Problem removing ldcore.dll

adamczykon

I would greatly appreciate any assistance with removing this annoying malware.

Here is my HJT Log (Kaspersky log to follow):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:19 AM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\command.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\windows\system32\ksdsrngo.exe
C:\Program Files\ASAP\ASAPSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\rwintldq.exe
C:\WINDOWS\SYSTEM32\??pPatch\s?ool32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\pmnlmnl.dll (file missing)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {91DA894E-64D9-3C2B-892F-4FE6078408C6} - C:\WINDOWS\system32\xzfyh.dll
O2 - BHO: (no name) - {91F6BC8D-E607-4CDF-8C5E-3CC14FAABF97} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: ASAP Browser Helper Object - {9A2A2BF3-A049-407A-B548-4668E673DCF7} - C:\Program Files\ASAP\ASAPBHO.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINDOWS\system32\aivskurq.dll (file missing)
O2 - BHO: (no name) - {A8FD2B6E-2560-44EA-938F-1AD41B931361} - C:\Program Files\microsoft frontpage\mexoca4444.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com; ad=http://spyguardpro.com
O4 - HKLM\..\Run: [{A4-40-01-12-ZN}] C:\windows\system32\ksdsrngo.exe CHD001
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rwintldq.exe CHD001
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ASAPSvc.exe] "C:\Program Files\ASAP\ASAPSvc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\ksdsrngo.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\rwintldq.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://config.skillcheck.com/onlinetesting/icaclients/win32/8.1.00/onlinetesting.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152571135828
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: pmnlmnl - pmnlmnl.dll (file missing)
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3RldmUgQWRhbWN6eWs\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\wlsijpur.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe (file missing)

--
End of file - 12233 bytes
 
Problem removing ldcore.dll part 2

Again, any assistance with cleaning this up would be greatly appreciated.

Here is my Kaspersky Log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, November 10, 2007 8:03:23 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/11/2007
Kaspersky Anti-Virus database records: 455723
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 132120
Number of viruses found: 12
Number of infected objects: 54
Number of suspicious objects: 0
Duration of the scan process: 02:37:10

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output\Steve\~Running.ping Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\History\History.IE5\MSHist012007110920071110\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\CEMG555077.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\CEMG555077.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Steve\Local Settings\Temp\cmdinst.exe/file1 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\cmdinst.exe/file2 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\cmdinst.exe/file4 Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\cmdinst.exe Inno: infected - 3 skipped
C:\Documents and Settings\Steve\Local Settings\Temp\install_en.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Steve\Local Settings\Temp\k11u72.exe/data0006 Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\Documents and Settings\Steve\Local Settings\Temp\k11u72.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Steve\Local Settings\Temp\NI.UGA6P_0001_N122M2210\setup.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\Perflib_Perfdata_d60.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\Perflib_Perfdata_f8c.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~DF146B.tmp Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~uga6psetup.exe/file14 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~uga6psetup.exe/file20 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~uga6psetup.exe/file34 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~uga6psetup.exe/file36 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~uga6psetup.exe Inno: infected - 4 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\5V5RMFNS\install_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\JM1HGTNV\k11u72[1].exe/data0006 Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\JM1HGTNV\k11u72[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\installer[1].exe/file1 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\installer[1].exe/file2 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\installer[1].exe/file4 Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\installer[1].exe Inno: infected - 3 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\TTC-4444[1].exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\TTC-4444[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\acdt-pid72[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\acdt-pid72[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\installer[1].exe/file1 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\installer[1].exe/file2 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\installer[1].exe/file4 Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\installer[1].exe Inno: infected - 3 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\YQ8Y37AI\sep_WOO_SCH_MOTO315_black_728x90[1].swf Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\YQ8Y37AI\woo_july_U520_728x90[1].swf Object is locked skipped
C:\Documents and Settings\Steve\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Steve\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ASAP\ASAPBHO_log.html Object is locked skipped
C:\Program Files\Common Files\Yazzle1549OinAdmin.exe Object is locked skipped
C:\Program Files\HP Web Jetadmin\logs\access_log Object is locked skipped
C:\Program Files\HP Web Jetadmin\logs\error_log Object is locked skipped
C:\Program Files\HP Web Jetadmin\logs\ssl_request_log Object is locked skipped
C:\Program Files\microsoft frontpage\mexoca4444.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\microsoft frontpage\mexoca555077.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\microsoft frontpage\mexoca83122.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\Network Monitor\netmon.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Program Files\Temporary\wininstall.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112840.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112841.dll Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112842.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112875.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112876.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112877.dll Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112889.dll Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112892.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112910.exe Infected: not-a-virus:AdWare.Win32.Agent.tb skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112974.dll Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112975.dll Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112976.dll Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112977.dll Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112978.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112979.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112980.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112981.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\change.log Object is locked skipped
C:\Temp\ocli.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\Temp\ocli.exe/data0003 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Temp\ocli.exe/data0004/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Temp\ocli.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Temp\ocli.exe/data0005 Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\Temp\ocli.exe NSIS: infected - 5 skipped
C:\WINDOWS\b122.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\fkwggshm.exe Object is locked skipped
C:\WINDOWS\mrofinu1000106.exe Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\a1\rarndrll2.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\ACEEvent.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\core.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\g2\caws83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\SYSTEM32\g2\caws83122.exe NSIS: infected - 1 skipped
C:\WINDOWS\SYSTEM32\h1\wdb51en.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\ldcore.dll Object is locked skipped
C:\WINDOWS\SYSTEM32\Logfiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\SYSTEM32\Mz08r\Mz08r1099.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\r2\wr31drs.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\winexy32.dll Object is locked skipped
C:\WINDOWS\TTC-4444.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\TTC-4444.exe NSIS: infected - 1 skipped
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\wbun.exe Infected: not-a-virus:AdWare.Win32.Agent.tb skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Hello and welcome to the Forums :)

You're quite infected...

1. Download this file - combofix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
 
Here's my combofix log:

ComboFix 07-11-08.1 - Steve 2007-11-11 13:37:23.1 - NTFSx86
Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\Steve\ResErrors.log
C:\Documents and Settings\Steve\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\Steve\Start Menu\Programs\Startup\think-adz.lnk
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\764.exe
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\g2\caws83122.exe
C:\WINDOWS\system32\h1
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ppatch~1
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\v8
C:\WINDOWS\system32\v8\taldrvr11.exe
C:\WINDOWS\system32\xzfyh.dll
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\asappsrv.dll
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\command.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbun.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FMTR
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\core


((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-11 13:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-11 13:49 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\SUPERAntiSpyware.com
2007-11-11 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-11 13:31 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 20:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-09 20:58 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-11-09 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\AVG7
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-09 19:22 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Viewpoint
2007-11-09 18:57 4 --a------ C:\WINDOWS\SYSTEM32\stfv.bin
2007-11-09 18:56 443,454 --ahs---- C:\WINDOWS\SYSTEM32\wybeg.bak2
2007-11-09 05:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\acespy
2007-11-09 05:23 6,465 --ahs---- C:\WINDOWS\SYSTEM32\wybeg.bak1
2007-11-09 05:20 12 --a------ C:\WINDOWS\SYSTEM32\dpqaqlqx.bin
2007-11-09 05:19 196,680 --a------ C:\WINDOWS\SYSTEM32\rwintldq.exe
2007-11-09 05:18 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\SpyGuardPro
2007-11-09 05:18 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2007-11-09 05:18 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-11-09 05:16 <DIR> d--hs---- C:\WINDOWS\U3RldmUgQWRhbWN6eWs
2007-11-08 13:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\Mz08r
2007-11-08 13:18 <DIR> d-------- C:\Temp\mZOr
2007-11-08 13:18 <DIR> d-------- C:\Temp
2007-11-08 13:18 507,179 --a------ C:\Temp\ocli.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 18:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 21:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-10 00:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-10 00:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-10 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-09 10:19 --------- d-----w C:\Program Files\microsoft frontpage
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\U3RldmUgQWRhbWN6eWs\oal5xAo0kql1vqhdyqP.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]
C:\WINDOWS\system32\pmnlmnl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91F6BC8D-E607-4CDF-8C5E-3CC14FAABF97}]
C:\WINDOWS\system32\gebyw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]
C:\WINDOWS\system32\aivskurq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FD2B6E-2560-44EA-938F-1AD41B931361}]
2007-08-02 08:43 282624 --a------ C:\Program Files\microsoft frontpage\mexoca4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"WinVNC"="C:\Program Files\TightVNC\WinVNC.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-22 18:59]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-03 12:00]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-11 11:55]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 04:00]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-09 19:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASAPSvc.exe"="C:\Program Files\ASAP\ASAPSvc.exe" [2006-01-11 22:08]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB6631"=command /c del "C:\WINDOWS\settn.dll_tobedeleted"
"SpybotDeletingD3992"=cmd /c del "C:\WINDOWS\settn.dll_tobedeleted"
"SpybotDeletingB3583"=command /c del "C:\WINDOWS\kvnab.dll_tobedeleted"
"SpybotDeletingD5923"=cmd /c del "C:\WINDOWS\kvnab.dll_tobedeleted"
"SpybotDeletingB4389"=command /c del "C:\WINDOWS\SYSTEM32\wml.exe_tobedeleted"
"SpybotDeletingD8871"=cmd /c del "C:\WINDOWS\SYSTEM32\wml.exe_tobedeleted"
"SpybotDeletingB155"=command /c del "C:\WINDOWS\SYSTEM32\vxddsk.exe_tobedeleted"
"SpybotDeletingD1415"=cmd /c del "C:\WINDOWS\SYSTEM32\vxddsk.exe_tobedeleted"
"SpybotDeletingB8745"=command /c del "C:\WINDOWS\flt.dll_tobedeleted"
"SpybotDeletingD2410"=cmd /c del "C:\WINDOWS\flt.dll_tobedeleted"
"SpybotDeletingB5913"=command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk_tobedeleted"
"SpybotDeletingD1884"=cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk_tobedeleted"
"SpybotDeletingB3543"=command /c del "C:\WINDOWS\SYSTEM32\drivers\core.sys_tobedeleted"
"SpybotDeletingD3584"=cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.sys_tobedeleted"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-06-22 10:00:55]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-14 10:28:03]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-09-28 19:44:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"= C:\WINDOWS\system32\pmnlmnl.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlmnl]
pmnlmnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexy32]
winexy32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebyw.dll

R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 AsfAlrt;AsfAlrt;\??\C:\WINDOWS\System32\drivers\AsfAlrt.sys
R2 HPWebJetadmin;HP Web Jetadmin;"C:\Program Files\HP Web Jetadmin\hpwebjetd.exe" -k runservice

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 14:05:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 14:20:55 - machine was rebooted
.
--- E O F ---
 
Hi.

You have this acespy keylogger installed. I'll assume that you haven't installed it on purpose. One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this article too.


Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Make sure there are NO blank lines before Windows Registry Editor Version 5.00
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.


Open notepad and copy/paste the text in the quotebox below into it:

Code:
Folder::
C:\WINDOWS\SYSTEM32\acespy
C:\Documents and Settings\Steve\Application Data\SpyGuardPro
C:\WINDOWS\U3RldmUgQWRhbWN6eWs
C:\WINDOWS\SYSTEM32\Mz08r
C:\Temp\mZOr

File::
C:\WINDOWS\SYSTEM32\stfv.bin
C:\WINDOWS\SYSTEM32\wybeg.bak2
C:\WINDOWS\SYSTEM32\wybeg.bak1
C:\WINDOWS\SYSTEM32\dpqaqlqx.bin
C:\WINDOWS\SYSTEM32\rwintldq.exe
C:\WINDOWS\system32\pmnlmnl.dll
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\aivskurq.dll
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\system32\gebyw.dll
C:\Program Files\microsoft frontpage\mexoca4444.dll


Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91F6BC8D-E607-4CDF-8C5E-3CC14FAABF97}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FD2B6E-2560-44EA-938F-1AD41B931361}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"=-

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlmnl]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexy32]

Save this as "CFScript"



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
 
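The Fix.reg above rewrites the LSA "Authentication Packages" value as a raw REG_MULTI_SZ (hex(7)) so that only msv1_0 remains. The bytes are easy to get wrong by hand, because each string is NUL-terminated and the whole list ends with one more NUL, and because the encoding depends on the header: a "Windows Registry Editor Version 5.00" file stores hex(7) data as UTF-16LE, while the single-byte form (6d,73,76,31,5f,30,00,00) is the older REGEDIT4 convention. Merged under a Version 5.00 header, those eight bytes decode to three non-ASCII characters rather than "msv1_0", which is consistent with the "Authentication Packages"= ??? that ComboFix reports in the follow-up log. The following Python is an added example, not part of this thread or of any of the tools used in it: it encodes and decodes hex(7) payloads in both conventions, and it scans the "Reg Loading Points" section of a ComboFix log for the two load points abused here (LSA authentication packages and Winlogon Userinit), flagging anything beyond a stock XP baseline. The function names, the baseline sets and the sample log text are mine; the sample lines are copied from the log posted earlier in this thread.

```python
"""Added example (not from the thread): encode/decode REG_MULTI_SZ hex(7)
payloads and flag hijacked LSA / Userinit load points in a ComboFix log."""
import re

# Assumed known-good baseline for a stock Windows XP install: the only
# authentication package is msv1_0 and Userinit launches userinit.exe alone.
BASELINE_AUTH_PACKAGES = {"msv1_0"}
BASELINE_USERINIT = {r"c:\windows\system32\userinit.exe"}


def reg_multi_sz_hex(strings, unicode=True):
    """Return the hex(7) text for a REG_MULTI_SZ holding `strings`.

    unicode=True  -> UTF-16LE bytes, what a "Windows Registry Editor
                     Version 5.00" file expects.
    unicode=False -> single-byte ANSI, the REGEDIT4 convention.
    Each string is NUL-terminated and the list ends with one more NUL.
    """
    encoding = "utf-16-le" if unicode else "latin-1"
    nul = "\0".encode(encoding)
    data = b"".join(s.encode(encoding) + nul for s in strings) + nul
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def parse_hex7(text, unicode=True):
    """Decode a hex(7) payload back into its list of strings, using the
    same encoding rule regedit applies for the given file version."""
    body = text.split(":", 1)[1]
    data = bytes(int(tok, 16) for tok in body.split(",") if tok.strip())
    encoding = "utf-16-le" if unicode else "latin-1"
    return [s for s in data.decode(encoding).split("\0") if s]


# ComboFix prints the LSA value's entries space-separated, and the Userinit
# value .reg-style with doubled backslashes and comma-separated entries.
_LSA_RE = re.compile(r'^"Authentication Packages"=\s*(.*)$', re.I | re.M)
_USERINIT_RE = re.compile(r'^"Userinit"="(.*)"$', re.I | re.M)


def audit_reg_loading_points(log_text):
    """Return (load point, unexpected entry) pairs for every entry in the
    LSA Authentication Packages or Winlogon Userinit values that is not in
    the baseline. A garbled value such as '???' is reported too."""
    findings = []
    for m in _LSA_RE.finditer(log_text):
        for entry in m.group(1).split():
            if entry.lower() not in BASELINE_AUTH_PACKAGES:
                findings.append(("Authentication Packages", entry))
    for m in _USERINIT_RE.finditer(log_text):
        for entry in m.group(1).replace("\\\\", "\\").split(","):
            entry = entry.strip()
            if entry and entry.lower() not in BASELINE_USERINIT:
                findings.append(("Userinit", entry))
    return findings


# Constructed sample: the two hijacked load points from the first ComboFix
# log in this thread, as ComboFix printed them.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebyw.dll
'''

if __name__ == "__main__":
    for point, entry in audit_reg_loading_points(SAMPLE_LOG):
        print(f"unexpected {point} entry: {entry}")
    print("Version 5.00 payload:", reg_multi_sz_hex(["msv1_0"]))
    print("REGEDIT4 payload:    ", reg_multi_sz_hex(["msv1_0"], unicode=False))
```

Run stand-alone, it lists gebyw.dll and vvgeowbv.exe as the two entries that do not belong, and prints the msv1_0 payload in both encodings so the one matching your .reg header can be pasted in. Decoding the single-byte payload with the Version 5.00 rule shows why the header matters: it does not come back as "msv1_0".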
new combofix file

I followed your instructions and came up with the following combofix file (new HJT file to follow):

ComboFix 07-11-08.1 - Steve 2007-11-14 18:12:15.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.768 [GMT -5:00]
Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steve\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\microsoft frontpage\mexoca4444.dll
C:\WINDOWS\system32\aivskurq.dll
C:\WINDOWS\SYSTEM32\dpqaqlqx.bin
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\pmnlmnl.dll
C:\WINDOWS\SYSTEM32\rwintldq.exe
C:\WINDOWS\SYSTEM32\stfv.bin
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\SYSTEM32\wybeg.bak1
C:\WINDOWS\SYSTEM32\wybeg.bak2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Steve\Application Data\SpyGuardPro
C:\Documents and Settings\Steve\Application Data\SpyGuardPro\avtasks.dat
C:\Documents and Settings\Steve\Application Data\SpyGuardPro\Logs\av.log
C:\Documents and Settings\Steve\Application Data\SpyGuardPro\Logs\ga6Support.log
C:\Documents and Settings\Steve\Application Data\SpyGuardPro\Logs\update.log
C:\Documents and Settings\Steve\Application Data\SpyGuardPro\PGE.dat
C:\Program Files\microsoft frontpage\mexoca4444.dll
C:\Temp\mZOr
C:\WINDOWS\SYSTEM32\acespy
C:\WINDOWS\SYSTEM32\acespy\__acelog.ndx
C:\WINDOWS\SYSTEM32\acespy\systune.exe
C:\WINDOWS\SYSTEM32\dpqaqlqx.bin
C:\WINDOWS\SYSTEM32\Mz08r
C:\WINDOWS\SYSTEM32\rwintldq.exe
C:\WINDOWS\SYSTEM32\stfv.bin
C:\WINDOWS\SYSTEM32\wybeg.bak1
C:\WINDOWS\SYSTEM32\wybeg.bak2
C:\WINDOWS\U3RldmUgQWRhbWN6eWs
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\oal5xAo0kql1vqhdyqP.vbs

.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-11 13:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-11 13:49 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\SUPERAntiSpyware.com
2007-11-11 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-11 13:31 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 20:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-09 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\AVG7
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-09 19:22 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Viewpoint
2007-11-09 05:18 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2007-11-09 05:18 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-11-08 13:18 <DIR> d-------- C:\Temp
2007-11-08 13:18 507,179 --a------ C:\Temp\ocli.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 22:41 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-14 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-11 18:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 00:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-10 00:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-10 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-11_14.07.26.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\11-14-2007\ERDNT.EXE
+ 2007-11-14 22:33:59 4,833,280 ----a-w C:\WINDOWS\erdnt\11-14-2007\Users\00000001\NTUSER.DAT
+ 2007-11-14 22:34:00 12,288 ----a-w C:\WINDOWS\erdnt\11-14-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\2007-11-14\ERDNT.EXE
+ 2007-11-14 23:08:58 4,833,280 ----a-w C:\WINDOWS\erdnt\2007-11-14\Users\00000001\NTUSER.DAT
+ 2007-11-14 23:08:58 12,288 ----a-w C:\WINDOWS\erdnt\2007-11-14\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"WinVNC"="C:\Program Files\TightVNC\WinVNC.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-22 18:59]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-03 12:00]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-11 11:55]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 04:00]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-09 19:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASAPSvc.exe"="C:\Program Files\ASAP\ASAPSvc.exe" [2006-01-11 22:08]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-06-22 10:00:55]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-14 10:28:03]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-09-28 19:44:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= ???

R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 AsfAlrt;AsfAlrt;\??\C:\WINDOWS\System32\drivers\AsfAlrt.sys
R2 HPWebJetadmin;HP Web Jetadmin;"C:\Program Files\HP Web Jetadmin\hpwebjetd.exe" -k runservice

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 18:15:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-14 18:16:34
C:\ComboFix2.txt ... 2007-11-11 18:41
C:\ComboFix3.txt ... 2007-11-11 14:20
.
--- E O F ---
 
HJT Log

And here's my latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:58 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ASAP\ASAPSvc.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Steve\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ASAP Browser Helper Object - {9A2A2BF3-A049-407A-B548-4668E673DCF7} - C:\Program Files\ASAP\ASAPBHO.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ASAPSvc.exe] "C:\Program Files\ASAP\ASAPSvc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://config.skillcheck.com/onlinetesting/icaclients/win32/8.1.00/onlinetesting.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152571135828
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe (file missing)

--
End of file - 8525 bytes
 
Hi :)

We'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

We'll do this again:

Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Make sure there are NO blank lines before Windows Registry Editor Version 5.00
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)


Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the icon next to the files found
  • If so, click it, then click the icon right below it and select Move incurable
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot the computer in Normal Mode.
  • Post the Cure-it report and a fresh HijackThis log
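Before merging a .reg fix like the one above it is worth decoding what it actually writes. The Python below is an added example, not a tool from this thread: it reads the Fix.reg text (embedded as a constructed copy), checks the two layout rules the post insists on (header on the very first line, one blank line at the end) and decodes the hex(7) payload, which is how a .reg file spells a REG_MULTI_SZ value. The bytes 6d,73,76,31,5f,30,00,00 are one byte per character and spell msv1_0, the standard NTLM authentication package; LSASS loads every DLL named in that list at boot, which is why anything else in it deserves a close look. Regedit's own Version 5.00 exports write REG_MULTI_SZ data as UTF-16LE (two bytes per character), so the decoder picks the width from the byte pattern; that heuristic is an assumption of this example.

```python
"""Decode and sanity-check a small .reg fix before merging it (added example)."""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
REG_MULTI_SZ = 7  # the N in hex(N) that regedit uses for REG_MULTI_SZ data

# Constructed copy of the Fix.reg text from the post, with the required
# trailing blank line.
FIX_REG = (
    REG_HEADER + "\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
    "\"Authentication Packages\"=hex(7):6d,73,76,31,5f,30,00,00\n"
    "\n"
)

# "name"=hex(N):aa,bb,...   (continuation lines are joined before matching)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=hex\((?P<type>\d+)\):(?P<bytes>[0-9a-fA-F,\s]+)$'
)


def check_layout(text: str) -> list[str]:
    """Return the layout problems the post warns about (empty list means OK)."""
    text = text.replace("\r\n", "\n")  # Notepad saves CRLF line endings
    problems = []
    if not text.startswith(REG_HEADER + "\n"):
        problems.append("header must be the first line, with no blank lines before it")
    if not text.endswith("\n\n"):
        problems.append("file must end with one blank line")
    return problems


def decode_multi_sz(payload: bytes) -> list[str]:
    """Split REG_MULTI_SZ bytes (NUL-separated strings, double-NUL terminated)
    into a list of strings.

    Heuristic (an assumption of this example): if every second byte is zero
    the payload is UTF-16LE, as in a Version 5.00 export; otherwise it is
    treated as 8-bit text, which is how the post's fix is written.
    """
    wide = len(payload) % 2 == 0 and all(b == 0 for b in payload[1::2])
    text = payload.decode("utf-16-le") if wide else payload.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def _logical_lines(text: str):
    """Yield .reg lines with backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        yield pending + line
        pending = ""


def parse_reg(text: str) -> dict:
    """Parse keys and hex(N) values into {key_path: {value_name: (type, data)}}.
    REG_MULTI_SZ data is decoded to a list of strings; other types stay bytes."""
    result, key = {}, None
    for line in _logical_lines(text):
        if not line or line == REG_HEADER or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result[key] = {}
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            payload = bytes(int(b, 16) for b in m["bytes"].split(",") if b.strip())
            code = int(m["type"])
            data = decode_multi_sz(payload) if code == REG_MULTI_SZ else payload
            result[key][m["name"]] = (code, data)
    return result


if __name__ == "__main__":
    print("layout problems:", check_layout(FIX_REG) or "none")
    for path, values in parse_reg(FIX_REG).items():
        for name, (code, data) in values.items():
            print(f"[{path}]\n  {name} (type {code}) -> {data!r}")
```

Run it against the file you saved before double-clicking it: the layout check reproduces the two "Make sure" rules, and the decoded value shows exactly which packages LSASS will be told to load after the merge. The ERUNT backup from the earlier step remains the way back if the live value needs to be restored.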
 
DRWeb.csv file

Here's the Drweb.csv file (HJT to follow).

NOTE: I am no longer able to use IE so I'm using Firefox to get to this forum (IE just opens and then immediately closes with no messages). Print spooler is also no longer running and I lost my installed printer.

04802078.FIL;C:\$VAULT$.AVG;Trojan.PurityAd.origin;Incurable.Moved.;
04804281.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
04805750.FIL;C:\$VAULT$.AVG;Trojan.Click.4740;Deleted.;
04823609.FIL;C:\$VAULT$.AVG;Trojan.Mezzia;Deleted.;
04826343.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.5013;Deleted.;
04826390.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.origin;Incurable.Moved.;
04828937.FIL;C:\$VAULT$.AVG;Trojan.Click.4740;Deleted.;
04830218.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.36206;Deleted.;
04832812.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.36206;Deleted.;
04833015.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
04837843.FIL;C:\$VAULT$.AVG;Trojan.EzulaAd;Deleted.;
04840031.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.origin;Incurable.Moved.;
04840156.FIL;C:\$VAULT$.AVG;Trojan.Click.4740;Deleted.;
04841078.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
05223171.FIL;C:\$VAULT$.AVG;Trojan.EzulaAd;Deleted.;
33646828.FIL;C:\$VAULT$.AVG;Trojan.Winpop.origin;Incurable.Moved.;
33646984.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
33647062.FIL;C:\$VAULT$.AVG;Trojan.Mezzia;Deleted.;
33647109.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.5013;Deleted.;
33647187.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.24715;Deleted.;
33647234.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.36206;Deleted.;
33647328.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
33647406.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
39813188.FIL;C:\$VAULT$.AVG;Trojan.Winpop.origin;Incurable.Moved.;
39815860.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
39817579.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
39817626.FIL;C:\$VAULT$.AVG;Trojan.Click.4740;Deleted.;
39817688.FIL;C:\$VAULT$.AVG;Trojan.EzulaAd;Deleted.;
39820141.FIL\data001;C:\$VAULT$.AVG\39820141.FIL;Adware.MediaTicket.origin;;
39820141.FIL\data002;C:\$VAULT$.AVG\39820141.FIL;Trojan.PurityAd.origin;;
39820141.FIL;C:\$VAULT$.AVG;Archive contains infected objects;Moved.;
39820313.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
39822079.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
39824610.FIL;C:\$VAULT$.AVG;Trojan.Mezzia;Deleted.;
39827126.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.5013;Deleted.;
39828860.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.24715;Deleted.;
39828938.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.36206;Deleted.;
mexoca555077.dll;C:\Program Files\microsoft frontpage;Adware.Ttc;Moved.;
mexoca83122.dll;C:\Program Files\microsoft frontpage;Adware.Ttc;Moved.;
mexoca4444.dll.vir;C:\qoobox\Quarantine\C\Program Files\microsoft frontpage;Adware.Ttc;Moved.;
rwintldq.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32;Adware.Hotbot.origin;Moved.;
xzfyh.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32;Adware.ClickSpring.origin;Moved.;
asappsrv.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\U3RldmUgQWRhbWN6eWs;Trojan.Proxy.493;Deleted.;
command.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\U3RldmUgQWRhbWN6eWs;Trojan.Proxy.493;Deleted.;
A0112847.exe\data002;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112847.exe;Trojan.DownLoader.origin;;
A0112847.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842;Archive contains infected objects;Moved.;
A0112875.sys;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842;Program.Winfixer - read error;;
A0112876.sys;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842;Program.Winfixer - read error;;
A0112887.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842;Trojan.Fakealert.352;Deleted.;
A0113108.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845;Trojan.DnsChange;Deleted.;
A0113143.dll;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847;Adware.ClickSpring.origin;Moved.;
A0113144.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847;Trojan.Proxy.493;Deleted.;
A0113145.dll;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847;Trojan.Proxy.493;Deleted.;
A0113314.dll;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP852;Adware.Ttc;Moved.;
A0113315.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP852;Adware.Hotbot.origin;Moved.;
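The CureIt report above is a semicolon-separated list (object name; folder; detection; action; with a trailing separator), and archive members appear as container\dataNNN with an empty action because the action is recorded on the container line. What matters for triage is where each hit lived. The following Python is an added example, not part of the thread, run over a constructed subset of the lines above: it groups detections by location so that copies inside the AVG virus vault, the ComboFix qoobox quarantine and System Restore points, which were already neutralised, are separated from the files that were still in the live file system.

```python
"""Triage a Dr.Web CureIt report by where each detection lived (added example)."""
from collections import Counter

# Constructed subset of the DrWeb.csv lines posted above.
SAMPLE_REPORT = """\
04802078.FIL;C:\\$VAULT$.AVG;Trojan.PurityAd.origin;Incurable.Moved.;
04804281.FIL;C:\\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
39820141.FIL\\data001;C:\\$VAULT$.AVG\\39820141.FIL;Adware.MediaTicket.origin;;
39820141.FIL;C:\\$VAULT$.AVG;Archive contains infected objects;Moved.;
mexoca555077.dll;C:\\Program Files\\microsoft frontpage;Adware.Ttc;Moved.;
mexoca83122.dll;C:\\Program Files\\microsoft frontpage;Adware.Ttc;Moved.;
rwintldq.exe.vir;C:\\qoobox\\Quarantine\\C\\WINDOWS\\SYSTEM32;Adware.Hotbot.origin;Moved.;
command.exe.vir;C:\\qoobox\\Quarantine\\C\\WINDOWS\\U3RldmUgQWRhbWN6eWs;Trojan.Proxy.493;Deleted.;
A0112875.sys;C:\\System Volume Information\\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\\RP842;Program.Winfixer - read error;;
A0113108.exe;C:\\System Volume Information\\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\\RP845;Trojan.DnsChange;Deleted.;
"""


def classify(folder: str) -> str:
    """Map the folder of a hit to the kind of place it was found in."""
    f = folder.lower()
    if "$vault$.avg" in f:
        return "AVG vault (already quarantined)"
    if "\\qoobox\\quarantine" in f:
        return "ComboFix quarantine (already quarantined)"
    if "\\system volume information\\_restore" in f:
        return "System Restore point"
    return "live file system"


def parse_report(text: str) -> list[dict]:
    """Parse 'name;folder;detection;action;' lines into dicts.
    Archive members are 'container\\dataNNN' with an empty action."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(";")]
        if len(parts) < 4 or not parts[0]:
            continue
        name, folder, detection, action = parts[:4]
        records.append({
            "name": name,
            "folder": folder,
            "detection": detection,
            "action": action or "(none)",
            "location": classify(folder),
            "inside_archive": "\\" in name,
        })
    return records


def triage(records: list[dict]) -> dict:
    """Summarise: counts per location and per action, the hits that were
    live on disk, and objects with no recorded action that are not archive
    members (the scanner could not handle them, e.g. a read error)."""
    live = sorted(
        r["folder"] + "\\" + r["name"]
        for r in records if r["location"] == "live file system"
    )
    unresolved = sorted(
        r["name"] for r in records
        if r["action"] == "(none)" and not r["inside_archive"]
    )
    return {
        "by_location": dict(Counter(r["location"] for r in records)),
        "by_action": dict(Counter(r["action"] for r in records)),
        "live_hits": live,
        "unresolved": unresolved,
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for location, n in summary["by_location"].items():
        print(f"{n:3d}  {location}")
    print("live hits:", *summary["live_hits"], sep="\n  ")
    print("unresolved:", summary["unresolved"])
```

On the sample, only the two mexoca*.dll files under Program Files\microsoft frontpage were live hits; everything else was a quarantined or restore-point copy that the scanner simply cleaned up. Objects with no action and no container (here the "read error" on a restore-point file) are listed as unresolved so they can be re-checked after the next scan.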
 
Latest HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:48, on 2007-11-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\ASAP\ASAPSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ASAP Browser Helper Object - {9A2A2BF3-A049-407A-B548-4668E673DCF7} - C:\Program Files\ASAP\ASAPBHO.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ASAPSvc.exe] "C:\Program Files\ASAP\ASAPSvc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [ASAPSvc.exe] "C:\Program Files\ASAP\ASAPSvc.exe" (User '?')
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://config.skillcheck.com/onlinetesting/icaclients/win32/8.1.00/onlinetesting.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152571135828
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe (file missing)

--
End of file - 8358 bytes
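Reading a HijackThis log by hand comes down to scanning for a few recurring signals. The Python below is an added example, not HijackThis code, run over a constructed excerpt of the log above: it parses the `Oxx - ...` entries, flags those that point at a file that no longer exists or at a service with no publisher string, and answers the helper's "if still present" question by looking an entry up by its CLSID. A flag is a prompt to look closer, not a verdict: "Unknown owner" on ATI Smart only means the binary carries no company name.

```python
"""Parse HijackThis log entries and flag the ones worth a second look (added example)."""
import re

# Constructed excerpt of the HijackThis log posted above.
SAMPLE_HJT = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [WinVNC] "C:\\Program Files\\TightVNC\\WinVNC.exe" -servicehelper
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\WINDOWS\\System32\\msjava.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\SYSTEM32\\ati2sgag.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\\Program Files\\TightVNC\\WinVNC.exe (file missing)
"""

# HijackThis sections are R0-R3, F0-F3, N1-N4 and O1-O24, each "Sn - body".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# A CLSID in braces: 8-4-4-4-12 hex digits.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(text: str) -> list[dict]:
    """Turn log lines into {section, body, clsid, line} records; other
    lines (header, running processes, footer) are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        clsids = CLSID_RE.findall(m["body"])
        entries.append({
            "section": m["section"],
            "body": m["body"],
            "clsid": clsids[0].upper() if clsids else None,
            "line": line,
        })
    return entries


def flag_entries(entries: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (line, reasons) for entries that deserve a closer look."""
    flagged = []
    for e in entries:
        reasons = []
        if "(file missing)" in e["body"] or "(no file)" in e["body"]:
            reasons.append("references a file that no longer exists")
        if e["section"] == "O23" and "Unknown owner" in e["body"]:
            reasons.append("service binary carries no publisher information")
        if reasons:
            flagged.append((e["line"], reasons))
    return flagged


def entry_present(entries: list[dict], clsid: str) -> bool:
    """The 'if still present' check: is an entry with this CLSID in the log?"""
    return any(e["clsid"] == clsid.upper() for e in entries)


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_HJT)
    for line, reasons in flag_entries(entries):
        print(line)
        for r in reasons:
            print("   ->", r)
    # The BHO the helper asked to fix earlier in the thread.
    print("O2 BHO {12F02779-...} still present:",
          entry_present(entries, "{12F02779-6D88-4958-8AD3-83C12D86ADC7}"))
```

On the excerpt, the flagged lines are the orphaned msjava.dll button, the ATI Smart service and the VNC Server service whose binary is gone, while the BHO from the earlier fix list is no longer found, which is the result the "if still present" instruction anticipates.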
 
Hmm okay we'll do some more research...

Then, please do the following...

To generate a HijackThis Startup list:

1. Open HijackThis by double-clicking the desktop shortcut or HijackThis.exe
2. Click on "Open the Misc Tools Section"
3. Make sure that both boxes to the right of "Generate StartupList Log" are checked:

* List also minor sections (Full)
* List empty sections (Complete)

4. Click "Generate StartupListLog"
5. Click "Yes" at the prompt.
6. A Notepad window will open with the contents of the HijackThis Startup list displayed
7. Copy & paste that log here
 
HJT StartuplistLog Part 1

Here's the Startup List Log (too long for one post so I'm splitting it into two parts):

StartupList report, 2007-11-18, 10:40:43
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Steve\Desktop\HiJackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16544)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ASAP\ASAPSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Steve\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]


[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

diagent = "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
UpdReg = C:\WINDOWS\UpdReg.EXE
WinVNC = "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
ATICCC = "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
EPSON Stylus C88 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
eFax 4.3 = "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ASAPSvc.exe = "C:\Program Files\ASAP\ASAPSvc.exe"
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
updateMgr = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe
SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
ASAP Browser Helper Object - C:\Program Files\ASAP\ASAPBHO.dll - {9A2A2BF3-A049-407A-B548-4668E673DCF7}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Office Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\OGACheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=58813

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

[Citrix ICA Client]
InProcServer32 = C:\PROGRA~1\Citrix\icaweb32\WFICA.OCX
CODEBASE = https://config.skillcheck.com/onlinetesting/icaclients/win32/8.1.00/onlinetesting.cab

[{31435657-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

[LinkedIn ContactFinderControl]
InProcServer32 = C:\WINDOWS\DOWNLO~1\LINKED~1.DLL
CODEBASE = http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152571135828

[get_atlcom Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gp.ocx
CODEBASE = http://www.adobe.com/products/acrobat/nos/gp.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx
CODEBASE = http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

(Part 2 to follow)
 
HJT Startuplist Log Part 2

Here is part 2 (of 3) of the Startup List Log:

Enumerating Windows NT/2000/XP services

abp480n5: \SystemRoot\System32\DRIVERS\ABP480N5.SYS (disabled)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adpu160m: \SystemRoot\System32\DRIVERS\adpu160m.sys (disabled)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Compaq AGP Bus Filter: \SystemRoot\System32\DRIVERS\agpCPQ.sys (disabled)
Aha154x: \SystemRoot\System32\DRIVERS\aha154x.sys (disabled)
aic78u2: \SystemRoot\System32\DRIVERS\aic78u2.sys (disabled)
aic78xx: \SystemRoot\System32\DRIVERS\aic78xx.sys (disabled)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: \SystemRoot\System32\DRIVERS\aliide.sys (disabled)
ALI AGP Bus Filter: \SystemRoot\System32\DRIVERS\alim1541.sys (disabled)
AMD AGP Bus Filter Driver: \SystemRoot\System32\DRIVERS\amdagp.sys (disabled)
amsint: \SystemRoot\System32\DRIVERS\amsint.sys (disabled)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
asc: \SystemRoot\System32\DRIVERS\asc.sys (disabled)
asc3350p: \SystemRoot\System32\DRIVERS\asc3350p.sys (disabled)
asc3550: \SystemRoot\System32\DRIVERS\asc3550.sys (disabled)
ASF Agent: C:\Program Files\Intel\ASF Agent\ASFAgent.exe (autostart)
AsfAlrt: \??\C:\WINDOWS\System32\drivers\AsfAlrt.sys (autostart)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\SYSTEM32\ati2sgag.exe (autostart)
ati2mtag: system32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (autostart)
AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
Belarc SMBios Access: \SystemRoot\System32\Drivers\BANTExt.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
catchme: \??\C:\DOCUME~1\Steve\LOCALS~1\Temp\catchme.sys (manual start)
cbidf: \SystemRoot\System32\DRIVERS\cbidf2k.sys (disabled)
cd20xrnt: \SystemRoot\System32\DRIVERS\cd20xrnt.sys (disabled)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
CmdIde: \SystemRoot\System32\DRIVERS\cmdide.sys (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: \SystemRoot\System32\DRIVERS\cpqarray.sys (disabled)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Creative SoundFont Management Device Driver: System32\DRIVERS\ctsfm2k.sys (manual start)
dac2w2k: \SystemRoot\System32\DRIVERS\dac2w2k.sys (disabled)
dac960nt: \SystemRoot\System32\DRIVERS\dac960nt.sys (disabled)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
MS IEEE-1284.4 Driver: System32\DRIVERS\Dot4.sys (manual start)
Print Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Prt.sys (manual start)
Dot4USB Filter Dot4USB Filter: System32\DRIVERS\dot4usb.sys (manual start)
dpti2o: \SystemRoot\System32\DRIVERS\dpti2o.sys (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel(R) PRO/1000 Network Connection Driver: System32\DRIVERS\e1000325.sys (manual start)
3Com EtherLink XL 90XB/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Google Updater Service: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
hpn: \SystemRoot\System32\DRIVERS\hpn.sys (disabled)
HP Web Jetadmin: "C:\Program Files\HP Web Jetadmin\hpwebjetd.exe" -k runservice (autostart)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i2omp: \SystemRoot\System32\DRIVERS\i2omp.sys (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV2: System32\DRIVERS\wATV03nt.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
Iap: C:\Program Files\Dell\OpenManage\Client\Iap.exe (autostart)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
ini910u: \SystemRoot\System32\DRIVERS\ini910u.sys (disabled)
IntelIde: \SystemRoot\System32\DRIVERS\intelide.sys (disabled)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
mraid35x: \SystemRoot\System32\DRIVERS\mraid35x.sys (disabled)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Intel NCS NetService: C:\Program Files\Intel\NCS\Sync\NetSvc.exe (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI WDM Device Driver: System32\DRIVERS\omci.sys (system)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Creative OS Services Driver: System32\DRIVERS\ctoss2k.sys (manual start)
Creative SB Live! Series (WDM): system32\drivers\P16X.sys (manual start)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
perc2: \SystemRoot\System32\DRIVERS\perc2.sys (disabled)
perc2hib: \SystemRoot\System32\DRIVERS\perc2hib.sys (disabled)
PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: system32\DRIVERS\PxHelp20.sys (system)
ql1080: \SystemRoot\System32\DRIVERS\ql1080.sys (disabled)
Ql10wnt: \SystemRoot\System32\DRIVERS\ql10wnt.sys (disabled)
ql12160: \SystemRoot\System32\DRIVERS\ql12160.sys (disabled)
ql1240: \SystemRoot\System32\DRIVERS\ql1240.sys (disabled)
ql1280: \SystemRoot\System32\DRIVERS\ql1280.sys (disabled)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SASDIFSV: \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (system)
SASENUM: \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS (manual start)
SASKUTIL: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (system)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: \SystemRoot\System32\DRIVERS\sisagp.sys (disabled)
smwdm: system32\drivers\smwdm.sys (manual start)
Sparrow: \SystemRoot\System32\DRIVERS\sparrow.sys (disabled)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{261FF5D6-55B3-4D28-8348-7DBC93E219F0} (manual start)
symc810: \SystemRoot\System32\DRIVERS\symc810.sys (disabled)
symc8xx: \SystemRoot\System32\DRIVERS\symc8xx.sys (disabled)
sym_hi: \SystemRoot\System32\DRIVERS\sym_hi.sys (disabled)
sym_u3: \SystemRoot\System32\DRIVERS\sym_u3.sys (disabled)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
TosIde: \SystemRoot\System32\DRIVERS\toside.sys (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: \SystemRoot\System32\DRIVERS\ultra.sys (disabled)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: \SystemRoot\System32\DRIVERS\viaagp.sys (disabled)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
VNC Server: "C:\Program Files\TightVNC\WinVNC.exe" -service (manual start)
WMDM PMSP Service: C:\WINDOWS\System32\MsPMSPSv.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (autostart)
WpdUsb: System32\Drivers\wpdusb.sys (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (system)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------
 
HJT Startup List Log part 3 (Final)

Sorry about making this 3 posts; I didn't realize how big it would be. Anyway, here's the third and final portion:

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 38,817 bytes
Report generated in 0.531 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Hi :)

So IE is still not working? When did this begin?
Have you tried re-installing your printer?
 
IE stopped working after my first HijackThis log post. Whether I click on the shortcut for IE, use the Start Menu > Programs > IE option, or click on a shortcut of a web page I use often, I get the same response: IE starts and then immediately closes in less than 1 second.

When I try to reinstall a printer driver I get an error that says "Operation could not be completed. The print spooler service is not running".

When I checked Services (under Administrative Tools in Control Panel) and tried to start the Print Spooler service, I got this error: "Could not start the Print Spooler service on local computer. Error 1068: The dependency service or group failed to start".

BTW: Some additional issues I've noted and assumed were associated with this problem include no active programs being displayed on my taskbar even though they are definitely open (for example, I've currently got this web page open as well as my Control panel, but there's no control panel or web page showing on my taskbar). I have to Alt+Tab or minimize one to switch between active programs because I can't switch between them using the taskbar.

I really do not want to have to wipe and reload so I'm hoping you can help me fix this problem.
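An added triage check, not from the thread or from any tool it mentions: error 1068 is the Service Control Manager's ERROR_SERVICE_DEPENDENCY_FAIL, so the first thing to inspect is the Print Spooler's dependency chain. The script below (assumes PowerShell 3 or later in an elevated prompt; service name `Spooler` is the Print Spooler referenced in the post above) walks `DependOnService` from the SCM's registry configuration, flags dependencies that are disabled, stopped or missing their binary, and pulls the matching SCM events from the System log.

```powershell
# Resolve a service ImagePath (quoted, with arguments, %SystemRoot%-relative,
# \SystemRoot\... or \??\C:\... driver-style) to a plain file path.
function Resolve-ServiceImagePath {
    param([string] $ImagePath)
    if (-not $ImagePath) { return $null }
    # Drop quotes and trailing arguments, e.g. "C:\...\svchost.exe" -k netsvcs
    $exe = if ($ImagePath.StartsWith('"')) { $ImagePath.Split('"')[1] }
           else { ($ImagePath -split ' -| /')[0] }
    $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
    # Bare "System32\DRIVERS\x.sys" entries are relative to the Windows directory
    if ($exe -notmatch '^[A-Za-z]:\\') { $exe = Join-Path $env:SystemRoot $exe }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

# Recursively report a service and everything it depends on.
function Get-ServiceDependencyReport {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [int] $Depth = 0,
        [hashtable] $Seen = @{}
    )
    if ($Seen.ContainsKey($Name.ToLower())) { return }   # dependency graphs can loop
    $Seen[$Name.ToLower()] = $true

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $cfg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $cfg) {
        # A dependency whose registry key is gone can never start: classic 1068 cause
        [pscustomobject]@{ Depth=$Depth; Service=$Name; Status='MISSING KEY'; Start='?';
                           Exists=$false; Binary=$null; ServiceDll=$null }
        return
    }
    $svc        = Get-Service -Name $Name -ErrorAction SilentlyContinue   # $null for kernel drivers
    $startNames = @{ 0='Boot'; 1='System'; 2='Auto'; 3='Manual'; 4='Disabled' }
    $binary     = Resolve-ServiceImagePath $cfg.ImagePath
    # svchost-hosted services keep their real code in Parameters\ServiceDll; report it,
    # since a replaced ServiceDll is invisible in the ImagePath column.
    $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

    [pscustomobject]@{
        Depth      = $Depth
        Service    = $Name
        Status     = if ($svc) { [string]$svc.Status } else { 'driver/none' }
        Start      = if ($cfg.Start -ne $null) { $startNames[[int]$cfg.Start] } else { '?' }
        Exists     = [bool]($binary -and (Test-Path -LiteralPath $binary))
        Binary     = $binary
        ServiceDll = $dll
    }

    foreach ($dep in @($cfg.DependOnService)) {
        if (-not $dep) { continue }
        if ($dep.StartsWith('+')) {
            # "+Name" is a load-order group, not a service; at least one member must have started
            [pscustomobject]@{ Depth=$Depth+1; Service="group $($dep.Substring(1))"; Status='group';
                               Start=''; Exists=$true; Binary=$null; ServiceDll=$null }
            continue
        }
        Get-ServiceDependencyReport -Name $dep -Depth ($Depth + 1) -Seen $Seen
    }
}

# On Windows XP the Spooler's DependOnService is RPCSS; later versions add HTTP.
$report = Get-ServiceDependencyReport -Name 'Spooler'
$report | Format-Table Depth, Service, Status, Start, Exists, Binary, ServiceDll -AutoSize

# Any dependency (Depth > 0) that is Disabled, Stopped or has no binary explains a 1068.
$report | Where-Object {
    $_.Depth -gt 0 -and ($_.Start -eq 'Disabled' -or -not $_.Exists -or $_.Status -eq 'Stopped')
}

# The SCM also records which dependency failed: System log events 7000, 7001 and 7003.
Get-EventLog -LogName System -Source 'Service Control Manager' -Newest 200 |
    Where-Object { $_.EventID -in 7000, 7001, 7003 -and $_.Message -match 'Spooler|RPCSS' } |
    Select-Object TimeGenerated, EventID, Message
```

A dependency whose Binary or ServiceDll points outside the Windows or Program Files directories, or whose file no longer exists, is worth comparing against the StartupList output posted earlier before any repair is attempted.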
 
OK another scan...


Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.
 
GMER Log

Here's the GMER log:

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-11-19 16:01:59
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.13 ----

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F79B7404] avg7rsw.sys

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE A7DB7C8A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE A7DB47C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ A7DB060A
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE A7DB0AED
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION A7DBB958
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION A7DBE821
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA A7DC738A
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA A7DC6D49
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS A7DC0BBE
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION A7DC1331
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION A7DCF4F4
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL A7DB7B37
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL A7DB3948
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL A7DBD46B
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN A7DCE79D
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL A7DCDC4A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP A7DB42FD
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP A7DCE1DB
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible A7DC91F9

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F79B7404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F79B7404] avg7rsw.sys

---- Registry - GMER 1.0.13 ----

Reg \Registry\USER\S-1-5-21-2558107475-2740083912-10409753-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3385B8B6-8D7F-BF80-03FD-C1913C7D4040}@iaaeofnojddomkonkm 0x69 0x61 0x63 0x70 ...
Reg \Registry\USER\S-1-5-21-2558107475-2740083912-10409753-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3385B8B6-8D7F-BF80-03FD-C1913C7D4040}@hageidngaflkmngi 0x6B 0x61 0x6A 0x6F ...

---- EOF - GMER 1.0.13 ----
 
OK, some research...


Download and unzip Registry Search by Bobbi Flekman.
Unzip it to your desktop.
Double-click the file regsearch.exe

Type the following into the first white box:
Print Spooler

Hit the OK button and the scan begins.

Wait for a text file to open and paste the contents here.
 
RegSearch.txt log

Here's the Text file for the RegSearch utility:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 2007-11-21 22:17:53 for strings:
; 'print spooler'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPOOLER\0000]
"DeviceDesc"="Print Spooler"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"DisplayName"="Print Spooler"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPOOLER\0000]
"DeviceDesc"="Print Spooler"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Spooler]
"DisplayName"="Print Spooler"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SPOOLER\0000]
"DeviceDesc"="Print Spooler"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Spooler]
"DisplayName"="Print Spooler"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPOOLER\0000]
"DeviceDesc"="Print Spooler"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"

; End Of The Log...
 