Jump to content


Photo

Badly infected. No Internet Access. Help!


  • Please log in to reply
31 replies to this topic

#1 wnfrench

wnfrench

    Advanced Member

  • Members
  • PipPipPip
  • 32 posts

Posted 25 June 2006 - 04:37 PM

Three types of anti-spyware, active anti-virus protection and what I thought were safe internet browsing habits obviously weren't enough. One of my systems is badly infected and all the things I've done haven't cleaned out the bad stuff. I hope I haven't made the situation worse, but I may have: now I have no internet access (and that was before I physically pulled the plug to the router and cable modem!). The CPU meter in Task Manager is constantly pegged at 100% (except in safe mode) and the system runs as slow as the proverbial molasses in January!

I have run AAse multiple times, in both safe mode and regular mode, Ewido the same and Hijack This!(but without taking any actions in HJT). I've run the NewDotNet removal instructions suggested elsewhere in this forum, but am not sure if my responses to the popup spyware warnings/suggested actions of my various anti-spyware programs caused me to not do it the right way. Hence, the probable cause of my loss of internet access.

Tell me what you want me to send and do. I'll do it. Thanks in advance for any help you can give me.

Here's my latest AAse scan log:


Ad-Aware SE Build 1.06r1
Logfile Created on:Saturday, June 24, 2006 5:26:03 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R112 15.06.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
e2give(TAC index:7):13 total references
MRU List(TAC index:0):6 total references
Prutect(TAC index:8):2 total references
Spyware.E2Give(TAC index:10):3 total references
Win32.Generic.PWS(TAC index:10):18 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


6/24/2006 5:26:03 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Owner\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-2237693894-1415581680-2428159654-1003\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-2237693894-1415581680-2428159654-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-2237693894-1415581680-2428159654-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-2237693894-1415581680-2428159654-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-2237693894-1415581680-2428159654-1003\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 684
ThreadCreationTime : 6/24/2006 7:15:26 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 860
ThreadCreationTime : 6/24/2006 7:15:32 PM
BasePriority : High


Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 912
ThreadCreationTime : 6/24/2006 7:15:35 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)


#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 924
ThreadCreationTime : 6/24/2006 7:15:35 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)


#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1092
ThreadCreationTime : 6/24/2006 7:15:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)


#:6 [msmpeng.exe]
FilePath : C:\Program Files\Windows Defender\
ProcessID : 1292
ThreadCreationTime : 6/24/2006 7:15:40 PM
BasePriority : Normal
FileVersion : 1.1.1347.0
ProductVersion : 1.1.1347.0
ProductName : Windows Defender
CompanyName : Microsoft Corporation
FileDescription : Service Executable
InternalName : MsMpEng.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MsMpEng.exe

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)


#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1352
ThreadCreationTime : 6/24/2006 7:15:41 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\System32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\System32\inicfg32.dll)


#:8 [brsvc01a.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1760
ThreadCreationTime : 6/24/2006 7:15:47 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 4
ProductVersion : 1, 0, 0, 4
ProductName : brother Industries Ltd brsvc01a
CompanyName : brother Industries Ltd
FileDescription : brsvc01a
InternalName : brsvc01a
LegalCopyright : Copyright © Brother Industries, Ltd 2003
OriginalFilename : brsvc01a.exe

#:9 [brss01a.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1808
ThreadCreationTime : 6/24/2006 7:15:47 PM
BasePriority : Normal
FileVersion : 1.004
ProductVersion : 1, 0, 0, 4
ProductName : brother Industries Ltd brss01a.exe
CompanyName : brother Industries Ltd
FileDescription : brss01a.exe
InternalName : brss01a.exe
LegalCopyright : Copyright ? 2001
OriginalFilename : brss01a.exe
Comments : Brsplproc XP wrapper

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1816
ThreadCreationTime : 6/24/2006 7:15:47 PM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)


#:11 [cisvc.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1080
ThreadCreationTime : 6/24/2006 7:15:56 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cisvc.exe

#:12 [guard.exe]
FilePath : C:\Program Files\ewido anti-spyware 4.0\
ProcessID : 1232
ThreadCreationTime : 6/24/2006 7:15:57 PM
BasePriority : Normal
FileVersion : 4, 0, 0, 172
ProductVersion : 4, 0, 0, 172
ProductName : ewido anti-spyware
CompanyName : Anti-Malware Development a.s.
FileDescription : ewido anti-spyware guard
InternalName : ewido anti-spywareguard
LegalCopyright : Copyright © 2005 Anti-Malware Development a.s.
OriginalFilename : guard.exe

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

Warning! "C:\Program Files\ewido anti-spyware 4.0\guard.exe"Process could not be terminated!

#:13 [lxrjd31s.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1272
ThreadCreationTime : 6/24/2006 7:15:58 PM
BasePriority : Normal


#:14 [nvsvc32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1388
ThreadCreationTime : 6/24/2006 7:15:58 PM
BasePriority : Normal
FileVersion : 6.14.10.6176
ProductVersion : 6.14.10.6176
ProductName : NVIDIA Driver Helper Service, Version 61.76
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 61.76
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:15 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1484
ThreadCreationTime : 6/24/2006 7:15:59 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)


#:16 [mxtask.exe]
FilePath : C:\PROGRA~1\VCOM\SYSTEM~1\
ProcessID : 1532
ThreadCreationTime : 6/24/2006 7:16:00 PM
BasePriority : Normal
FileVersion : 6.0.3.5
CompanyName : Avanquest Publishing USA, Inc.
FileDescription : The background task server
InternalName : MXTask
LegalCopyright : Copyright © 1997-2005 Avanquest Publishing USA, Inc.
LegalTrademarks : SystemSuite is a trademark of Avanquest Publishing USA, Inc.
OriginalFilename : MXTask.exe

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)


#:17 [shwiconem.exe]
FilePath : C:\Program Files\Digital Media Reader\
ProcessID : 1876
ThreadCreationTime : 6/24/2006 7:16:05 PM
BasePriority : Idle
FileVersion : 1, 4, 0, 8
ProductVersion : 1, 4, 0, 8
ProductName : Multimedia Card Reader
CompanyName : Alcor Micro, Corp.
LegalCopyright : Copyright c 2002
Comments : Alcor 9360 4/4.5 Slot XP

#:18 [lvcomsx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1940
ThreadCreationTime : 6/24/2006 7:16:05 PM
BasePriority : Normal
FileVersion : 8.3.0.1096
ProductVersion : 8.3.0.1096
ProductName : Logitech QuickCam
CompanyName : Logitech Inc.
FileDescription : LVCom Server
InternalName : LVComS.exe
LegalCopyright : © 1996-2004 Logitech. All rights reserved.
OriginalFilename : LVComS.exe

#:19 [msascui.exe]
FilePath : C:\Program Files\Windows Defender\
ProcessID : 1992
ThreadCreationTime : 6/24/2006 7:16:06 PM
BasePriority : Normal
FileVersion : 1.1.1347.0
ProductVersion : 1.1.1347.0
ProductName : Windows Defender
CompanyName : Microsoft Corporation
FileDescription : Windows Defender User Interface
InternalName : MSASCUI
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MSASCUI.exe

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)


