPU cycles were assigned to System Idle Process and 1% of CPU cycles were assigned to taskmgr.exe. The Applications Tab of Task Manager showed all open tasks as "Running" and none were marked as Not Responding. I also noted that there were only very briefly any packets sent and received as network traffic over the LAN. We do have a good connection to the internet and I can PING remote servers with 0% packet loss. It takes several minutes for the Install process to fail and show the error message.

Here is a question: I noticed from the ComboFix Log that the persistent file that previously could not be deleted (filename adsld.dll) was shown as having been deleted, along with several of its friends with equally suspicious filenames. I verified the absence of the known malware file using Windows Explorer. I confirmed that file C:\WINDOWS\System32\adsld.dll is no longer present. That file appears in the earlier HJT log as an O2 BHO. It is no longer being reported in the latest HJT log. Could it be that we have already achieved the desired results, notwithstanding the inability to run the Kaspersky scanner? What do you think?
 
AVG 7.5.516 reports zero threats found

Here are some reports of my additional observations:

Before running ComboFix.exe, AVG Antivirus consistently reported the file C:\WINDOWS\System32\adsld.dll to be an infected file {Trojan Generic9.AJIM}. Each time the infected object was detected, it was sent to the AVG Virus Vault (quarantine by any other name), only to reappear immediately and be detected again by AVG, etc., in an endless loop of detection/quarantine/repeat.

Inspection of the Virus Vault showed multiple instances of the infected file, one for each time it was quarantined. This detection/quarantine loop had a frequency of about 2-3 detections per minute which made the computer virtually unusable. The short fix was to disable AVG so that the realtime scanner would not automatically start when Windows started. This made the computer "infected but usable".

Since I could not run Kaspersky a second time, I tried AVG again thinking that this might be relevant since AVG previously detected the infection very reliably. With the virus base updated to 2/4/2008, AVG scanned 27,812 objects and found zero errors and zero threats.

So to my untrained eye, the original reason for requesting help seems to be gone now. I think maybe ComboFix did the job and the ComboFix Log and the HJT Log both seem to confirm it.

Here is the telling part of the ComboFix Log:
((( Other Deletions )))
C:\WINDOWS\system32\adsld.dll
C:\WINDOWS\system32\drivers\fcoaugqg.dat
C:\Program Files\Helper
C:\setup.exe
C:\WINDOWS\system32\adsld.dll
C:\WINDOWS\system32\dbddbbaac7_r.dll
C:\WINDOWS\system32\drivers\fcoaugqg.dat
C:\WINDOWS\system32\jkklk.dll
C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\lnnmp.ini2
C:\WINDOWS\system32\mcrh.tmp

The confirmation is in the second HJT Log showing that the BHO c:\windows\system32\adsld.dll is no longer being reported. Further confirmation by AVG lends confidence to the hypothesis that "Maybe It Is Fixed Now".

Your comments on my "Maybe It Is Fixed Now" hypothesis are invited. If you want me to execute any other procedures, please pass me the instructions.
 
It is very likely that the infection is gone, BUT, malware likes to hide itself these days and a fresh run with an online scanner will tell us if there are any stray files left behind.
The very fact that Kaspersky won't run tells me that something is not right somewhere along the way.


Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NL3C23CI\RegistryCleaner[1].exe
    C:\Documents and Settings\Administrator\My Documents\maps.exe
    C:\WINDOWS\Temp\win10AF.exe
    C:\WINDOWS\Temp\win1179.exe
    Folder::
    Driver::
    LBV
    UnlockerDriver4
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwll32]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayabcd]
    ADS::
  • Save this as CFScript.txt and place it on your desktop.


    CFScript.gif


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.
 
ComboFix Log from CFScript

ComboFix 08-01-29.3 - Administrator 2008-02-05 14:15:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.153 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NL3C23CI\RegistryCleaner[1].exe
C:\Documents and Settings\Administrator\My Documents\maps.exe
C:\WINDOWS\Temp\win10AF.exe
C:\WINDOWS\Temp\win1179.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\My Documents\maps.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_LBV
-------\LEGACY_UNLOCKERDRIVER4
-------\LBV
-------\UnlockerDriver4


((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-04 09:49 . 2004-08-04 04:00 260,272 -r-hs---- C:\cmldr
2008-02-04 09:49 . 2008-01-29 11:58 210 -rahs---- C:\BOOT.BAK
2008-01-30 10:30 . 2008-01-30 10:30 <DIR> d-------- C:\Program Files\CCleaner
2008-01-30 10:12 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-23 03:48 . 2008-01-23 03:48 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-23 03:48 . 2008-01-23 03:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 03:47 . 2008-01-23 03:47 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-22 16:30 . 2008-01-22 16:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 09:41 . 2008-01-21 09:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-20 06:04 . 2008-01-20 06:06 <DIR> d-------- C:\Program Files\WinHex
2008-01-19 13:41 . 2008-01-19 13:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-19 13:41 . 2008-02-04 19:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-19 13:40 . 2008-01-19 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-18 12:13 . 2008-01-18 12:13 23 --a------ C:\WINDOWS\system32\afdffca_r.ocx
2008-01-18 12:12 . 2008-01-18 12:12 <DIR> d-------- C:\Program Files\jv16 PowerTools 2007
2008-01-18 10:54 . 2007-01-18 04:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-01-13 13:59 . 2008-01-19 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-11 00:14 . 2008-01-11 00:14 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-01-11 00:13 . 2008-01-11 00:13 <DIR> d-------- C:\Program Files\MSECACHE
2008-01-10 22:29 . 2007-04-12 02:58 1,052,472 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2008-01-10 22:29 . 2007-04-12 02:58 300,816 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2008-01-10 22:29 . 2007-04-12 02:58 199,440 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-01-10 22:29 . 2007-04-12 02:58 112,400 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2008-01-10 22:29 . 2007-04-12 02:58 75,792 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2008-01-10 22:29 . 2007-04-12 02:58 32,528 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-01-09 15:22 . 2008-01-09 15:22 <DIR> d-------- C:\Program Files\WinASO
2008-01-09 14:36 . 2008-01-11 08:38 137 --a------ C:\WINDOWS\wininit.ini
2008-01-09 13:29 . 2008-01-20 05:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-09 12:55 . 2008-01-09 12:55 <DIR> d-------- C:\Program Files\BillP Studios
2008-01-09 12:55 . 2008-01-09 12:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\WinPatrol
2008-01-07 13:51 . 2008-01-07 13:52 1,291,662 --a------ C:\Install
2008-01-07 10:30 . 2008-01-09 11:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-07 10:30 . 2008-01-07 10:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-06 03:14 . 2008-01-07 12:45 10,752 --a------ C:\WINDOWS\DCEBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 18:12 --------- d-----w C:\Program Files\Java
2008-01-11 06:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-09 22:53 188 ----a-w C:\CMDR950I.DAT
2008-01-09 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-07 20:45 --------- d-----w C:\Program Files\Nxdfiedj
2008-01-07 18:59 --------- d-----w C:\Program Files\America Online 9.0
2008-01-07 18:27 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-07 17:51 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-01-07 17:51 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-12-19 05:54 --------- d-----w C:\Program Files\Yahoo!
2007-12-19 05:54 --------- d-----w C:\Program Files\Pure Networks
2007-12-19 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Gtek
2007-12-19 05:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\GTek
2007-12-19 05:23 --------- d-----w C:\Program Files\MSBuild
2007-12-19 05:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-19 05:14 --------- d-----w C:\Program Files\Reference Assemblies
2007-12-19 05:05 --------- d-----w C:\Program Files\Three Rings Design
2007-12-19 04:57 --------- d-----w C:\Program Files\HPQ
2007-12-19 04:55 --------- d-----w C:\Program Files\R4 Controller
2007-12-19 04:52 --------- d-----w C:\Program Files\MSXML 6.0
2007-12-19 03:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-12-19 03:29 --------- d-----w C:\Program Files\MSD
2007-12-19 03:28 --------- d-----w C:\Program Files\Maxthon
2007-12-19 03:12 --------- d-----w C:\Program Files\Google
2007-12-19 03:08 --------- d-----w C:\Program Files\HandyBits
2007-12-19 03:06 --------- d-----w C:\Program Files\AOL Deskbar
2007-11-14 16:55 164 ----a-w C:\install.dat
2006-12-30 21:23 1,798 -c--a-w C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
2006-03-07 18:59 8,842 -c--a-r C:\Program Files\VSHARE.38_
2006-03-07 18:59 67,828 -c--a-r C:\Program Files\TABCTL16.OC_
2006-03-07 18:59 64,000 -c--a-r C:\Program Files\STORAGE.DL2
2006-03-07 18:59 580,252 -c--a-r C:\Program Files\VB40016.DL_
2006-03-07 18:59 49,399 -c--a-r C:\Program Files\VBDB16.DL_
2006-03-07 18:59 25,197 -c--a-r C:\Program Files\STORAGE.DL1
2006-03-07 18:59 23,044 -c--a-r C:\Program Files\VAEN21.OL_
2006-03-07 18:59 108,779 -c--a-r C:\Program Files\TYPELIB.DL_
2006-03-07 18:59 1,897 -c--a-r C:\Program Files\VBAJET.DL_
2006-03-07 18:59 1,602 -c--a-r C:\Program Files\WB383SB.95_
2006-03-07 18:59 1,528 -c--a-r C:\Program Files\WBMP2405.95_
2006-03-07 18:59 1,496 -c--a-r C:\Program Files\WBTB7503.95_
2006-03-07 18:59 1,494 -c--a-r C:\Program Files\WBSC14SC.95_
2006-03-07 18:59 1,485 -c--a-r C:\Program Files\TBI7503.95_
2006-03-07 18:59 1,476 -c--a-r C:\Program Files\WB502SYS.95_
2006-03-07 18:59 1,472 -c--a-r C:\Program Files\TBI6502.95_
2006-03-07 18:59 1,472 -c--a-r C:\Program Files\TBI6501.95_
2006-03-07 18:59 1,456 -c--a-r C:\Program Files\WBMP3008.95_
2006-03-07 18:59 1,449 -c--a-r C:\Program Files\WBTBBLWN.95_
2006-03-07 18:59 1,437 -c--a-r C:\Program Files\TBI6503.95_
2006-03-07 18:59 1,420 -c--a-r C:\Program Files\WBTC4CYL.95_
2006-03-07 18:59 1,414 -c--a-r C:\Program Files\ZZ4MPI30.95_
2006-03-07 18:58 98,789 -c--a-r C:\Program Files\OLE2NLS.DL_
2006-03-07 18:58 88,532 -c--a-r C:\Program Files\OLE2DISP.DL_
2006-03-07 18:58 8,000 -c--a-r C:\Program Files\MSJETERR.DL_
2006-03-07 18:58 7,684 -c--a-r C:\Program Files\SCP.DL_
2006-03-07 18:58 617,834 -c--a-r C:\Program Files\MSAJT200.DL_
2006-03-07 18:58 60,352 -c--a-r C:\Program Files\PEGO16A.OC_
2006-03-07 18:58 59,061 -c--a-r C:\Program Files\SETUP1.EX_
2006-03-07 18:58 502,082 -c--a-r C:\Program Files\PEGRP16A.DL_
2006-03-07 18:58 5,762 -c--a-r C:\Program Files\OLE2.RE_
2006-03-07 18:58 44,428 -c--a-r C:\Program Files\PE3DO16A.OC_
2006-03-07 18:58 4,039 -c--a-r C:\Program Files\STKIT416.DL_
2006-03-07 18:58 39,785 -c--a-r C:\Program Files\MSCOMM16.OC_
2006-03-07 18:58 35,579 -c--a-r C:\Program Files\OLE2CONV.DL_
2006-03-07 18:58 306,271 -c--a-r C:\Program Files\OC25.DL_
2006-03-07 18:58 30,624 -c--a-r C:\Program Files\SETUP.EXE
2006-03-07 18:58 274,957 -c--a-r C:\Program Files\PRO950.EX_
2006-03-07 18:58 24,410 -c--a-r C:\Program Files\OLE2PROX.DL_
2006-03-07 18:58 2,856 -c--a-r C:\Program Files\STDOLE.TL_
2006-03-07 18:58 170,995 -c--a-r C:\Program Files\OLE2.DL_
2006-03-07 18:58 12,896 -c--a-r C:\Program Files\MSJETINT.DL_
2006-03-07 18:58 12,148 -c--a-r C:\Program Files\SETUP.LST
2006-03-07 18:58 1,479 -c--a-r C:\Program Files\SC14PSI.95_
2006-03-07 18:58 1,455 -c--a-r C:\Program Files\STLTHZZ4.95_
2006-03-07 18:58 1,447 -c--a-r C:\Program Files\MPI3008.95_
2006-03-07 18:58 1,327 -c--a-r C:\Program Files\R42600.95_
2006-03-07 18:58 1,326 -c--a-r C:\Program Files\R42700.95_
2006-03-07 18:58 1,321 -c--a-r C:\Program Files\R50700.95_
2006-03-07 18:58 1,288 -c--a-r C:\Program Files\R50800.95_
2006-03-07 18:57 74,916 -c--a-r C:\Program Files\DBLIST16.OC_
2006-03-07 18:57 67,072 -c--a-r C:\Program Files\DAO2516.DL2
2006-03-07 18:57 61,684 -c--a-r C:\Program Files\COMPOBJ.DL_
2006-03-07 18:57 46,105 -c--a-r C:\Program Files\COMDLG16.OC_
2006-03-07 18:57 38,144 -c--a-r C:\Program Files\C950CALC.XL_
2006-03-07 18:57 203,301 -c--a-r C:\Program Files\DAO2516.DL1
2006-03-07 18:57 173,744 -c--a-r C:\Program Files\DBGRID16.OC_
2006-03-07 18:57 15,098 -c--a-r C:\Program Files\CTL3DV2.DL_
2006-03-07 18:57 106,413 -c--a-r C:\Program Files\GRDKRN16.DL_
2006-03-07 18:57 1,562 -c--a-r C:\Program Files\MPI2402.95_
2006-03-07 18:57 1,513 -c--a-r C:\Program Files\MPI2405.95_
2006-03-07 18:57 1,504 -c--a-r C:\Program Files\MPI1901.95_
2006-03-07 18:57 1,497 -c--a-r C:\Program Files\MPI3006.95_
2006-03-07 18:57 1,483 -c--a-r C:\Program Files\MPI3007.95_
2006-03-07 18:57 1,480 -c--a-r C:\Program Files\350_85.95_
2006-03-07 18:57 1,469 -c--a-r C:\Program Files\50242PPH.95_
2006-03-07 18:57 1,465 -c--a-r C:\Program Files\MPI3004.95_
2006-03-07 18:57 1,465 -c--a-r C:\Program Files\BBC50PPH.95_
2006-03-07 18:57 1,463 -c--a-r C:\Program Files\383SC.95_
2006-03-07 18:57 1,462 -c--a-r C:\Program Files\502SYSMX.95_
2006-03-07 18:57 1,462 -c--a-r C:\Program Files\350SBC30.95_
2006-03-07 18:57 1,459 -c--a-r C:\Program Files\MPI2403.95_
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 18:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 04:12 102492]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 02:27 1015808]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 12:54 253952]
"Lexmark 4200 Series"="C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" [2004-01-16 02:04 57344]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 00:51 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 00:50 204800]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 02:29 102400]
"HostManager"="C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe" [2006-09-25 16:52 50736]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 08:06 292152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-19 13:40 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-19 13:41 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

S3 USA19H;USA19H;C:\WINDOWS\system32\DRIVERS\USA19H2k.sys [2003-06-24 19:30]
S3 USA19H2KP;Keyspan USB Serial Port Driver;C:\WINDOWS\system32\DRIVERS\USA19H2kp.SYS [2003-06-24 19:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-01 02:45:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-20 15:00:28 C:\WINDOWS\Tasks\wrSpySweeper20060502143530.job"
??
????.
\- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe*/ScheduleSweep=wrSpySweeper20060502143530
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 14:22:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\1133668973\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
.
**************************************************************************
.
Completion time: 2008-02-05 14:26:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-05 22:26:05
ComboFix2.txt 2008-02-04 18:10:01
.
2008-01-10 05:47:37 --- E O F ---
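A worked check of the CFScript run above, added here as an example for this thread. It is not ComboFix's own code and not something either poster ran. It parses the File::, Driver:: and Registry:: sections of the CFScript and the FILE, "Other Deletions" and "Drivers/Services" parts of the ComboFix log, then reports which requested files and drivers the log actually shows as removed. It rests on two assumptions about the log format that the output above suggests but the thread never states: that ComboFix echoes every File:: target under the FILE heading, and that only files it really removed appear under "Other Deletions", so a target that is echoed but not deleted was simply not on disk when the script ran. The sample script and log text are copied from this thread; stripping the LEGACY_ prefix from driver lines is my reading of the "Drivers/Services" section, not documented ComboFix behaviour.

```python
r"""Reconcile a ComboFix CFScript with the log ComboFix wrote after running it.
Added example for this thread, not ComboFix's code. Assumed, not stated in the
thread: ComboFix echoes every File:: target under FILE, lists only files it
actually removed under "Other Deletions", and reports removed drivers under
"Drivers/Services" as -------\NAME lines, with and without a LEGACY_ prefix.
"""
import re

# Constructed sample input: the CFScript and log excerpts quoted in this thread.
CFSCRIPT = r"""File::
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NL3C23CI\RegistryCleaner[1].exe
C:\Documents and Settings\Administrator\My Documents\maps.exe
C:\WINDOWS\Temp\win10AF.exe
C:\WINDOWS\Temp\win1179.exe
Folder::
Driver::
LBV
UnlockerDriver4
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwll32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayabcd]
ADS::
"""
COMBOFIX_LOG = r"""FILE
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NL3C23CI\RegistryCleaner[1].exe
C:\Documents and Settings\Administrator\My Documents\maps.exe
C:\WINDOWS\Temp\win10AF.exe
C:\WINDOWS\Temp\win1179.exe
.
(((((((((((((((( Other Deletions ))))))))))))))))
.
C:\Documents and Settings\Administrator\My Documents\maps.exe
.
(((((((((((((((( Drivers/Services ))))))))))))))))
.
-------\LEGACY_LBV
-------\LEGACY_UNLOCKERDRIVER4
-------\LBV
-------\UnlockerDriver4
"""

SECTION_RE = re.compile(r"^(\w+)::$")              # CFScript headers: File::, Driver:: ...
HEADING_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # ComboFix headers: ((( Name )))
DRIVER_RE = re.compile(r"^-+\\(?:LEGACY_)?(.+)$")  # -------\LEGACY_LBV -> LBV
REG_DEL_RE = re.compile(r"^\[-(.+)\]$")            # [-HKLM\...] asks for key deletion


def parse_cfscript(text):
    """Return {section: [entries]}; an entry before any header is a malformed script."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Return {heading: [lines]} for a ComboFix log, skipping its '.' separator lines."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == ".":
            continue
        m = HEADING_RE.match(line)
        if m or line == "FILE":
            current = m.group(1) if m else "FILE"
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def _index(items):
    """Map case-folded spelling -> original (NTFS paths and service names are case-insensitive)."""
    return {item.lower(): item for item in items}


def reconcile(script, log):
    """Compare what the CFScript asked for with what the log says actually happened."""
    req, drv_req = _index(script.get("File", [])), _index(script.get("Driver", []))
    echoed, deleted = _index(log.get("FILE", [])), _index(log.get("Other Deletions", []))
    drv_gone = {m.group(1).lower() for m in map(DRIVER_RE.match, log.get("Drivers/Services", [])) if m}
    return {
        # requested and listed as deleted: the target existed and is now gone
        "files_deleted": [req[k] for k in sorted(req) if k in deleted],
        # echoed but never deleted: not present when the script ran
        "files_absent": [req[k] for k in sorted(req) if k in echoed and k not in deleted],
        # not even echoed: ComboFix never saw the line (typo, wrong section, bad save)
        "files_unprocessed": [req[k] for k in sorted(req) if k not in echoed],
        "drivers_removed": [drv_req[k] for k in sorted(drv_req) if k in drv_gone],
        "drivers_missing": [drv_req[k] for k in sorted(drv_req) if k not in drv_gone],
        "registry_deletions": [m.group(1) for m in map(REG_DEL_RE.match, script.get("Registry", [])) if m],
    }


if __name__ == "__main__":
    report = reconcile(parse_cfscript(CFSCRIPT), parse_combofix_log(COMBOFIX_LOG))
    print("\n".join(f"{k}: {v}" for k, v in report.items()))
```

Run on the script and log above, it reports maps.exe as the only File:: target actually deleted, the other three as echoed under FILE but never listed under Other Deletions (absent at run time, on the assumption stated in the docstring, which the thread does not itself confirm), both drivers as removed, and the two Winlogon\Notify keys as the registry deletions that were requested. The files_unprocessed bucket is the one to watch when a CFScript is typed by hand: a path that never shows up under FILE means ComboFix did not read that line at all, usually because of a stray character in the section header or a file saved with a .txt.txt name.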
 