#:20 [ewido.exe]
FilePath : C:\Program Files\ewido anti-spyware 4.0\
ProcessID : 2012
ThreadCreationTime : 6/24/2006 7:16:06 PM
BasePriority : Normal
FileVersion : 4, 0, 0, 172
ProductVersion : 4, 0, 0, 172
ProductName : ewido anti-spyware
CompanyName : Anti-Malware Development a.s.
FileDescription : ewido anti-spyware
InternalName : ewido anti-spyware
LegalCopyright : Copyright © 2005 Anti-Malware Development a.s.
OriginalFilename : ewido.exe

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)


#:21 [aim.exe]
FilePath : C:\Program Files\AIM\
ProcessID : 1648
ThreadCreationTime : 6/24/2006 7:16:07 PM
BasePriority : Normal
FileVersion : 5.9.3861
ProductVersion : 5.9.3861
ProductName : AOL Instant Messenger
CompanyName : America Online, Inc.
FileDescription : AOL Instant Messenger
InternalName : AIM
LegalCopyright : Copyright © 1996-2005 America Online, Inc.
OriginalFilename : AIM.EXE

#:22 [taskmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 400
ThreadCreationTime : 6/24/2006 7:16:11 PM
BasePriority : High
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows TaskManager
InternalName : taskmgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : taskmgr.exe

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)


#:23 [wscntfy.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2464
ThreadCreationTime : 6/24/2006 7:16:51 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Security Center Notification App
InternalName : wscntfy.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wscntfy.exe

#:24 [mxtask.exe]
FilePath : C:\PROGRA~1\VCOM\SYSTEM~1\
ProcessID : 2612
ThreadCreationTime : 6/24/2006 7:16:57 PM
BasePriority : Normal
FileVersion : 6.0.3.5
CompanyName : Avanquest Publishing USA, Inc.
FileDescription : The background task server
InternalName : MXTask
LegalCopyright : Copyright © 1997-2005 Avanquest Publishing USA, Inc.
LegalTrademarks : SystemSuite is a trademark of Avanquest Publishing USA, Inc.
OriginalFilename : MXTask.exe

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)


#:25 [hijackthis.exe]
FilePath : C:\Program Files\Hijackthis\
ProcessID : 2764
ThreadCreationTime : 6/24/2006 7:22:42 PM
BasePriority : Normal
FileVersion : 1.99.0001
ProductVersion : 1.99.0001
ProductName : HijackThis
CompanyName : Soeperman Enterprises Ltd.
FileDescription : HijackThis
InternalName : HijackThis
LegalCopyright : Freeware
OriginalFilename : HijackThis.exe
Comments : Version history is in Help section

#:26 [notepad.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3616
ThreadCreationTime : 6/24/2006 7:23:24 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : NOTEPAD.EXE

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)


#:27 [cidaemon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3732
ThreadCreationTime : 6/24/2006 7:23:36 PM
BasePriority : Idle
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cidaemon.exe

#:28 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 800
ThreadCreationTime : 6/24/2006 9:15:29 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:29 [notepad.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2648
ThreadCreationTime : 6/24/2006 9:15:32 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : NOTEPAD.EXE

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

"C:\WINDOWS\system32\NOTEPAD.EXE"Process terminated successfully

#:30 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 2256
ThreadCreationTime : 6/24/2006 9:28:17 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)


#:31 [notepad.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3056
ThreadCreationTime : 6/24/2006 9:36:43 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : NOTEPAD.EXE

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Category : Monitoring Tool
Comment : iniwin32.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

"C:\WINDOWS\system32\notepad.exe"Process terminated successfully

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 24


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

e2give Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}

e2give Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}

e2give Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}
Value : AppID3

e2give Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}
Value :

e2give Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}
Value : AppID

e2give Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}

Prutect Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\iebhos.dll

Prutect Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{3643abc2-21bf-46b9-b230-f247db0c6fd6}

Spyware.E2Give Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}

Spyware.E2Give Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\typelib\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 10
Objects found so far: 34


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 34


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 34



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 34


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 34


Deep scanning and examining files (J:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for J:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 34


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 34




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

e2give Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : iebhos.control

e2give Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : iebhos.control.1

e2give Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\e2g

e2give Object Recognized!
Type : Folder
TAC Rating : 7
Category : Malware
Comment : e2give
Object : C:\Program Files\E2G

e2give Object Recognized!
Type : Folder
TAC Rating : 7
Category : Malware
Comment : e2give
Object : C:\Program Files\\\E2G

e2give Object Recognized!
Type : File
Data : IeBHOs.dll
TAC Rating : 7
Category : Malware
Comment :
Object : C:\Program Files\e2g\



e2give Object Recognized!
Type : File
Data : IeBHOs.dll
TAC Rating : 7
Category : Malware
Comment :
Object : C:\Program Files\\e2g\



Spyware.E2Give Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\appid\iebhos.dll

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 8
Objects found so far: 42

6:12:34 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:46:30.859
Objects scanned:226853
Objects identified:18
Objects ignored:0
New critical objects:18

#2 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 26 June 2006 - 12:09 AM

Please download E2TakeOut by RubbeR DuckY from here:

http://www.malwareby...g/E2TakeOut.zip
  • Extract the file to your Desktop
  • Double click E2TakeOut.exe
  • Click the Begin Removal button
  • Wait until the program is finished scanning
  • Once done, it will produce a popup stating that the infection has been found and you need to reboot you computer to complete the removal
  • Reboot your computer
  • Once your computer has rebooted E2TakeOut will open and produce a report
  • Please copy/paste that report into your next reply
.......................
Also please post a Fresh Hijack This log.
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#3 wnfrench

wnfrench

    Advanced Member

  • Members
  • PipPipPip
  • 32 posts

Posted 26 June 2006 - 02:58 PM

Hi Janie! Thanks for repsonding so quickly. But what were you doing working Sunday night? Anyway, thank you.

Shortly after posting the above entry, I was reading some more posts and came across the E2TakeOut. I downloaded it, transferred it to the infected system ( thank goodness for USB flash drives!) and ran it. Here's the log:

E2TakeOut v1.00 [http://www.malwarebytes.org]

Removed! C:\WINDOWS\system32\inicfg32.dll
Removed directory and files! C:\Program Files\E2G
Removed orphaned leftovers
AppInit key reset

I ran it again this morning; it showed nothing to clean or report.

Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:33:39 AM, on 6/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Documents and Settings\Owner\Desktop\E2TakeOut.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Shortcut to taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\webhdll.dll' missing
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} (InstallShield Setup Player 2K2) - http://host1.tcnet.t...stall/setup.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1132581635578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.cus...l/java/RntX.cab
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\dRvclnt.dll (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\aqezhvw.exe (file missing)

#4 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 26 June 2006 - 05:28 PM

It was WebHancer (not NewDotNet) that took out your internet connectivity.

Download LSPfix here:
http://www.cexx.org/lspfix.htm

Start the program and then check the *I know what I'm doing* box.

Disconnect from the internet.

Move all instances of webhdll.dll (and nothing else) to the Remove pane. click the Finish Button.

I'll come back with steps for other things to fix on your HijackThis log
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#5 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 26 June 2006 - 05:36 PM

Open HijackThis and do a *scan only*
When it finishes, checkmark these entries in the list and press the *fix checked* button:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)

O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\dRvclnt.dll (file missing)

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\aqezhvw.exe (file missing)

Delete this folder (if found)

C:\Program Files\E2G

Reboot your computer. Let me know if things are back to working ok?
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#6 wnfrench

wnfrench

    Advanced Member

  • Members
  • PipPipPip
  • 32 posts

Posted 27 June 2006 - 08:55 PM

Well, CJ, things kind of came back to normal, with one or two exceptions which we can discuss when we get the new major problems resolved.

I rebooted, system came back up. I ran HJT scan, Ewido scan, System Suite (Trend Micro) AV scan. Everything appeared to be pretty clean.

Brought both systems down, reconnected "was-sick-now-better" system to router and cable modem, fired everything back up. Looked at MSIE settings, didn't look any the worse for wear, cleared out the cache, didn't see any bad cookies, and brought up IE. It went straight to my Comcast homepage and everything looked fine.

I then went to one of my favorite sites, a subscription site for technical analysis, and one with which I've never had any problems. A few minutes into my visit, Ewido and SSAV warnings started popping up like mad! I closed down IE but didn't physically disconnect, and ran scans using the tools mentioned above. They came up with a whole new collection of goodies, as you will see below.

In addition, my normal desktop had disappeared and been replaced by a black screen with a message something like " Your system is at risk of infection. You should install anti-spyware and anti-virus software!" Ha Ha. One thing you can say about these malware types is they certainly have a sense of humor.

After I started to try to look around using Windows Explorer and run some scans, the screens(I have a dual monitors) turned white. That's the way they are as of this posting. I have not rebooted yet.

Here are reports from those scans:

I. Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 11:40:14 AM, on 6/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web

Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\inet20026\services.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [ÿ_zskVWQEUV] C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F\VUEQWV.exe
O4 - HKLM\..\RunServices: [ÿ_zskVWQEUV] C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F\VUEQWV.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ÿ_zskVWQEUV] C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F\VUEQWV.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - Global Startup: Shortcut to taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} (InstallShield Setup Player 2K2) - http://host1.tcnet.t...stall/setup.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.micros...b?1132581635578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.cus...l/java/RntX.cab
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

II. Ewido:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:44:39 PM 6/27/2006

+ Scan result:



C:\Documents and Settings\Owner\Local Settings\Temp\vx6.game -> Downloader.Agent.anh : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4DM3OHAF\188[1].htm -> Downloader.Agent.at : No action taken.
C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\vxgamet1.exe.QUAR00 -> Downloader.Agent.hy : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\vxt1.game -> Downloader.Agent.hy : No action taken.
C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\vxgame4.exe.QUAR00 -> Downloader.Small.ctk : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\vx4.game -> Downloader.Small.ctk : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\vx3.game -> Downloader.Small.cxx : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\vxt3.game -> Downloader.Small.cyb : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\vxt2.game -> Downloader.Small.dbx : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\vxt4.game -> Downloader.Small.dbx : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0XEZWDUR\win32[1].exe -> Downloader.Tibs.eo : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\6.dlb -> Downloader.Tibs.ew : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\7.dlb -> Downloader.Tibs.ew : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZVLJ79OW\xpl[1].wmf -> Exploit.MS05-053-WMF : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\2.dlb -> Hijacker.Spywad.o : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O9QNKHAB\new[1].htm -> Not-A-Virus.Constructor.Perl.Msdds.b : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\SystemDoctor2006FreeInstall.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : No action taken.
C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\comdlj32.dll.QUAR00 -> Proxy.Agent.ji : No action taken.
C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\OEM.exe.QUAR00 -> Proxy.Agent.jw : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\vx2.game -> Proxy.Agent.km : No action taken.
C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\taskdir.dll.QUAR00 -> Proxy.Lager.aq : No action taken.
C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\TheMatrixHasYou.exe.QUAR00 -> Proxy.Small.bo : No action taken.
C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\socks.exe.QUAR00 -> Proxy.Small.bt : No action taken.
C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\select.exe.QUAR00 -> Proxy.Small.em : No action taken.
C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\alg.exe.QUAR00 -> Worm.Delf.i : No action taken.

::Report end


III. System Suite (Trend Micro) AV Scan:

On-Demand Virus Scanner Results:

Run: 6/27/2006 10:46:39 AM

Drives scanned:
C:\
D:\
Categories checked:
Boot Sectors
Executables
Macros

Results:

Found potential threat
In File: C:\WINDOWS\comdlj32.dll
Name: TROJ_AGENT.BPM
Requested action: Remove potential threat.
Results: Potential threat removal attempt failed. File quarantined.

Found potential threat
In File: C:\WINDOWS\inet20026\alg.exe
Name: TROJ_CHOPHAR.A
Requested action: Automatically attempt to remove potential threat from infected file.
Result: Potential threat removal attempt failed. File quarantined.

Found potential threat
In File: C:\WINDOWS\inet20026\select.exe
Name: TROJ_SMALL.WL
Requested action: Automatically attempt to remove potential threat from infected file.
Result: Potential threat removal attempt failed. File quarantined.

Found potential threat
In File: C:\WINDOWS\inet20026\socks.exe
Name: TROJ_PROXY.AC
Requested action: Automatically attempt to remove potential threat from infected file.
Result: Potential threat removal attempt failed. File quarantined.

Found potential threat
In File: C:\WINDOWS\OEM.exe
Name: TROJ_PROXY.BN
Requested action: Automatically attempt to remove potential threat from infected file.
Result: Potential threat removal attempt failed. File quarantined.

Found potential threat
In File: C:\WINDOWS\system32\taskdir.dll
Name: TROJ_LAGER.Z
Requested action: Automatically attempt to remove potential threat from infected file.
Result: Potential threat removal attempt failed. File quarantined.

Found potential threat
In File: C:\WINDOWS\system32\TheMatrixHasYou.exe
Name: TROJ_DAEMONIZ.AM
Requested action: Automatically attempt to remove potential threat from infected file.
Result: Potential threat removal attempt failed. File quarantined.

Found potential threat
In File: C:\WINDOWS\system32\vxgame4.exe
Name: TROJ_SMALL.BBN
Requested action: Automatically attempt to remove potential threat from infected file.
Result: Potential threat removal attempt failed. File quarantined.

Found potential threat
In File: C:\WINDOWS\system32\vxgamet1.exe
Name: TROJ_DLOADER.CTO
Requested action: Automatically attempt to remove potential threat from infected file.
Result: Potential threat removal attempt failed. File quarantined.

Files not scanned:
C:\hiberfil.sys
C:\pagefile.sys

11115 Executables scanned
1596 Macros scanned
12 Files inside archives scanned
2 Files that could not be scanned (files in use, encrypted archives, etc.)
12753 Total files scanned


If you don't need or want the Ewido or AV scans, I won't paste them into future postings.

My biggest questions are where does this stuff come from, how does it get through and what do I have to do to prevent it? I have some specific questions for you once. and if, we get this mess cleaned up.

Thanks,

Bill

#7 wnfrench

wnfrench

    Advanced Member

  • Members
  • PipPipPip
  • 32 posts

Posted 27 June 2006 - 09:08 PM

Something that I forgot to add is that whenever I go directly to the Desktop folder using Windows Explorer (one of the only ways I can access those desktop shortcuts now!), I get an AV popup warning me of something call "PE_Generic." It's probably one of, if not the main, culprits responsible for these pretty blank, white screens looking at me now.

#8 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 27 June 2006 - 11:12 PM

I have to wonder if you have a rootkit and a backdoor trojan (I know you have a backdoor trojan and some other very nasty things...and your PC is also being used to send spam by a spambot).

Keep this PC off the net. Run these two tools to produce a log:

Post a report from this tool

Download the free beta trial of this tool from F-Secure called Blacklight
F-Secure Blacklight: http://www.f-secure....light/try.shtml
Doubleclick on bibeta.exe to run it.
Click the *I accept* button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new text file near blacklite.Post it please. The text file is named:
fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
!!Do not rename any files yet

..................
And this tool:

Please download Rootkit Revealer
http://www.sysintern...itrevealer.html
(link is at the very bottom of the page)

Unzip it to your desktop.
Open the rootkitrevealer folder and double-click rootkitrevealer.exe
Click the Scan button (bottom right)
It may take a while to scan (don't do anything while it's running - leave the PC idle during the scan!)
When it's done, go up to File > Save. Choose to save it to your desktop.
Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#9 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 27 June 2006 - 11:16 PM

Oh, and the Ewido report...says "no action taken"

Here's what you need to be doing. At the end of the scan you are presented with a list of infected files found.

Press the *Recommended Action* link and choose *quarantine* from the list....then hit the *Apply to all* button

Posted Image

Then *Apply to all*
Posted Image
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#10 wnfrench

wnfrench

    Advanced Member

  • Members
  • PipPipPip
  • 32 posts

Posted 28 June 2006 - 01:27 AM

BlackLight Beta could not run. It returned this message:

"F-Secure BlackLight could not acquire necessary privileges (SeDebugPrivilege)."
"- Your computer settings may prevent acquiring these privileges.
-A malicious program might have disabled these privileges."

I encountered a similar message when I tried to run ListDLLs a few days ago: "No debug privilege." I then proceeded to manually start debug in a DOS window just fine.

Must not be the same thing.

Here is the scan report from Root Kit Reveal:

S-1-5-21-2237693894-1415581680-2428159654-1003 0 bytes Error dumping hive: The system cannot find the file specified.
HKLM\SOFTWARE\Classes\webcal\URL Protocol 2/17/2005 12:26 PM 13 bytes Data mismatch between Windows API and raw hive data.
C:\System Volume Information\catalog.wci\0001000A.ci 6/27/2006 5:46 PM 332.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000A.dir 6/27/2006 5:46 PM 1.31 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000C.ci 6/27/2006 5:47 PM 4.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000C.dir 6/27/2006 5:47 PM 320 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000E.ci 6/27/2006 5:52 PM 4.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000E.dir 6/27/2006 5:52 PM 320 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.000 6/27/2006 5:52 PM 240 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.001 6/27/2006 5:52 PM 576.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.002 6/27/2006 5:52 PM 576.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.000 6/27/2006 5:47 PM 240 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffd.001 6/27/2006 5:47 PM 576.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffd.002 6/27/2006 5:47 PM 576.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 6/27/2006 5:40 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.
D: 0 bytes Error mounting volume

- end -

Drive D: on this system is a partition on physical drive C: in which all the system backup files are stored.

#11 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 28 June 2006 - 01:45 AM

SeDebugPrivilege error is usually as result of damage by the Look2me pest. This tool fixes that one and a couple of others, plus a good log of diagnostic stuff for me to look at ;)

1. Download this file - combofix.exe
http://download.blee...Bs/combofix.exe

2. Double click on combofix.exe & follow the prompts.

Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no)
Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders)


Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

3. When finished, it shall produce a log for you. Post that log in your next reply
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#12 wnfrench

wnfrench

    Advanced Member

  • Members
  • PipPipPip
  • 32 posts

Posted 28 June 2006 - 03:52 AM

Here is the log from combofix.exe (You're right. This is quite a file. I have added a note at the end.):

Start Time= Tue 06/27/2006 21:31:52.85
Running from: C:\Bleeping Computer

(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))

21:32:57.84

* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-22 16:38:44 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-06-27 11:23:00 2 "C:\WINDOWS\system32\maxd641.exe"
2006-06-27 10:42:30 22,528 "C:\WINDOWS\system32\vxgame1.exe"
2006-06-27 10:42:30 35,952 "C:\WINDOWS\system32\vxgame2.exe"
2006-06-22 16:38:22 8,464 "C:\WINDOWS\system32\sporder.dll"
2006-06-22 17:04:44 53 "C:\WINDOWS\nqocec.dat"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06/22/2006 05:04 PM 53 nqocec.dat.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-27 11:23:00 2 "C:\WINDOWS\system32\maxd641.exe"
2006-06-27 10:42:30 22,528 "C:\WINDOWS\system32\vxgame1.exe"
2006-06-27 10:42:30 35,952 "C:\WINDOWS\system32\vxgame2.exe"
2006-06-22 16:38:44 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-06-22 16:38:22 8,464 "C:\WINDOWS\system32\sporder.dll"


((((((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\SYSTEM32\BK.EXE


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



21:36:33.23
((((((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\drsmartload1.exe
C:\drsmartload45g.exe
C:\drsmartload46g.exe
C:\drsmartload849a.exe
C:\drsmartload849g.exe
C:\Mendoza1.exe
C:\dfndra.exe
C:\nwnm.exe
C:\kybrd.exe
C:\WINDOWS\newname.dat
C:\WINDOWS\keyboard1.dat
C:\Program Files\Common Files\misc001
C:\Program Files\Common Files\simtest
C:\Program Files\Common Files\svchostsys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-06-27 11:23:00 2 ( A.... ) "C:\WINDOWS\system32\maxd641.exe"
2006-06-27 10:43:14 46592 ( A.... ) "C:\WINDOWS\system32\zlbw.dll"
2006-06-27 10:42:44 9266 ( A.... ) "C:\WINDOWS\system32\taskdir~.exe"
2006-06-27 10:42:30 35952 ( A.... ) "C:\WINDOWS\system32\vxgame2.exe"
2006-06-27 10:42:30 35952 ( A.... ) "C:\WINDOWS\system32\_zskwrkni05YTWFESJ]_VUT^MYZ.exe"
2006-06-27 10:42:30 22528 ( A.... ) "C:\WINDOWS\system32\vxgame1.exe"
2006-06-27 10:41:56 1510595 ( A.... ) "C:\Documents and Settings\Owner\Application Data\Install.dat"
2006-06-27 10:41:52 17894 ( A.... ) "C:\WINDOWS\xpupdate.exe"
2006-06-27 10:41:52 6630 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq5.exe"
2006-06-27 10:41:50 2518 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq1.exe"
2006-06-27 10:41:50 15 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq8.exe"
2006-06-27 10:41:44 7792 ( A.... ) "C:\WINDOWS\system32\kernels8.exe"
2006-06-26 12:26:58 ( .D... ) "C:\Program Files\LSPFixer"
2006-06-24 16:32:46 ( .D... ) "C:\Program Files\SysInternals"
2006-06-24 16:24:16 0 ( A.... ) "C:\Program Files\New Shortcut"
2006-06-24 14:22:42 ( .D... ) "C:\Program Files\Hijackthis"
2006-06-23 16:52:16 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-06-22 16:59:02 143360 ( A.... ) "C:\WINDOWS\ms061878-53406.exe"
2006-06-22 16:41:14 32768 ( A.... ) "C:\WINDOWS\tbggdhbu.exe"
2006-06-22 16:40:26 1392640 ( A.... ) "C:\WINDOWS\cfg32a.exe"
2006-06-22 16:38:58 928 ( A.... ) "C:\WINDOWS\system32\nt68rrtc12.sys"
2006-06-22 16:38:58 928 ( A.... ) "C:\WINDOWS\system32\nt68rrtc12.sys"
2006-06-22 16:38:46 20480 ( A.... ) "C:\stub_sca3.exe"
2006-06-22 16:38:44 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"
2006-06-22 16:38:38 174669 ( A.... ) "C:\WINDOWS\srvdijtuly.exe"
2006-06-22 16:38:22 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-06-22 16:38:04 45056 ( A.... ) "C:\wd7gi8n.exe"
2006-06-22 16:37:56 129649 ( A.... ) "C:\WINDOWS\elpp100drop.exe"
2006-06-22 16:37:52 175362 ( A.... ) "C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe"
2006-06-22 16:37:46 319294 ( A.... ) "C:\WINDOWS\YOINSI.exe"
2006-06-22 16:37:30 234248 ( A.... ) "C:\WINDOWS\Tagasuarus2.exe"
2006-06-22 16:31:52 13373 ( A.... ) "C:\mx.exe"
2006-06-17 23:41:48 ( .D... ) "C:\Program Files\SideCar"
2006-06-02 09:59:04 ( .D... ) "C:\Documents and Settings\Owner\Application Data\ArcSoft"
2006-06-01 15:19:22 4608 ( A.... ) "C:\WINDOWS\system32\w95inf32.dll"
2006-06-01 15:19:22 2272 ( A.... ) "C:\WINDOWS\system32\w95inf16.dll"
2006-06-01 15:18:42 ( .D... ) "C:\Program Files\ArcSoft"
2006-05-30 18:19:18 2088960 ( A.... ) "C:\WINDOWS\cfg32.exe"
2006-05-30 18:09:20 24576 ( A.... ) "C:\WINDOWS\Uninstall.exe"
2006-05-01 22:40:40 ( .D... ) "C:\Program Files\Windows Defender"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"SunKistEM"="C:\\Program Files\\Digital Media Reader\\shwiconem.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"Fix-It AV"="C:\\PROGRA~1\\VCOM\\SYSTEM~1\\MemCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"ÿ_zskVWQEUV"="C:\\WINDOWS\\system32\\_zskwrkni05]^JUW_Y]F\\VUEQWV.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000001
"Wallpaper"="C:\\WINDOWS\\desktop.html"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Outlook Express\\kyfewyqe.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Online Services\\hocy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
"backup"="C:\\WINDOWS\\pss\\BigFix.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\BigFix\\BigFix.exe /atstartup"
"item"="BigFix"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideCar DCIS Authentication.lnk]
"backup"="C:\\WINDOWS\\pss\\SideCar DCIS Authentication.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SideCar\\SideCar.exe "
"item"="SideCar DCIS Authentication"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Zeno.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\Zeno.lnk"
"backup"="C:\\WINDOWS\\pss\\Zeno.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\owinrqez.exe GID003"
"item"="Zeno"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Z_Start.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\Z_Start.lnk"
"backup"="C:\\WINDOWS\\pss\\Z_Start.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\ZICORN~1.EXE CORN003"
"item"="Z_Start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aqezhvwA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aqezhvwA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\aqezhvwA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="owinrqez"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\owinrqez.exe GID003"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cfg32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\cfg32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpue]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dexplore"
"hkey"="HKCU"
"command"="\"C:\\DOCUME~1\\Owner\\MYDOCU~1\\SMANTE~1\\dexplore.exe\" -vt yazr"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndra"
"hkey"="HKLM"
"command"="C:\\\\dfndra.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kbdoc3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kbdoc3"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\kbdoc3.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrd"
"hkey"="HKLM"
"command"="C:\\\\kybrd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms061878-53406]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ms061878-53406"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ms061878-53406.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NEWDOT~2"
"hkey"="HKLM"
"command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnm"
"hkey"="HKLM"
"command"="C:\\\\nwnm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVMixerTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSSelectorReinstall]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oss_reinstall"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Acronis\\Acronis Disk Director\\oss_reinstall.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PECarlin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PECarlin"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\PECarlin\\PECarlin.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pop06ap]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pop06ap2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\pop06ap2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pop06apelt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="thiselt"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\thiselt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="services"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\inet20026\\services.exe"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys_up1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svchostsys"
"hkey"="HKCU"
"command"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CCZoop05"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\CCZoop05.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{AD-DC-CC-CA-ZN}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pqdsregs"
"hkey"="HKLM"
"command"="C:\\windows\\system32\\pqdsregs.exe GID003"
"inimapping"="0"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 3.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Owner.job

Completion time: Tue 06/27/2006 21:36:37.81
ComboFix ver 06.06.26 - This logfile is located at C:\ComboFix.txt

WNF note: I see a reference to Elite Media above. In going through the IE settings screens, I saw Elite Media had been added as a trusted site. I manually deleted it. Later, I thought of it and used RegEdit to find numerous registry entries referencing Elite Media. I left them alone.

Thanks.

#13 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 28 June 2006 - 03:31 PM

This is quite a mess :P

1. Make a copy of these instructions to have handy as all cleaning needs to be done in Safe mode with all browsers closed. First, Open Ewido and select *Update* at the top and download and install any new updates.

2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

4. Reboot into Safe Mode
You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

How to start the computer in Safe mode
http://service1.syma...src=sec_doc_nam

5. Once in safe mode, start Ewido AntiMalware

a. Click on scanner

b. Click on *complete system scan*

c. Let the program scan the machine.

d. When the scan is done you will see a list of infected objects (if any found) At the bottom of the list, Please click on "recommended action"/and choose to Set all Elements to quarantine and check the box "Perform action with all infections".
If you get a warning about a file being in an archive, please choose *yes* to quarantine the entire archive

[5]When the scanner finishes, click on "Save Report" at the bottom. This will create a text file. Make sure you know where to find this file again.

6. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Checkmark the "Show log after script ends" box before running the program.
  • Behind the scriptline to execute field click the folder icon Posted Image and select alcanshorty.bfu
  • Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • click "save"
    IN "filename" enter log.txt
  • click exit to exit the BFU program.
Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder


7. Stay in safe mode and run a full system scan with your Trend-Micro AV and let it remove any infected files found.

Reboot back into normal mode

8. Now please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

Logs needed in your next post are:

log.txt will be in the C:\BFU\ folder

Ewido Scan log

Fresh HijackThis log
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#14 wnfrench

wnfrench

    Advanced Member

  • Members
  • PipPipPip
  • 32 posts

Posted 28 June 2006 - 11:34 PM

Here are the logs you requested:

BFU Log:

BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 1:43:34 PM, on 6/28/2006

Option Unload Explorer: Yes
Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (service not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable cmdService (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Perflib_Perfdata_46c.dat (operation failed)
Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFBA9E.tmp (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\simtest (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\misc001 (folder not found)
Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FolderDelete C:\Program Files\Update03 (folder not found)
Failed: FolderDelete C:\Program Files\Update04 (folder not found)
Failed: FolderDelete C:\Program Files\Update08 (folder not found)
Failed: FolderDelete C:\Program Files\W-Update (folder not found)
Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)
Failed: FolderDelete C:\Program Files\Cas (folder not found)
Failed: FolderDelete C:\Program Files\CasStub (folder not found)
Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)
Failed: FolderDelete C:\Program Files\ipwins (folder not found)
Failed: FolderDelete C:\WINDOWS\mdrive (folder not found)
Failed: FolderDelete C:\Program Files\PECarlin (folder not found)
Failed: FolderDelete C:\Program Files\AXVenore (folder not found)
Failed: FolderDelete C:\Program Files\SDVita (folder not found)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.


Ewido Log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:35:09 PM 6/28/2006

+ Scan result:

C:\WINDOWS\cfg32.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\cfg32a.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\tbggdhbu.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\stub_sca3.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-2237693894-1415581680-2428159654-500\Dc1.0000 -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\amm06.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\wd7gi8n.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dlh9jkdq5.exe -> Downloader.Small.cwj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kernels8.exe -> Downloader.Tibs.eo : Cleaned with backup (quarantined).
C:\WINDOWS\ms061878-53406.exe -> Downloader.VB.aga : Cleaned with backup (quarantined).
C:\WINDOWS\xpupdate.exe -> Hijacker.Spywad.o : Cleaned with backup (quarantined).
C:\mx.exe -> Hijacker.VB.lb : Cleaned with backup (quarantined).
C:\WINDOWS\desktop.html -> Not-A-Virus.Hoax.Win32.Renos.cy : Cleaned with backup (quarantined).
C:\WINDOWS\inet20026\ICQ2003Decrypt.dll -> Not-A-Virus.PSWTool.Win32.ICQ.l : Cleaned with backup (quarantined).
C:\WINDOWS\system32\_zskwrkni05YTWFESJ]_VUT^MYZ.exe -> Proxy.Agent.km : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vxgame2.exe -> Proxy.Agent.km : Cleaned with backup (quarantined).
C:\WINDOWS\inet20026\Icq.exe -> Trojan.Agent.gq : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.aa : Cleaned with backup (quarantined).


::Report end


HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:42:24 PM, on 6/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.trendmicr...=TROJ_MUDROP.BQ
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [ÿ_zskVWQEUV] C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F\VUEQWV.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Shortcut to taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} (InstallShield Setup Player 2K2) - http://host1.tcnet.t...stall/setup.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.micros...b?1132581635578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.cus...l/java/RntX.cab
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe


WNF notes:

1. I noticed the following lines in the BFU log:

"Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation faile)"

I could not find any files named "mc-" with any extension anywhere on the affected computer.

"Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Perflib_Perfdata_46c.dat (operation failed)
Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFBA9E.tmp (operation failed)"

I found the first file to see if I could manually delete it and went as far as "Are you sure you want to send 'XXXX.XXX' to the Recycle Bin?" It appeared as if it were going to let me do it. I could not find the second file anywhere.

2. The malware has set up at least one new user account, or group -- I'm not sure --"Administrators," which may or may not be the one(s) controlling the desktop, control panel, task manager, etc. When I try to get into various parts of the system, I get "Access Denied" a lot. At one point, a window came up that said that the system was locked and under control of the administrator. It gave me the opportunity to access the administrator's account, but denied me when I didn't have the correct password.

This is probably something you've seen a lot. But it was new to me!

#15 wnfrench

wnfrench

    Advanced Member

  • Members
  • PipPipPip
  • 32 posts

Posted 28 June 2006 - 11:46 PM

Oh yes, I was able to get rid of something with the Trend Micro AV scan. Here is the log:

Virus Scan Results:

Run: 6/28/2006 2:08:56 PM

Scanned:
Boot Sector
Boot Sector
All files, including those in archives, on all local hard drives

Results:

Found potential threat
In File: C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-74b2599d-6c8d0e29.zip\BlackBox.class
Name: JAVA_BYTEVER.AC
Results: File containing potential threat deleted successfully.

Files not scanned:
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_46c.dat
C:\Documents and Settings\Administrator\NTUSER.DAT
C:\Documents and Settings\Administrator\ntuser.dat.LOG
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3f5c463bc7fa7648ac74ef4eb7ca5df9_00d5b920-6ffd-439b-a2e1-f9df8a983e91
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5314f00bea62d4683d9436f8fca474a2_00d5b920-6ffd-439b-a2e1-f9df8a983e91
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5c9f5bd6a10426cae28ec0563461571b_00d5b920-6ffd-439b-a2e1-f9df8a983e91
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a583fb0c2a5247d9bcadf03cc8d33ae3_00d5b920-6ffd-439b-a2e1-f9df8a983e91
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
C:\Documents and Settings\NetworkService\NTUSER.DAT
C:\Documents and Settings\NetworkService\ntuser.dat.LOG
C:\Documents and Settings\Owner\My Documents\S?mantec
C:\pagefile.sys
C:\System Volume Information
C:\WINDOWS\system32\config\default
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\SAM
C:\WINDOWS\system32\config\SAM.LOG
C:\WINDOWS\system32\config\SECURITY
C:\WINDOWS\system32\config\SECURITY.LOG
C:\WINDOWS\system32\config\software
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\system
C:\WINDOWS\system32\config\system.LOG

10994 Executables scanned
1595 Macros scanned
6935 Files inside archives scanned
25 Files that could not be scanned (files in use, encrypted archives, etc.)
224221 Total files scanned

WNF Notes:

1. I see that "C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_46c.dat" shows up again, this time not scanned. Should I just go out and delete it manually?

2. I've never seen this many files excluded from a scan before. Normally it's just C:\pagefile.sys and maybe one or two others. Is this normal? Or a sign of things that should be available to us that now aren't?

#16 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 29 June 2006 - 05:26 PM

That's looking a LOT better. I think the problem was that Ewido had not been told to clean up and that last log you did run it correct and it eliminated a lot of the trojans that were downloading malware to your system.

FYI, the BFU Alcanshorty log only shows me what it did NOT find on your system from a long list of known malware installed by the worm. And don't worry about the Trend files it didn't scan, that is normal.

Scan with HijackThis and checkmark this entry in the list:

O4 - HKLM\..\RunServices: [ÿ_zskVWQEUV] C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F\VUEQWV.exe

Then delete these folders (if found). If not found they have been already been removed by a prior cleaning step.

C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F

C:\Documents and Settings\Owner\My Documents\S?mantec (That question mark in the name is a wildcard letter, could be anything)

Then, please open HijackThis and instead of scan, choose *Open Misc Tools Section*
In the first section (Generate Startup List), please checkmark the two boxes to the right and then press the *Generate StartupList log* button
Posted Image

When it finishes, please the *Save List* button and copy the results back here please.
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#17 wnfrench

wnfrench

    Advanced Member

  • Members
  • PipPipPip
  • 32 posts

Posted 29 June 2006 - 09:11 PM

CJ, here's what I did, based on your latest instructions:

1. Checked the box next to:

O4 - HKLM\..\RunServices: [ÿ_zskVWQEUV] C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F\VUEQWV.exe

Then I ran a scan immediately afterward. Guess what? It showed up again! I did the same thing once or twice more with the same result.

2.Went to C:\WINDOWS\system32\ and tried to delete:

C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F.

It wasn't there! I used Windows Explorer Search to look for all kinds of variations of its name throughout the entire system, but had no success. I then used Registry Magic to search for any entries with "vueq". It came up with two: one is obviously the same as the HJT scan entry; the second is located in:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Software Explorers\Disabled RunKey\Run"

Does this mean that it has been disabled and/or removed by Windows Defender? What will happen if we manually delete the first registry entry?

3. While I couldn't find the above referenced file, I did find a number of suspicious files in C:\WINDOWS\system32\, all dated between 6/22/06, when all this started, and 6/27/06, when it became even worse. I'm going to try to paste a screen shot below so you can see what I mean.

4. Here is the HJT StartUp List Log:

StartupList report, 6/29/2006, 1:25:06 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Shortcut to taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = c:\windows\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
SunKistEM = C:\Program Files\Digital Media Reader\shwiconem.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
LVCOMSX = C:\WINDOWS\system32\LVCOMSX.EXE
Fix-It AV = C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
!ewido = "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

ÿ_zskVWQEUV = C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F\VUEQWV.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

ISP signup reminder 3.job
MP Scheduled Scan.job
Norton AntiVirus - Scan my computer - Owner.job

--------------------------------------------------

Enumerating Download Program Files:

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://www.pcpitstop...p/PCPitStop.CAB

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft....k/?linkid=39204

[Microsoft PID Sniffer]
InProcServer32 = C:\WINDOWS\system32\odc.dll
CODEBASE = https://support.micr...ActiveX/odc.cab

[InstallShield Setup Player 2K2]
CODEBASE = http://host1.tcnet.t...stall/setup.exe

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ntent/opuc2.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.syma...n/bin/cabsa.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.micros...b?1132581635578

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Snapfish File Upload ActiveX Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SnapfishUpload1407.ocx
CODEBASE = http://www.costcopho...ostcoUpload.cab

[Crucial cpcScan]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cpcScan.dll
CODEBASE = http://www.crucial.c.../cpcScanner.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Live Collaboration]
InProcServer32 = C:\WINDOWS\DOWNLO~1\RntX.dll
CODEBASE = https://livewc01.cus...l/java/RntX.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\system32\pnrpnsp.dll
NameSpace #5: C:\WINDOWS\system32\pnrpnsp.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

IPv6 Helper Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
abp480n5: system32\DRIVERS\ABP480N5.SYS (system)
Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
adpu160m: system32\DRIVERS\adpu160m.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: system32\DRIVERS\agp440.sys (system)
Compaq AGP Bus Filter: system32\DRIVERS\agpCPQ.sys (system)
Aha154x: system32\DRIVERS\aha154x.sys (system)
aic78u2: system32\DRIVERS\aic78u2.sys (system)
aic78xx: system32\DRIVERS\aic78xx.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: system32\DRIVERS\aliide.sys (system)
ALI AGP Bus Filter: system32\DRIVERS\alim1541.sys (system)
AMD AGP Bus Filter Driver: system32\DRIVERS\amdagp.sys (system)
AMD K7 Processor Driver: system32\DRIVERS\amdk7.sys (system)
amsint: system32\DRIVERS\amsint.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
asc: system32\DRIVERS\asc.sys (system)
asc3350p: system32\DRIVERS\asc3350p.sys (system)
asc3550: system32\DRIVERS\asc3550.sys (system)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
BrSplService: C:\WINDOWS\system32\brsvc01a.exe (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
BrPar: \SystemRoot\System32\drivers\BrPar.sys (autostart)
cbidf: system32\DRIVERS\cbidf2k.sys (system)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
cd20xrnt: system32\DRIVERS\cd20xrnt.sys (system)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
cirrus: system32\DRIVERS\cirrus.sys (manual start)
Indexing Service: C:\WINDOWS\system32\cisvc.exe (autostart)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
CmdIde: system32\DRIVERS\cmdide.sys (system)
Microsoft Composite Battery Driver: system32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: system32\DRIVERS\cpqarray.sys (system)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
dac2w2k: system32\DRIVERS\dac2w2k.sys (system)
dac960nt: system32\DRIVERS\dac960nt.sys (system)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
dpti2o: system32\DRIVERS\dpti2o.sys (system)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
ewido anti-spyware 4.0 driver: \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys (system)
ewido anti-spyware 4.0 guard: C:\Program Files\ewido anti-spyware 4.0\guard.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID UPS Battery Driver: system32\DRIVERS\HidBatt.sys (manual start)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
hpn: system32\DRIVERS\hpn.sys (system)
HSFHWBS2: system32\DRIVERS\HSFHWBS2.sys (manual start)
HSF_DP: system32\DRIVERS\HSF_DP.sys (manual start)
HSF_DPV: system32\DRIVERS\HSF_DPV.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i2omp: system32\DRIVERS\i2omp.sys (system)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
ini910u: system32\DRIVERS\ini910u.sys (system)
IntelIde: system32\DRIVERS\intelide.sys (system)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
RIP Listener: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Logitech USB Monitor Filter: system32\drivers\lvusbsta.sys (manual start)
LxrJD31d: \??\C:\WINDOWS\system32\Drivers\LxrJD31d.sys (autostart)
Lexar JD31: LxrJD31s.exe (autostart)
mdmxsdk: system32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
mraid35x: system32\DRIVERS\mraid35x.sys (system)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
Macronix MX987xx Family Fast Ethernet NT Driver: system32\DRIVERS\mxnic.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
Service for NVIDIA® nForce™ Audio Enumerator: system32\drivers\nvax.sys (manual start)
NVIDIA nForce Networking Controller Driver: system32\DRIVERS\NVENETFD.sys (manual start)
NVIDIA Network Bus Enumerator: system32\DRIVERS\nvnetbus.sys (manual start)
Service for NVIDIA® nForce™ Audio: system32\drivers\nvapu.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
NVIDIA nForce AGP Bus Filter: system32\DRIVERS\nv_agp.sys (system)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Peer Networking Group Authentication: %SystemRoot%\system32\svchost.exe -k p2psvc (manual start)
Peer Networking Identity Manager: %SystemRoot%\system32\svchost.exe -k p2psvc (manual start)
Peer Networking: %SystemRoot%\system32\svchost.exe -k p2psvc (manual start)
Intel PentiumIII Processor Driver: system32\DRIVERS\p3.sys (system)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
perc2: system32\DRIVERS\perc2.sys (system)
perc2hib: system32\DRIVERS\perc2hib.sys (system)
Logitech QuickCam Pro 3000(PID_08B1): system32\DRIVERS\CamDrL20.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Peer Name Resolution Protocol: %SystemRoot%\system32\svchost.exe -k p2psvc (manual start)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
PrismXL: C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
ql1080: system32\DRIVERS\ql1080.sys (system)
Ql10wnt: system32\DRIVERS\ql10wnt.sys (system)
ql12160: system32\DRIVERS\ql12160.sys (system)
ql1240: system32\DRIVERS\ql1240.sys (system)
ql1280: system32\DRIVERS\ql1280.sys (system)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Simple TCP/IP Services: %SystemRoot%\system32\tcpsvcs.exe (autostart)
SIS AGP Bus Filter: system32\DRIVERS\sisagp.sys (system)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Acronis Snapshots Manager: system32\DRIVERS\snapman.sys (system)
SNMP Service: %SystemRoot%\System32\snmp.exe (manual start)
SNMP Trap Service: %SystemRoot%\System32\snmptrap.exe (manual start)
Sparrow: system32\DRIVERS\sparrow.sys (system)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\system32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Alcor Micro Corp Reader: \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys (manual start)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{63C33B1B-E9A2-4399-8C21-F59FA31488FA} (manual start)
symc810: system32\DRIVERS\symc810.sys (system)
symc8xx: system32\DRIVERS\symc8xx.sys (system)
sym_hi: system32\DRIVERS\sym_hi.sys (system)
sym_u3: system32\DRIVERS\sym_u3.sys (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
SystemSuite Task Manager: C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe -Service (autostart)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Microsoft IPv6 Protocol Driver: system32\DRIVERS\tcpip6.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
tmpreflt: \??\C:\PROGRA~1\VCOM\SYSTEM~1\tmpreflt.sys (autostart)
tmxpflt: \??\C:\PROGRA~1\VCOM\SYSTEM~1\tmxpflt.sys (autostart)
TosIde: system32\DRIVERS\toside.sys (system)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microsoft Tun Miniport Adapter Driver: system32\DRIVERS\tunmp.sys (manual start)
ultra: system32\DRIVERS\ultra.sys (system)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: system32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: system32\DRIVERS\viaagp.sys (system)
ViaIde: system32\DRIVERS\viaide.sys (system)
Vsapint: \??\C:\PROGRA~1\VCOM\SYSTEM~1\Vsapint.sys (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
winachsf: system32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Defender Service: "C:\Program Files\Windows Defender\MsMpEng.exe" (autostart)
Windows Overlay Components: C:\WINDOWS\aqezhvw.exe (disabled)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 38,677 bytes
Report generated in 0.141 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history onl

- end -

#18 wnfrench

wnfrench

    Advanced Member

  • Members
  • PipPipPip
  • 32 posts

Posted 29 June 2006 - 09:18 PM

Here's that screen shot, if it works.....

Screen01.GIF

#19 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 29 June 2006 - 10:40 PM

Thanks for the screenshot :wub:

Ewido deleted the offending file:
C:\WINDOWS\system32\_zskwrkni05YTWFESJ]_VUT^MYZ.exe -> Proxy.Agent.km : Cleaned with backup (quarantined).

So that's why it's not there. I suspect you have some security program blocking changes to the registry is why the entry keeps coming back in HJT. Make sure if anything pops up on alert after *fixing* that item in HijackThis, that choose to "allow" rather than block that change.
....................................
This infection drops a bunch of "garbage" files 1 - 2 kb in size that are "fake" malware for the rogue scanner to "find". The scanners will detect and delete everything but those harmless files are not detected. From your Screen shot it is ok to delete these from the System32 folder:

zlbw.dll 46.kb
taskdir~.exe 10kb
winrknj 0
2.txt 0
1.txt 0
winsub.xml 1kb
svcp.csv 1kb
vx.tll 1kb
dlh9jkdq8.exe 3kb
dlh9jkdq1.exe 1kb
d3d8caps.dat 1kb
msnav32.ax 1kb
key.~ 1kb
nt68rrtc12.sys 1kb
bang-006.ico 10kb
VSL05.exe 48kb
zxdnt3d.cfg 1kb


And any of these if found (some have already been deleted)
Some are in the Windows folder, some are in the System32 folder and are already listed above.
:
2006-06-22 16:59:02 143360 ( A.... ) "C:\WINDOWS\ms061878-53406.exe"
2006-06-22 16:41:14 32768 ( A.... ) "C:\WINDOWS\tbggdhbu.exe"
2006-06-22 16:40:26 1392640 ( A.... ) "C:\WINDOWS\cfg32a.exe"
2006-06-22 16:38:58 928 ( A.... ) "C:\WINDOWS\system32\nt68rrtc12.sys"
2006-06-22 16:38:58 928 ( A.... ) "C:\WINDOWS\system32\nt68rrtc12.sys"
2006-06-22 16:38:46 20480 ( A.... ) "C:\stub_sca3.exe"
2006-06-22 16:38:44 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"
2006-06-22 16:38:38 174669 ( A.... ) "C:\WINDOWS\srvdijtuly.exe"
2006-06-22 16:38:04 45056 ( A.... ) "C:\wd7gi8n.exe"
2006-06-22 16:37:56 129649 ( A.... ) "C:\WINDOWS\elpp100drop.exe"
2006-06-22 16:37:52 175362 ( A.... ) "C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe"
2006-06-22 16:37:46 319294 ( A.... ) "C:\WINDOWS\YOINSI.exe"
2006-06-22 16:37:30 234248 ( A.... ) "C:\WINDOWS\Tagasuarus2.exe"
2006-06-22 16:31:52 13373 ( A.... ) "C:\mx.exe"

2006-06-27 11:23:00 2 ( A.... ) "C:\WINDOWS\system32\maxd641.exe"
2006-06-27 10:43:14 46592 ( A.... ) "C:\WINDOWS\system32\zlbw.dll"
2006-06-27 10:42:44 9266 ( A.... ) "C:\WINDOWS\system32\taskdir~.exe"
2006-06-27 10:42:30 35952 ( A.... ) "C:\WINDOWS\system32\vxgame2.exe"
2006-06-27 10:42:30 35952 ( A.... ) "C:\WINDOWS\system32\_zskwrkni05YTWFESJ]_VUT^MYZ.exe"
2006-06-27 10:42:30 22528 ( A.... ) "C:\WINDOWS\system32\vxgame1.exe"
2006-06-27 10:41:56 1510595 ( A.... ) "C:\Documents and Settings\Owner\Application Data\Install.dat"
2006-06-27 10:41:52 17894 ( A.... ) "C:\WINDOWS\xpupdate.exe"
2006-06-27 10:41:52 6630 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq5.exe"
2006-06-27 10:41:50 2518 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq1.exe"
2006-06-27 10:41:50 15 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq8.exe"
2006-06-27 10:41:44 7792 ( A.... ) "C:\WINDOWS\system32\kernels8.exe"
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#20 wnfrench

wnfrench

    Advanced Member

  • Members
  • PipPipPip
  • 32 posts

Posted 30 June 2006 - 11:14 PM

I was able to delete some of the files but not all of them. In most cases, if I wasn't able to delete them, it was because I couldn't find them anywhere on the system. There was one notable exception.

The files I was able to delete were these:

zlbw.dll 46.kb
taskdir~.exe 10kb
winrknj 0
2.txt 0
1.txt 0
winsub.xml 1kb
svcp.csv 1kb
vx.tll 1kb
dlh9jkdq8.exe 3kb
dlh9jkdq1.exe 1kb
d3d8caps.dat 1kb
msnav32.ax 1kb
key.~ 1kb
nt68rrtc12.sys 1kb
bang-006.ico 10kb
VSL05.exe 48kb
zxdnt3d.cfg 1kb

2006-06-22 16:38:38 174669 ( A.... ) "C:\WINDOWS\srvdijtuly.exe"
2006-06-22 16:37:56 129649 ( A.... ) "C:\WINDOWS\elpp100drop.exe"
2006-06-22 16:37:52 175362 ( A.... ) "C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe"
2006-06-22 16:37:46 319294 ( A.... ) "C:\WINDOWS\YOINSI.exe"
2006-06-22 16:37:30 234248 ( A.... ) "C:\WINDOWS\Tagasuarus2.exe"
2006-06-27 10:41:56 1510595 ( A.... ) "C:\Documents and Settings\Owner\Application Data\Install.dat"
2006-06-27 10:41:50 2518 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq1.exe"
2006-06-27 10:41:50 15 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq8.exe"


The one notable exception was "C:\Windows\system32\maxd641.exe." I found it, but when I tried to delete it, I got the " Cannot delete 'maxd641.exe'. It is being used by another person or program" message. I tried again to pull up taskmanager, to see if I could get any clues there, but it's still being blocked.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users