wnfrench

Badly infected. No Internet Access. Help!

32 posts in this topic

Three types of anti-spyware, active anti-virus protection and what I thought were safe internet browsing habits obviously weren't enough. One of my systems is badly infected and all the things I've done haven't cleaned out the bad stuff. I hope I haven't made the situation worse, but I may have: now I have no internet access (and that was before I physically pulled the plug to the router and cable modem!). The CPU meter in Task Manager is constantly pegged at 100% (except in safe mode) and the system runs as slow as the proverbial molasses in January!

 

I have run AAse multiple times, in both safe mode and regular mode, Ewido the same and Hijack This! (but without taking any actions in HJT). I've run the NewDotNet removal instructions suggested elsewhere in this forum, but am not sure if my responses to the popup spyware warnings/suggested actions of my various anti-spyware programs caused me to not do it the right way. Hence, the probable cause of my loss of internet access.

 

Tell me what you want me to send and do. I'll do it. Thanks in advance for any help you can give me.

 

Here's my latest AAse scan log:

 

 

Ad-Aware SE Build 1.06r1

Logfile Created on:Saturday, June 24, 2006 5:26:03 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R112 15.06.2006

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

e2give(TAC index:7):13 total references

MRU List(TAC index:0):6 total references

Prutect(TAC index:8):2 total references

Spyware.E2Give(TAC index:10):3 total references

Win32.Generic.PWS(TAC index:10):18 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Search for low-risk threats

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

6/24/2006 5:26:03 PM - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\Owner\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2237693894-1415581680-2428159654-1003\software\microsoft\search assistant\acmru

Description : list of recent search terms used with the search assistant

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2237693894-1415581680-2428159654-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2237693894-1415581680-2428159654-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2237693894-1415581680-2428159654-1003\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-2237693894-1415581680-2428159654-1003\software\microsoft\windows\currentversion\explorer\runmru

Description : mru list for items opened in start | run

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 684

ThreadCreationTime : 6/24/2006 7:15:26 PM

BasePriority : Normal

 

 

#:2 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 860

ThreadCreationTime : 6/24/2006 7:15:32 PM

BasePriority : High

 

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

 

 

#:3 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 912

ThreadCreationTime : 6/24/2006 7:15:35 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

 

 

#:4 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 924

ThreadCreationTime : 6/24/2006 7:15:35 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

 

 

#:5 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1092

ThreadCreationTime : 6/24/2006 7:15:38 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

 

 

#:6 [msmpeng.exe]

FilePath : C:\Program Files\Windows Defender\

ProcessID : 1292

ThreadCreationTime : 6/24/2006 7:15:40 PM

BasePriority : Normal

FileVersion : 1.1.1347.0

ProductVersion : 1.1.1347.0

ProductName : Windows Defender

CompanyName : Microsoft Corporation

FileDescription : Service Executable

InternalName : MsMpEng.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : MsMpEng.exe

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

 

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1352

ThreadCreationTime : 6/24/2006 7:15:41 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\System32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\System32\inicfg32.dll)

 

 

#:8 [brsvc01a.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1760

ThreadCreationTime : 6/24/2006 7:15:47 PM

BasePriority : Normal

FileVersion : 1, 0, 0, 4

ProductVersion : 1, 0, 0, 4

ProductName : brother Industries Ltd brsvc01a

CompanyName : brother Industries Ltd

FileDescription : brsvc01a

InternalName : brsvc01a

LegalCopyright : Copyright © Brother Industries, Ltd 2003

OriginalFilename : brsvc01a.exe

 

#:9 [brss01a.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1808

ThreadCreationTime : 6/24/2006 7:15:47 PM

BasePriority : Normal

FileVersion : 1.004

ProductVersion : 1, 0, 0, 4

ProductName : brother Industries Ltd brss01a.exe

CompanyName : brother Industries Ltd

FileDescription : brss01a.exe

InternalName : brss01a.exe

LegalCopyright : Copyright ? 2001

OriginalFilename : brss01a.exe

Comments : Brsplproc XP wrapper

 

#:10 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1816

ThreadCreationTime : 6/24/2006 7:15:47 PM

BasePriority : Normal

FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

ProductVersion : 5.1.2600.2696

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

 

 

#:11 [cisvc.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1080

ThreadCreationTime : 6/24/2006 7:15:56 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Content Index service

InternalName : cisvc.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : cisvc.exe

 

#:12 [guard.exe]

FilePath : C:\Program Files\ewido anti-spyware 4.0\

ProcessID : 1232

ThreadCreationTime : 6/24/2006 7:15:57 PM

BasePriority : Normal

FileVersion : 4, 0, 0, 172

ProductVersion : 4, 0, 0, 172

ProductName : ewido anti-spyware

CompanyName : Anti-Malware Development a.s.

FileDescription : ewido anti-spyware guard

InternalName : ewido anti-spywareguard

LegalCopyright : Copyright © 2005 Anti-Malware Development a.s.

OriginalFilename : guard.exe

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

 

Warning! "C:\Program Files\ewido anti-spyware 4.0\guard.exe"Process could not be terminated!

 

#:13 [lxrjd31s.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1272

ThreadCreationTime : 6/24/2006 7:15:58 PM

BasePriority : Normal

 

 

#:14 [nvsvc32.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1388

ThreadCreationTime : 6/24/2006 7:15:58 PM

BasePriority : Normal

FileVersion : 6.14.10.6176

ProductVersion : 6.14.10.6176

ProductName : NVIDIA Driver Helper Service, Version 61.76

CompanyName : NVIDIA Corporation

FileDescription : NVIDIA Driver Helper Service, Version 61.76

InternalName : NVSVC

LegalCopyright : © NVIDIA Corporation. All rights reserved.

OriginalFilename : nvsvc32.exe

 

#:15 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1484

ThreadCreationTime : 6/24/2006 7:15:59 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

 

 

#:16 [mxtask.exe]

FilePath : C:\PROGRA~1\VCOM\SYSTEM~1\

ProcessID : 1532

ThreadCreationTime : 6/24/2006 7:16:00 PM

BasePriority : Normal

FileVersion : 6.0.3.5

CompanyName : Avanquest Publishing USA, Inc.

FileDescription : The background task server

InternalName : MXTask

LegalCopyright : Copyright © 1997-2005 Avanquest Publishing USA, Inc.

LegalTrademarks : SystemSuite is a trademark of Avanquest Publishing USA, Inc.

OriginalFilename : MXTask.exe

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

 

 

#:17 [shwiconem.exe]

FilePath : C:\Program Files\Digital Media Reader\

ProcessID : 1876

ThreadCreationTime : 6/24/2006 7:16:05 PM

BasePriority : Idle

FileVersion : 1, 4, 0, 8

ProductVersion : 1, 4, 0, 8

ProductName : Multimedia Card Reader

CompanyName : Alcor Micro, Corp.

LegalCopyright : Copyright c 2002

Comments : Alcor 9360 4/4.5 Slot XP

 

#:18 [lvcomsx.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1940

ThreadCreationTime : 6/24/2006 7:16:05 PM

BasePriority : Normal

FileVersion : 8.3.0.1096

ProductVersion : 8.3.0.1096

ProductName : Logitech QuickCam

CompanyName : Logitech Inc.

FileDescription : LVCom Server

InternalName : LVComS.exe

LegalCopyright : © 1996-2004 Logitech. All rights reserved.

OriginalFilename : LVComS.exe

 

#:19 [msascui.exe]

FilePath : C:\Program Files\Windows Defender\

ProcessID : 1992

ThreadCreationTime : 6/24/2006 7:16:06 PM

BasePriority : Normal

FileVersion : 1.1.1347.0

ProductVersion : 1.1.1347.0

ProductName : Windows Defender

CompanyName : Microsoft Corporation

FileDescription : Windows Defender User Interface

InternalName : MSASCUI

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : MSASCUI.exe

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

 

 

#:20 [ewido.exe]

FilePath : C:\Program Files\ewido anti-spyware 4.0\

ProcessID : 2012

ThreadCreationTime : 6/24/2006 7:16:06 PM

BasePriority : Normal

FileVersion : 4, 0, 0, 172

ProductVersion : 4, 0, 0, 172

ProductName : ewido anti-spyware

CompanyName : Anti-Malware Development a.s.

FileDescription : ewido anti-spyware

InternalName : ewido anti-spyware

LegalCopyright : Copyright © 2005 Anti-Malware Development a.s.

OriginalFilename : ewido.exe

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

 

 

#:21 [aim.exe]

FilePath : C:\Program Files\AIM\

ProcessID : 1648

ThreadCreationTime : 6/24/2006 7:16:07 PM

BasePriority : Normal

FileVersion : 5.9.3861

ProductVersion : 5.9.3861

ProductName : AOL Instant Messenger

CompanyName : America Online, Inc.

FileDescription : AOL Instant Messenger

InternalName : AIM

LegalCopyright : Copyright © 1996-2005 America Online, Inc.

OriginalFilename : AIM.EXE

 

#:22 [taskmgr.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 400

ThreadCreationTime : 6/24/2006 7:16:11 PM

BasePriority : High

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows TaskManager

InternalName : taskmgr

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : taskmgr.exe

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

 

 

#:23 [wscntfy.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2464

ThreadCreationTime : 6/24/2006 7:16:51 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Security Center Notification App

InternalName : wscntfy.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : wscntfy.exe

 

#:24 [mxtask.exe]

FilePath : C:\PROGRA~1\VCOM\SYSTEM~1\

ProcessID : 2612

ThreadCreationTime : 6/24/2006 7:16:57 PM

BasePriority : Normal

FileVersion : 6.0.3.5

CompanyName : Avanquest Publishing USA, Inc.

FileDescription : The background task server

InternalName : MXTask

LegalCopyright : Copyright © 1997-2005 Avanquest Publishing USA, Inc.

LegalTrademarks : SystemSuite is a trademark of Avanquest Publishing USA, Inc.

OriginalFilename : MXTask.exe

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

 

 

#:25 [hijackthis.exe]

FilePath : C:\Program Files\Hijackthis\

ProcessID : 2764

ThreadCreationTime : 6/24/2006 7:22:42 PM

BasePriority : Normal

FileVersion : 1.99.0001

ProductVersion : 1.99.0001

ProductName : HijackThis

CompanyName : Soeperman Enterprises Ltd.

FileDescription : HijackThis

InternalName : HijackThis

LegalCopyright : Freeware

OriginalFilename : HijackThis.exe

Comments : Version history is in Help section

 

#:26 [notepad.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 3616

ThreadCreationTime : 6/24/2006 7:23:24 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Notepad

InternalName : Notepad

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : NOTEPAD.EXE

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

 

 

#:27 [cidaemon.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 3732

ThreadCreationTime : 6/24/2006 7:23:36 PM

BasePriority : Idle

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Indexing Service filter daemon

InternalName : cidaemon.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : cidaemon.exe

 

#:28 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 800

ThreadCreationTime : 6/24/2006 9:15:29 PM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

#:29 [notepad.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2648

ThreadCreationTime : 6/24/2006 9:15:32 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Notepad

InternalName : Notepad

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : NOTEPAD.EXE

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

 

"C:\WINDOWS\system32\NOTEPAD.EXE"Process terminated successfully

 

#:30 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 2256

ThreadCreationTime : 6/24/2006 9:28:17 PM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

 

 

#:31 [notepad.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 3056

ThreadCreationTime : 6/24/2006 9:36:43 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Notepad

InternalName : Notepad

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : NOTEPAD.EXE

 

Win32.Generic.PWS Object Recognized!

Type : Process

Data : inicfg32.dll

TAC Rating : 10

Category : Monitoring Tool

Comment : iniwin32.dll.dmp

Object : C:\WINDOWS\system32\

 

 

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

 

"C:\WINDOWS\system32\notepad.exe"Process terminated successfully

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 24

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

e2give Object Recognized!

Type : Regkey

Data :

TAC Rating : 7

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : appid\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}

 

e2give Object Recognized!

Type : Regkey

Data :

TAC Rating : 7

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}

 

e2give Object Recognized!

Type : RegValue

Data :

TAC Rating : 7

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}

Value : AppID3

 

e2give Object Recognized!

Type : RegValue

Data :

TAC Rating : 7

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}

Value :

 

e2give Object Recognized!

Type : RegValue

Data :

TAC Rating : 7

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}

Value : AppID

 

e2give Object Recognized!

Type : Regkey

Data :

TAC Rating : 7

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : typelib\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}

 

Prutect Object Recognized!

Type : Regkey

Data :

TAC Rating : 8

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : appid\iebhos.dll

 

Prutect Object Recognized!

Type : Regkey

Data :

TAC Rating : 8

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{3643abc2-21bf-46b9-b230-f247db0c6fd6}

 

Spyware.E2Give Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\classes\appid\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}

 

Spyware.E2Give Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\classes\typelib\{3b99f202-145a-4e5a-ac7b-88a36910bf5e}

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 10

Objects found so far: 34

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 34

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 34

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 34

 

 

Deep scanning and examining files (D:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for D:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 34

 

 

Deep scanning and examining files (J:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for J:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 34

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 34

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

e2give Object Recognized!

Type : Regkey

Data :

TAC Rating : 7

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : iebhos.control

 

e2give Object Recognized!

Type : Regkey

Data :

TAC Rating : 7

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : iebhos.control.1

 

e2give Object Recognized!

Type : Regkey

Data :

TAC Rating : 7

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\e2g

 

e2give Object Recognized!

Type : Folder

TAC Rating : 7

Category : Malware

Comment : e2give

Object : C:\Program Files\E2G

 

e2give Object Recognized!

Type : Folder

TAC Rating : 7

Category : Malware

Comment : e2give

Object : C:\Program Files\\\E2G

 

e2give Object Recognized!

Type : File

Data : IeBHOs.dll

TAC Rating : 7

Category : Malware

Comment :

Object : C:\Program Files\e2g\

 

 

 

e2give Object Recognized!

Type : File

Data : IeBHOs.dll

TAC Rating : 7

Category : Malware

Comment :

Object : C:\Program Files\\e2g\

 

 

 

Spyware.E2Give Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Data Miner

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : software\classes\appid\iebhos.dll

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 8

Objects found so far: 42

 

6:12:34 PM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:46:30.859

Objects scanned:226853

Objects identified:18

Objects ignored:0

New critical objects:18

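Reading a log like the one above by hand is tedious: the same "Win32.Generic.PWS Object Recognized!" block repeats once for every process that had inicfg32.dll in memory, and the registry findings scatter one CLSID across several records. The script below is an added example for this thread, not code from Lavasoft, Ad-Aware or the poster. It parses the record layout visible in the log (a "#:N [name.exe]" process header, "Key : Value" lines, detection records opened by "<family> Object Recognized!" and closed by a blank line), counts records per family, lists which processes had each flagged DLL loaded, and collects the CLSIDs the registry findings revolve around. The embedded excerpt is constructed from a few records in the shape of the log above, not the full log, and the process-count threshold in widely_loaded is my own heuristic.

```python
"""Summarise an Ad-Aware SE scan log of the kind pasted in the post above.

Added example; not Lavasoft's or the poster's code. Assumes the record
layout seen in the log: "#:N [name.exe]" process headers, "Key : Value"
lines, and detection records opened by "<family> Object Recognized!".
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt in the shape of the posted log (not the full log).
SAMPLE_LOG = r"""
#:2 [winlogon.exe]
ProcessID : 860

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
TAC Rating : 10
Object : C:\WINDOWS\system32\

Warning! Win32.Generic.PWS Object found in memory(C:\WINDOWS\system32\inicfg32.dll)

#:3 [services.exe]

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
Object : C:\WINDOWS\system32\

#:4 [lsass.exe]

Win32.Generic.PWS Object Recognized!
Type : Process
Data : inicfg32.dll
Object : C:\WINDOWS\system32\

Started registry scan

e2give Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{3643abc2-21bf-46b9-b230-f247db0c6fd6}

Prutect Object Recognized!
Type : Regkey
TAC Rating : 8
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{3643abc2-21bf-46b9-b230-f247db0c6fd6}
"""

PROCESS_RE = re.compile(r"^#:\d+ \[(?P<name>[^\]]+)\]$")
DETECTION_RE = re.compile(r"^(?P<family>\S.*?) Object Recognized!$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_log(text):
    """One dict per 'Object Recognized!' record; process-type records keep
    the name of the process section they appeared under, others get None."""
    detections, current_process, record = [], None, None

    def finish(rec):
        if rec.get("type") != "Process":
            rec["process"] = None
        detections.append(rec)

    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line closes an open record
            if record is not None:
                finish(record)
                record = None
            continue
        m = PROCESS_RE.match(line)
        if m:
            current_process = m.group("name").lower()
            continue
        m = DETECTION_RE.match(line)
        if m:
            record = {"family": m.group("family"), "process": current_process}
            continue
        if record is not None:            # "Key : Value" lines of the open record
            m = KV_RE.match(line)
            if m:
                record[m.group("key").strip().lower()] = m.group("value").strip()
    if record is not None:
        finish(record)
    return detections


def summarize(detections):
    """Records per family, processes per in-memory DLL, CLSIDs in registry hits."""
    families = Counter(d["family"] for d in detections)
    in_memory = defaultdict(set)
    for d in detections:
        if d.get("type") == "Process" and d.get("process") and d.get("data"):
            in_memory[d["data"].lower()].add(d["process"])
    clsids = {c.lower() for d in detections for c in CLSID_RE.findall(d.get("object", ""))}
    return {"families": dict(families),
            "in_memory": {dll: sorted(p) for dll, p in in_memory.items()},
            "clsids": sorted(clsids)}


def widely_loaded(summary, min_processes=3):
    """DLLs flagged in at least min_processes distinct processes (my own
    threshold): a module in many unrelated processes, system services
    included, points to a system-wide load point, not a per-app add-on."""
    return sorted(d for d, p in summary["in_memory"].items() if len(p) >= min_processes)


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print(s["families"], s["clsids"])
    for dll in widely_loaded(s):
        print(dll, "loaded in:", ", ".join(s["in_memory"][dll]))
```

Run against the full log above, the same three views show one DLL, inicfg32.dll, in the memory of winlogon.exe, services.exe, lsass.exe and nearly every other process, and one CLSID, {3643abc2-21bf-46b9-b230-f247db0c6fd6}, tying the e2give, Prutect and Spyware.E2Give registry records together. A DLL present in that many unrelated processes is the signature of a system-wide load point rather than a single hijacked application; the E2TakeOut report later in the thread ("AppInit key reset") fits that reading.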

Please download E2TakeOut by RubbeR DuckY from here:

 

http://www.malwarebytes.org/E2TakeOut.zip

  • Extract the file to your Desktop
  • Double click E2TakeOut.exe
  • Click the Begin Removal button
  • Wait until the program is finished scanning
  • Once done, it will produce a popup stating that the infection has been found and you need to reboot your computer to complete the removal
  • Reboot your computer
  • Once your computer has rebooted E2TakeOut will open and produce a report
  • Please copy/paste that report into your next reply

.......................

Also please post a Fresh Hijack This log.


Hi Janie! Thanks for responding so quickly. But what were you doing working Sunday night? Anyway, thank you.

 

Shortly after posting the above entry, I was reading some more posts and came across the E2TakeOut. I downloaded it, transferred it to the infected system (thank goodness for USB flash drives!) and ran it. Here's the log:

 

E2TakeOut v1.00 [http://www.malwarebytes.org]

 

Removed! C:\WINDOWS\system32\inicfg32.dll

Removed directory and files! C:\Program Files\E2G

Removed orphaned leftovers

AppInit key reset

 

I ran it again this morning; it showed nothing to clean or report.

 

Here's the latest HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 8:33:39 AM, on 6/26/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\system32\LxrJD31s.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe

C:\Documents and Settings\Owner\Desktop\E2TakeOut.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - Global Startup: Shortcut to taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Broken Internet access because of LSP provider 'c:\windows\webhdll.dll' missing

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} (InstallShield Setup Player 2K2) - http://host1.tcnet.tv/tcinstall/setup.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132581635578

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7520-b289h-tu...l/java/RntX.cab

O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\dRvclnt.dll (file missing)

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\aqezhvw.exe (file missing)


It was WebHancer (not NewDotNet) that took out your internet connectivity.

 

Download LSPfix here:

http://www.cexx.org/lspfix.htm

 

Start the program and then check the *I know what I'm doing* box.

 

Disconnect from the internet.

 

Move all instances of webhdll.dll (and nothing else) to the Remove pane. Click the Finish button.

 

I'll come back with steps for other things to fix on your HijackThis log.


Open HijackThis and do a *scan only*

When it finishes, checkmark these entries in the list and press the *fix checked* button:

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

 

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)

 

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)

 

O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\dRvclnt.dll (file missing)

 

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\aqezhvw.exe (file missing)

 

Delete this folder (if found)

 

C:\Program Files\E2G

 

Reboot your computer. Let me know if things are back to working OK.

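The entries the helper picks out above share a few tell-tale shapes: load points whose target is "(file missing)", the O10 broken-LSP line, a Shell= value in system.ini that chains an extra program after explorer.exe, a win.ini run= line, and Run/RunServices names made of non-ASCII characters. The following Python script is an added example (not code from the thread and not HijackThis's own logic) that parses a HijackThis v1.99 log and flags exactly those shapes; the sample log is constructed from the entry types seen in this thread, and the flag reasons are this editor's heuristics.

```python
"""Triage a HijackThis v1.99 log: pull out the entry types a helper checks first.

The heuristics here are an editor's, not HijackThis's own logic; the sample
log below is constructed from the entry types that appear in the thread.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: one representative line per entry type seen in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [ÿ_zskVWQEUV] C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F\VUEQWV.exe
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
F3 - REG:win.ini: run=C:\WINDOWS\inet20026\services.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\webhdll.dll' missing
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\dRvclnt.dll (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\aqezhvw.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT entry starts with a section code (R0, O2, O23 ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 entries carry the registry value name in square brackets.
O4_NAME_RE = re.compile(r"\[(?P<name>[^\]]*)\]")


@dataclass
class Finding:
    kind: str    # HJT section code
    reason: str  # why this entry deserves a look
    line: str    # the original log line


def _reasons(kind: str, body: str) -> list[str]:
    """Return the (possibly several) reasons one entry is worth reviewing."""
    reasons: list[str] = []
    if "(file missing)" in body:
        reasons.append("load point references a file that no longer exists (orphaned entry)")
    if kind == "O10":
        reasons.append("Winsock LSP chain is broken; repair with an LSP tool, do not delete by hand")
    if kind == "F2" and "Shell=" in body:
        # A healthy system.ini Shell= value is just explorer.exe; anything appended is a hijack.
        if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
            reasons.append("Shell= chains an extra program after explorer.exe")
    if kind == "F3" and "run=" in body.lower():
        reasons.append("win.ini run= autostart is rarely used legitimately on Windows XP")
    if kind == "O4":
        match = O4_NAME_RE.search(body)
        name = match.group("name") if match else ""
        if "RunServices" in body:
            reasons.append("RunServices is a Windows 9x-era load point; unexpected on XP")
        if not name.isascii() or not name.isprintable():
            reasons.append("Run entry name contains non-ASCII or non-printable characters")
    if kind == "R0" and body.rstrip().endswith("="):
        reasons.append("empty IE page value (harmless by itself; HijackThis lists it for review)")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Parse an HJT log and return one Finding per (entry, reason) pair."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue  # process list, headers, blank lines
        kind, body = match.group("kind"), match.group("body")
        for reason in _reasons(kind, body):
            findings.append(Finding(kind, reason, line))
    return findings


def by_kind(findings: list[Finding]) -> Counter:
    """Count findings per HJT section code, for a quick overview."""
    return Counter(f.kind for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
    print(dict(by_kind(triage(SAMPLE_LOG))))
```

Run against the constructed sample, the script flags nine entries and leaves the Google toolbar and NVIDIA service alone. The point of the O10 rule is the one the helper makes in the thread: a broken LSP entry is repaired by removing the missing provider from the Winsock chain, not by deleting the HijackThis line, which would leave the chain broken and the machine still offline.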

Well, CJ, things kind of came back to normal, with one or two exceptions which we can discuss when we get the new major problems resolved.

 

I rebooted, system came back up. I ran HJT scan, Ewido scan, System Suite (Trend Micro) AV scan. Everything appeared to be pretty clean.

 

Brought both systems down, reconnected "was-sick-now-better" system to router and cable modem, fired everything back up. Looked at MSIE settings, didn't look any the worse for wear, cleared out the cache, didn't see any bad cookies, and brought up IE. It went straight to my Comcast homepage and everything looked fine.

 

I then went to one of my favorite sites, a subscription site for technical analysis, and one with which I've never had any problems. A few minutes into my visit, Ewido and SSAV warnings started popping up like mad! I closed down IE but didn't physically disconnect, and ran scans using the tools mentioned above. They came up with a whole new collection of goodies, as you will see below.

 

In addition, my normal desktop had disappeared and been replaced by a black screen with a message something like " Your system is at risk of infection. You should install anti-spyware and anti-virus software!" Ha Ha. One thing you can say about these malware types is they certainly have a sense of humor.

 

After I started to try to look around using Windows Explorer and run some scans, the screens (I have dual monitors) turned white. That's the way they are as of this posting. I have not rebooted yet.

 

Here are reports from those scans:

 

I. Hijack This

 

Logfile of HijackThis v1.99.1

Scan saved at 11:40:14 AM, on 6/27/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\system32\LxrJD31s.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

F3 - REG:win.ini: run=C:\WINDOWS\inet20026\services.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKLM\..\Run: [ÿ_zskVWQEUV] C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F\VUEQWV.exe

O4 - HKLM\..\RunServices: [ÿ_zskVWQEUV] C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F\VUEQWV.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [ÿ_zskVWQEUV] C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F\VUEQWV.exe

O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

O4 - Global Startup: Shortcut to taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} (InstallShield Setup Player 2K2) - http://host1.tcnet.tv/tcinstall/setup.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132581635578

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7520-b289h-tu...l/java/RntX.cab

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

 

II. Ewido:

 

---------------------------------------------------------

ewido anti-spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 1:44:39 PM 6/27/2006

 

+ Scan result:

 

 

 

C:\Documents and Settings\Owner\Local Settings\Temp\vx6.game -> Downloader.Agent.anh : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4DM3OHAF\188[1].htm -> Downloader.Agent.at : No action taken.

C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\vxgamet1.exe.QUAR00 -> Downloader.Agent.hy : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temp\vxt1.game -> Downloader.Agent.hy : No action taken.

C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\vxgame4.exe.QUAR00 -> Downloader.Small.ctk : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temp\vx4.game -> Downloader.Small.ctk : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temp\vx3.game -> Downloader.Small.cxx : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temp\vxt3.game -> Downloader.Small.cyb : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temp\vxt2.game -> Downloader.Small.dbx : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temp\vxt4.game -> Downloader.Small.dbx : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0XEZWDUR\win32[1].exe -> Downloader.Tibs.eo : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temp\6.dlb -> Downloader.Tibs.ew : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temp\7.dlb -> Downloader.Tibs.ew : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZVLJ79OW\xpl[1].wmf -> Exploit.MS05-053-WMF : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temp\2.dlb -> Hijacker.Spywad.o : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O9QNKHAB\new[1].htm -> Not-A-Virus.Constructor.Perl.Msdds.b : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temp\SystemDoctor2006FreeInstall.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : No action taken.

C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\comdlj32.dll.QUAR00 -> Proxy.Agent.ji : No action taken.

C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\OEM.exe.QUAR00 -> Proxy.Agent.jw : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temp\vx2.game -> Proxy.Agent.km : No action taken.

C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\taskdir.dll.QUAR00 -> Proxy.Lager.aq : No action taken.

C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\TheMatrixHasYou.exe.QUAR00 -> Proxy.Small.bo : No action taken.

C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\socks.exe.QUAR00 -> Proxy.Small.bt : No action taken.

C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\select.exe.QUAR00 -> Proxy.Small.em : No action taken.

C:\Documents and Settings\Owner\Application Data\VCOM\SystemSuite\Quarantine\alg.exe.QUAR00 -> Worm.Delf.i : No action taken.

 

::Report end

 

 

III. System Suite (Trend Micro) AV Scan:

 

On-Demand Virus Scanner Results:

 

Run: 6/27/2006 10:46:39 AM

 

Drives scanned:

C:\

D:\

Categories checked:

Boot Sectors

Executables

Macros

 

Results:

 

Found potential threat

In File: C:\WINDOWS\comdlj32.dll

Name: TROJ_AGENT.BPM

Requested action: Remove potential threat.

Results: Potential threat removal attempt failed. File quarantined.

 

Found potential threat

In File: C:\WINDOWS\inet20026\alg.exe

Name: TROJ_CHOPHAR.A

Requested action: Automatically attempt to remove potential threat from infected file.

Result: Potential threat removal attempt failed. File quarantined.

 

Found potential threat

In File: C:\WINDOWS\inet20026\select.exe

Name: TROJ_SMALL.WL

Requested action: Automatically attempt to remove potential threat from infected file.

Result: Potential threat removal attempt failed. File quarantined.

 

Found potential threat

In File: C:\WINDOWS\inet20026\socks.exe

Name: TROJ_PROXY.AC

Requested action: Automatically attempt to remove potential threat from infected file.

Result: Potential threat removal attempt failed. File quarantined.

 

Found potential threat

In File: C:\WINDOWS\OEM.exe

Name: TROJ_PROXY.BN

Requested action: Automatically attempt to remove potential threat from infected file.

Result: Potential threat removal attempt failed. File quarantined.

 

Found potential threat

In File: C:\WINDOWS\system32\taskdir.dll

Name: TROJ_LAGER.Z

Requested action: Automatically attempt to remove potential threat from infected file.

Result: Potential threat removal attempt failed. File quarantined.

 

Found potential threat

In File: C:\WINDOWS\system32\TheMatrixHasYou.exe

Name: TROJ_DAEMONIZ.AM

Requested action: Automatically attempt to remove potential threat from infected file.

Result: Potential threat removal attempt failed. File quarantined.

 

Found potential threat

In File: C:\WINDOWS\system32\vxgame4.exe

Name: TROJ_SMALL.BBN

Requested action: Automatically attempt to remove potential threat from infected file.

Result: Potential threat removal attempt failed. File quarantined.

 

Found potential threat

In File: C:\WINDOWS\system32\vxgamet1.exe

Name: TROJ_DLOADER.CTO

Requested action: Automatically attempt to remove potential threat from infected file.

Result: Potential threat removal attempt failed. File quarantined.

 

Files not scanned:

C:\hiberfil.sys

C:\pagefile.sys

 

11115 Executables scanned

1596 Macros scanned

12 Files inside archives scanned

2 Files that could not be scanned (files in use, encrypted archives, etc.)

12753 Total files scanned

 

 

If you don't need or want the Ewido or AV scans, I won't paste them into future postings.

 

My biggest questions are where does this stuff come from, how does it get through and what do I have to do to prevent it? I have some specific questions for you once, and if, we get this mess cleaned up.

 

Thanks,

 

Bill


Something that I forgot to add is that whenever I go directly to the Desktop folder using Windows Explorer (one of the only ways I can access those desktop shortcuts now!), I get an AV popup warning me of something called "PE_Generic." It's probably one of, if not the main, culprits responsible for these pretty blank, white screens looking at me now.


I have to wonder if you have a rootkit and a backdoor trojan (I know you have a backdoor trojan and some other very nasty things...and your PC is also being used to send spam by a spambot).

 

Keep this PC off the net. Run these two tools to produce a log:

 

Post a report from this tool

 

Download the free beta trial of this tool from F-Secure called Blacklight

F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml

Doubleclick on bibeta.exe to run it.

Click the *I accept* button near the bottom of that page.

Download and run Blacklight, click > Scan, then > Next, Next again, then Exit.

There will be a new text file near Blacklight. Post it, please. The text file is named:

fsbl.xxxxxxx.log (the xxxxxxx stands for numbers)

!!Do not rename any files yet

 

..................

And this tool:

 

Please download Rootkit Revealer

http://www.sysinternals.com/utilities/rootkitrevealer.html

(link is at the very bottom of the page)

 

Unzip it to your desktop.

Open the rootkitrevealer folder and double-click rootkitrevealer.exe

Click the Scan button (bottom right)

It may take a while to scan (don't do anything while it's running - leave the PC idle during the scan!)

When it's done, go up to File > Save. Choose to save it to your desktop.

Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here.


Oh, and the Ewido report...says "no action taken"

 

Here's what you need to be doing. At the end of the scan you are presented with a list of infected files found.

 

Press the *Recommended Action* link and choose *quarantine* from the list....then hit the *Apply to all* button

 

[screenshot: EwidoSetAllElementsQuarantine.gif]

 

Then *Apply to all*

[screenshot: EwidoApplyAllActions.gif]


BlackLight Beta could not run. It returned this message:

 

"F-Secure BlackLight could not acquire necessary privileges (SeDebugPrivilege)."

"- Your computer settings may prevent acquiring these privileges.

-A malicious program might have disabled these privileges."

 

I encountered a similar message when I tried to run ListDLLs a few days ago: "No debug privilege." I then proceeded to manually start debug in a DOS window just fine.

 

Must not be the same thing.

 

Here is the scan report from Root Kit Reveal:

 

S-1-5-21-2237693894-1415581680-2428159654-1003 0 bytes Error dumping hive: The system cannot find the file specified.

HKLM\SOFTWARE\Classes\webcal\URL Protocol 2/17/2005 12:26 PM 13 bytes Data mismatch between Windows API and raw hive data.

C:\System Volume Information\catalog.wci\0001000A.ci 6/27/2006 5:46 PM 332.00 KB Hidden from Windows API.

C:\System Volume Information\catalog.wci\0001000A.dir 6/27/2006 5:46 PM 1.31 KB Hidden from Windows API.

C:\System Volume Information\catalog.wci\0001000C.ci 6/27/2006 5:47 PM 4.00 KB Hidden from Windows API.

C:\System Volume Information\catalog.wci\0001000C.dir 6/27/2006 5:47 PM 320 bytes Hidden from Windows API.

C:\System Volume Information\catalog.wci\0001000E.ci 6/27/2006 5:52 PM 4.00 KB Hidden from Windows API.

C:\System Volume Information\catalog.wci\0001000E.dir 6/27/2006 5:52 PM 320 bytes Hidden from Windows API.

C:\System Volume Information\catalog.wci\CiFLfffc.000 6/27/2006 5:52 PM 240 bytes Hidden from Windows API.

C:\System Volume Information\catalog.wci\CiFLfffc.001 6/27/2006 5:52 PM 576.00 KB Hidden from Windows API.

C:\System Volume Information\catalog.wci\CiFLfffc.002 6/27/2006 5:52 PM 576.00 KB Hidden from Windows API.

C:\System Volume Information\catalog.wci\CiFLfffd.000 6/27/2006 5:47 PM 240 bytes Visible in Windows API, but not in MFT or directory index.

C:\System Volume Information\catalog.wci\CiFLfffd.001 6/27/2006 5:47 PM 576.00 KB Visible in Windows API, but not in MFT or directory index.

C:\System Volume Information\catalog.wci\CiFLfffd.002 6/27/2006 5:47 PM 576.00 KB Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 6/27/2006 5:40 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.

D: 0 bytes Error mounting volume

 

- end -

 

Drive D: on this system is a partition on physical drive C: in which all the system backup files are stored.

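RootkitRevealer output like the report above is read by discrepancy type: "Hidden from Windows API" is the line that matters for a rootkit, "Visible in Windows API, but not in MFT or directory index" usually means a file changed between the two scan passes, "Data mismatch" is a registry value that differs between the API view and the raw hive, and the "Error" lines are scan failures rather than findings. The Python below is an added example (not from the thread and not Sysinternals code) that parses such a report and separates hits in locations where churn is expected from hits that need a closer look. The sample report reuses lines from the report above plus one constructed line marked as such; the allow-list of churn-prone paths (the Indexing Service catalog, which cisvc.exe and cidaemon.exe in the process list keep rewriting, and the Windows Update datastore log) is an assumption the reader should tune, not a rule from the tool's documentation.

```python
"""Bucket RootkitRevealer discrepancies into: needs review / expected churn / scan error.

Added example. The churn allow-list is an assumption to tune for the machine in
hand, not a rule from Sysinternals.
"""
from __future__ import annotations

import re

# Lines from the thread's report, plus one constructed line (sample-hidden.sys)
# that stands in for a discrepancy outside any churn-prone directory.
SAMPLE_RKR = r"""
S-1-5-21-2237693894-1415581680-2428159654-1003 0 bytes Error dumping hive: The system cannot find the file specified.
HKLM\SOFTWARE\Classes\webcal\URL Protocol 2/17/2005 12:26 PM 13 bytes Data mismatch between Windows API and raw hive data.
C:\System Volume Information\catalog.wci\0001000A.ci 6/27/2006 5:46 PM 332.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.000 6/27/2006 5:47 PM 240 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 6/27/2006 5:40 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\drivers\sample-hidden.sys 6/27/2006 5:50 PM 12.00 KB Hidden from Windows API.
D: 0 bytes Error mounting volume
"""

# path, optional timestamp, size, discrepancy text. Path is non-greedy so the
# timestamp/size pair anchors the split even when the path contains spaces.
RKR_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<date>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+)?"
    r"(?P<size>[\d.]+ (?:bytes|KB|MB))\s+"
    r"(?P<disc>.+)$"
)

# Assumption: locations whose files are rewritten while a scan runs, so that
# discrepancies there are expected. Compared case-insensitively as prefixes.
EXPECTED_CHURN = (
    r"c:\system volume information\catalog.wci",      # Indexing Service catalog
    r"c:\windows\softwaredistribution\datastore\logs",  # Windows Update database log
)


def classify(disc: str) -> str:
    """Map RootkitRevealer's discrepancy text to a short category."""
    d = disc.lower()
    if d.startswith("hidden from windows api"):
        return "hidden"            # the classic rootkit signal
    if d.startswith("visible in windows api"):
        return "stale"             # file changed between the API pass and the raw pass
    if d.startswith("data mismatch"):
        return "registry-mismatch"  # API view of a value differs from the raw hive
    if d.startswith("error"):
        return "error"             # scan could not read something; not a finding
    return "other"


def triage_rkr(report: str) -> dict[str, list[tuple[str, str]]]:
    """Return {'review': [...], 'expected-churn': [...], 'error': [...]} of (category, path)."""
    buckets: dict[str, list[tuple[str, str]]] = {"review": [], "expected-churn": [], "error": []}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = RKR_RE.match(line)
        if not match:
            continue  # header/footer lines such as "- end -"
        path, category = match.group("path"), classify(match.group("disc"))
        entry = (category, path)
        if category == "error":
            buckets["error"].append(entry)
        elif any(path.lower().startswith(prefix) for prefix in EXPECTED_CHURN):
            buckets["expected-churn"].append(entry)
        else:
            buckets["review"].append(entry)
    return buckets


if __name__ == "__main__":
    for bucket, entries in triage_rkr(SAMPLE_RKR).items():
        print(f"== {bucket} ({len(entries)})")
        for category, path in entries:
            print(f"  [{category}] {path}")
```

On the sample, everything under the Indexing Service catalog and the Windows Update log lands in the expected-churn bucket, the two error lines (the hive that could not be dumped and the unmountable D: volume) are set aside, and only the registry mismatch and the constructed hidden driver remain for review. A real triage would then check the remaining paths against the other logs rather than trusting the allow-list blindly; the allow-list only decides what to look at first.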

SeDebugPrivilege error is usually a result of damage by the Look2me pest. This tool fixes that one and a couple of others, and produces a good log of diagnostic stuff for me to look at ;)

 

1. Download this file - combofix.exe

http://download.bleepingcomputer.com/sUBs/combofix.exe

 

2. Double click on combofix.exe & follow the prompts.

 

Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no)

Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders)

 

Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

 

3. When finished, it shall produce a log for you. Post that log in your next reply.


Here is the log from combofix.exe (You're right. This is quite a file. I have added a note at the end.):

 

Start Time= Tue 06/27/2006 21:31:52.85

Running from: C:\Bleeping Computer

 

(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

21:32:57.84

 

* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

2006-06-22 16:38:44 48,167 "C:\WINDOWS\system32\VSL05.exe"

2006-06-27 11:23:00 2 "C:\WINDOWS\system32\maxd641.exe"

2006-06-27 10:42:30 22,528 "C:\WINDOWS\system32\vxgame1.exe"

2006-06-27 10:42:30 35,952 "C:\WINDOWS\system32\vxgame2.exe"

2006-06-22 16:38:22 8,464 "C:\WINDOWS\system32\sporder.dll"

2006-06-22 17:04:44 53 "C:\WINDOWS\nqocec.dat"

 

 

* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

06/22/2006 05:04 PM 53 nqocec.dat.vir

 

 

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO

 

 

* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

2006-06-27 11:23:00 2 "C:\WINDOWS\system32\maxd641.exe"

2006-06-27 10:42:30 22,528 "C:\WINDOWS\system32\vxgame1.exe"

2006-06-27 10:42:30 35,952 "C:\WINDOWS\system32\vxgame2.exe"

2006-06-22 16:38:44 48,167 "C:\WINDOWS\system32\VSL05.exe"

2006-06-22 16:38:22 8,464 "C:\WINDOWS\system32\sporder.dll"

 

 

((((((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\SYSTEM32\BK.EXE

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

 

21:36:33.23

((((((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\drsmartload1.exe

C:\drsmartload45g.exe

C:\drsmartload46g.exe

C:\drsmartload849a.exe

C:\drsmartload849g.exe

C:\Mendoza1.exe

C:\dfndra.exe

C:\nwnm.exe

C:\kybrd.exe

C:\WINDOWS\newname.dat

C:\WINDOWS\keyboard1.dat

C:\Program Files\Common Files\misc001

C:\Program Files\Common Files\simtest

C:\Program Files\Common Files\svchostsys

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-06-27 11:23:00 2 ( A.... ) "C:\WINDOWS\system32\maxd641.exe"

2006-06-27 10:43:14 46592 ( A.... ) "C:\WINDOWS\system32\zlbw.dll"

2006-06-27 10:42:44 9266 ( A.... ) "C:\WINDOWS\system32\taskdir~.exe"

2006-06-27 10:42:30 35952 ( A.... ) "C:\WINDOWS\system32\vxgame2.exe"

2006-06-27 10:42:30 35952 ( A.... ) "C:\WINDOWS\system32\_zskwrkni05YTWFESJ]_VUT^MYZ.exe"

2006-06-27 10:42:30 22528 ( A.... ) "C:\WINDOWS\system32\vxgame1.exe"

2006-06-27 10:41:56 1510595 ( A.... ) "C:\Documents and Settings\Owner\Application Data\Install.dat"

2006-06-27 10:41:52 17894 ( A.... ) "C:\WINDOWS\xpupdate.exe"

2006-06-27 10:41:52 6630 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq5.exe"

2006-06-27 10:41:50 2518 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq1.exe"

2006-06-27 10:41:50 15 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq8.exe"

2006-06-27 10:41:44 7792 ( A.... ) "C:\WINDOWS\system32\kernels8.exe"

2006-06-26 12:26:58 ( .D... ) "C:\Program Files\LSPFixer"

2006-06-24 16:32:46 ( .D... ) "C:\Program Files\SysInternals"

2006-06-24 16:24:16 0 ( A.... ) "C:\Program Files\New Shortcut"

2006-06-24 14:22:42 ( .D... ) "C:\Program Files\Hijackthis"

2006-06-23 16:52:16 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"

2006-06-22 16:59:02 143360 ( A.... ) "C:\WINDOWS\ms061878-53406.exe"

2006-06-22 16:41:14 32768 ( A.... ) "C:\WINDOWS\tbggdhbu.exe"

2006-06-22 16:40:26 1392640 ( A.... ) "C:\WINDOWS\cfg32a.exe"

2006-06-22 16:38:58 928 ( A.... ) "C:\WINDOWS\system32\nt68rrtc12.sys"

2006-06-22 16:38:58 928 ( A.... ) "C:\WINDOWS\system32\nt68rrtc12.sys"

2006-06-22 16:38:46 20480 ( A.... ) "C:\stub_sca3.exe"

2006-06-22 16:38:44 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"

2006-06-22 16:38:38 174669 ( A.... ) "C:\WINDOWS\srvdijtuly.exe"

2006-06-22 16:38:22 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"

2006-06-22 16:38:04 45056 ( A.... ) "C:\wd7gi8n.exe"

2006-06-22 16:37:56 129649 ( A.... ) "C:\WINDOWS\elpp100drop.exe"

2006-06-22 16:37:52 175362 ( A.... ) "C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe"

2006-06-22 16:37:46 319294 ( A.... ) "C:\WINDOWS\YOINSI.exe"

2006-06-22 16:37:30 234248 ( A.... ) "C:\WINDOWS\Tagasuarus2.exe"

2006-06-22 16:31:52 13373 ( A.... ) "C:\mx.exe"

2006-06-17 23:41:48 ( .D... ) "C:\Program Files\SideCar"

2006-06-02 09:59:04 ( .D... ) "C:\Documents and Settings\Owner\Application Data\ArcSoft"

2006-06-01 15:19:22 4608 ( A.... ) "C:\WINDOWS\system32\w95inf32.dll"

2006-06-01 15:19:22 2272 ( A.... ) "C:\WINDOWS\system32\w95inf16.dll"

2006-06-01 15:18:42 ( .D... ) "C:\Program Files\ArcSoft"

2006-05-30 18:19:18 2088960 ( A.... ) "C:\WINDOWS\cfg32.exe"

2006-05-30 18:09:20 24576 ( A.... ) "C:\WINDOWS\Uninstall.exe"

2006-05-01 22:40:40 ( .D... ) "C:\Program Files\Windows Defender"

 

 

((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"

"SunKistEM"="C:\\Program Files\\Digital Media Reader\\shwiconem.exe"

"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

"nwiz"="nwiz.exe /install"

"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\

6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00

"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"

"Fix-It AV"="C:\\PROGRA~1\\VCOM\\SYSTEM~1\\MemCheck.exe"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]

"flags"=dword:00000008

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"ÿ_zskVWQEUV"="C:\\WINDOWS\\system32\\_zskwrkni05]^JUW_Y]F\\VUEQWV.exe"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=dword:00000000

"DisableTaskMgr"=dword:00000001

"Wallpaper"="C:\\WINDOWS\\desktop.html"

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000000

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

"Source"="C:\\Program Files\\Outlook Express\\kyfewyqe.html"

"SubscribedURL"=""

"FriendlyName"=""

"Flags"=dword:00002000

"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\

03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00

"CurrentState"=dword:40000001

"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\

00,00,01,00,00,40

"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]

"Source"="C:\\Program Files\\Online Services\\hocy.html"

"SubscribedURL"=""

"FriendlyName"=""

"Flags"=dword:00002000

"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\

03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00

"CurrentState"=dword:40000001

"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\

00,00,01,00,00,40

"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

00,00,00,00,00,00

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

"Flags"=dword:00000002

"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,ec,\

03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

"CurrentState"=dword:40000004

"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\

00,00,04,00,00,40

"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\

00,00,01,00,00,00

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "

"item"="Adobe Reader Speed Launch"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

"backup"="C:\\WINDOWS\\pss\\BigFix.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\BigFix\\BigFix.exe /atstartup"

"item"="BigFix"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"

"item"="Logitech Desktop Messenger"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideCar DCIS Authentication.lnk]

"backup"="C:\\WINDOWS\\pss\\SideCar DCIS Authentication.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\SideCar\\SideCar.exe "

"item"="SideCar DCIS Authentication"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Zeno.lnk]

"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\Zeno.lnk"

"backup"="C:\\WINDOWS\\pss\\Zeno.lnkStartup"

"location"="Startup"

"command"="C:\\WINDOWS\\system32\\owinrqez.exe GID003"

"item"="Zeno"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Z_Start.lnk]

"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\Z_Start.lnk"

"backup"="C:\\WINDOWS\\pss\\Z_Start.lnkStartup"

"location"="Startup"

"command"="C:\\WINDOWS\\system32\\ZICORN~1.EXE CORN003"

"item"="Z_Start"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"=""

"hkey"="HKLM"

"command"=""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aqezhvwA]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="aqezhvwA"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\aqezhvwA.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="owinrqez"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\system32\\owinrqez.exe GID003"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="cfg32"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\cfg32.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpue]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="dexplore"

"hkey"="HKCU"

"command"="\"C:\\DOCUME~1\\Owner\\MYDOCU~1\\SMANTE~1\\dexplore.exe\" -vt yazr"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="dfndra"

"hkey"="HKLM"

"command"="C:\\\\dfndra.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="iTunesHelper"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kbdoc3]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="kbdoc3"

"hkey"="HKCU"

"command"="C:\\WINDOWS\\system32\\kbdoc3.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="kybrd"

"hkey"="HKLM"

"command"="C:\\\\kybrd.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="ISStart"

"hkey"="HKLM"

"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="LogiTray"

"hkey"="HKLM"

"command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms061878-53406]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="ms061878-53406"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\ms061878-53406.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="NEWDOT~2"

"hkey"="HKLM"

"command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="nwnm"

"hkey"="HKLM"

"command"="C:\\\\nwnm.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="NvMcTray"

"hkey"="HKLM"

"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="NVMixerTray"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSSelectorReinstall]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="oss_reinstall"

"hkey"="HKLM"

"command"="C:\\Program Files\\Common Files\\Acronis\\Acronis Disk Director\\oss_reinstall.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PECarlin]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="PECarlin"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\PECarlin\\PECarlin.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pop06ap]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="pop06ap2"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\pop06ap2.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pop06apelt]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="thiselt"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\thiselt.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="qttask"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="PDVDServ"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"

"item"="services"

"hkey"="HKCU"

"command"="C:\\WINDOWS\\inet20026\\services.exe"

"inimapping"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys_up1]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="svchostsys"

"hkey"="HKCU"

"command"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="CCZoop05"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\CCZoop05.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="realsched"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="AdobeUpdateManager"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{AD-DC-CC-CA-ZN}]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="pqdsregs"

"hkey"="HKLM"

"command"="C:\\windows\\system32\\pqdsregs.exe GID003"

"inimapping"="0"

 

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\ISP signup reminder 3.job

C:\WINDOWS\tasks\MP Scheduled Scan.job

C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Owner.job

 

Completion time: Tue 06/27/2006 21:36:37.81

ComboFix ver 06.06.26 - This logfile is located at C:\ComboFix.txt

 

WNF note: I see a reference to Elite Media above. In going through the IE settings screens, I saw Elite Media had been added as a trusted site. I manually deleted it. Later, I thought of it and used RegEdit to find numerous registry entries referencing Elite Media. I left them alone.

 

Thanks.


This is quite a mess :P

 

1. Make a copy of these instructions to have handy, as all cleaning needs to be done in Safe Mode with all browsers closed. First, open Ewido, select *Update* at the top, and download and install any new updates.

 

2. Please download Brute Force Uninstaller to your desktop.

  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.

Save it in the same folder you made earlier (c:\BFU).

 

Do not do anything with these yet!

 

4. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit Enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

5. Once in safe mode, start Ewido AntiMalware

 

a. Click on scanner

 

b. Click on *complete system scan*

 

c. Let the program scan the machine.

 

d. When the scan is done you will see a list of infected objects (if any are found). At the bottom of the list, please click on "recommended action", choose "Set all elements to quarantine", and check the box "Perform action with all infections".

If you get a warning about a file being in an archive, please choose *yes* to quarantine the entire archive

 

e. When the scanner finishes, click on "Save Report" at the bottom. This will create a text file. Make sure you know where to find this file again.

 

6. Then, please go to Start > My Computer and navigate to the C:\BFU folder.

  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Checkmark the "Show log after script ends" box before running the program.
  • Behind the "Scriptline to execute" field, click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the "Complete script execution" box to pop up and press OK.
  • Click "Save" and in "Filename" enter log.txt
  • Click Exit to exit the BFU program.

Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder.

 

 

7. Stay in safe mode and run a full system scan with your Trend-Micro AV and let it remove any infected files found.

 

Reboot back into normal mode

 

8. Now please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

 

Logs needed in your next post are:

 

log.txt will be in the C:\BFU\ folder

 

Ewido Scan log

 

Fresh HijackThis log

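As an added example, not code from the thread or from any of the tools it names, the following Python script parses a ComboFix-style "Reg Loading Points" dump (the .reg syntax used above: `[key]` headers, `"name"="value"` lines, and `hex(2):` data continued over a trailing backslash) and flags the launch points a helper picks out by eye, such as a RunServices value with a non-ASCII name whose executable sits in an oddly named sub-folder of system32, or an executable dropped directly in the drive root. The sample dump, the heuristics and the function names are constructed for this example.

```python
import re
# Constructed sample in the dump's own .reg syntax (entries copied from the thread);
# the hex(2) value continues after a trailing backslash across a blank line, as extracted.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\

6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"ÿ_zskVWQEUV"="C:\\WINDOWS\\system32\\_zskwrkni05]^JUW_Y]F\\VUEQWV.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"item"="kybrd"
"command"="C:\\\\kybrd.exe"
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_LAUNCH_KEYS = {"run", "runonce", "runonceex", "runservices", "runservicesonce"}

def _unescape(s):
    # .reg escaping: backslash-backslash -> backslash, backslash-quote -> quote
    return re.sub(r'\\(.)', r'\1', s)

def _decode_hex(payload, reg_type):
    data = bytes(int(b, 16) for b in payload.split(',') if b)
    if reg_type not in (2, 7):              # only EXPAND_SZ / MULTI_SZ are text
        return data
    # REGEDIT4-style dumps (as here) are one byte per char; Regedit 5.00 exports are UTF-16LE
    utf16 = len(data) > 1 and len(data) % 2 == 0 and not any(data[1::2])
    text = data.decode('utf-16-le' if utf16 else 'latin-1')
    return text.rstrip('\0').replace('\0', '|')   # '|' between MULTI_SZ strings

def parse_dump(text):
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    key, i = None, 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, raw = _unescape(m.group(1)), m.group(2)
        while raw.endswith('\\') and i < len(lines):   # continuation lines
            raw, i = raw[:-1] + lines[i], i + 1
        if raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])
        elif raw.startswith('dword:'):
            value = int(raw[6:], 16)
        else:
            h = re.match(r'hex(?:\((\d+)\))?:(.*)', raw)
            if not h:
                continue
            value = _decode_hex(h.group(2), int(h.group(1) or 3))
        yield key, name, value              # value: str, int (dword) or bytes

def _is_launch_point(key, name):
    k = key.lower()
    return k.rsplit('\\', 1)[-1] in _LAUNCH_KEYS or ('msconfig\\startup' in k and name == 'command')

def launch_target(command):
    # Quoted first token, else up to the first executable extension (handles unquoted
    # "C:\Program Files\..." paths), else the first token; rundll32's DLL argument is the payload.
    m = (re.match(r'\s*"([^"]*)"', command)
         or re.match(r'\s*(\S.*?\.(?:exe|dll|com|scr|bat))(?=\s|$)', command, re.I)
         or re.match(r'\s*(\S+)', command))
    exe = m.group(1) if m else ''
    if exe.lower().rsplit('\\', 1)[-1] in ('rundll32', 'rundll32.exe'):
        exe = command[m.end():].strip().split(',', 1)[0].strip('"')
    return exe

def _reasons(name, target):
    reasons = []
    if any(not 32 <= ord(c) <= 126 for c in name):
        reasons.append('non-ASCII characters in value name')
    if '\\\\' in target:
        reasons.append('doubled path separator')
    path = target.lower().replace('\\\\', '\\')
    folder = path.rpartition('\\')[0]
    if folder == 'c:':
        reasons.append('executable in the drive root')
    elif folder == 'c:\\windows':
        reasons.append('executable directly in %SystemRoot%')
    elif folder.startswith('c:\\windows\\system32\\'):
        reasons.append('executable in a sub-folder of system32')
    if re.search(r'[^a-z0-9_.\-~%\\:() ]', path):
        reasons.append('unusual characters in path')
    return reasons

def triage(dump):
    # (key, name, command, reasons) for every launch point that trips a heuristic
    return [(k, n, v, r) for k, n, v in parse_dump(dump)
            if isinstance(v, str) and _is_launch_point(k, n)
            and (r := _reasons(n, launch_target(v)))]
```

Running `triage(SAMPLE)` flags only the RunServices value and the msconfig "keyboard" command; the legitimate Run entries, including the hex(2)-encoded UserFaultCheck, pass clean.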

Here are the logs you requested:

 

BFU Log:

 

BFU v1.00.9

Windows XP SP2 (WinNT 5.01.2600 SP2)

Script started at 1:43:34 PM, on 6/28/2006

 

Option Unload Explorer: Yes

Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)

Failed: ServiceStop Network Monitor (service not found)

Failed: ServiceStop cmdService (service not found)

Failed: ServiceDisable Network Monitor (service not found)

Failed: ServiceDisable cmdService (service not found)

Failed: ServiceDelete Network Monitor (service not found)

Failed: ServiceDelete cmdService (service not found)

Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)

Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)

Option pause between commands: 300 ms

Option pause between commands: 50 ms

Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)

Failed: FolderDelete C:\Program Files\winupdates (folder not found)

Failed: FolderDelete C:\Program Files\winupdate (folder not found)

Failed: FolderDelete C:\Program Files\winsupdater (folder not found)

Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)

Failed: FolderDelete C:\Program Files\MsMovies (folder not found)

Failed: FolderDelete C:\Program Files\wmplayer (folder not found)

Failed: FolderDelete C:\Program Files\outlook (folder not found)

Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)

Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)

Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Perflib_Perfdata_46c.dat (operation failed)

Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFBA9E.tmp (operation failed)

Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)

Failed: FolderDelete C:\Program Files\DNS (folder not found)

Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)

Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\simtest (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\misc001 (folder not found)

Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)

Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)

Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)

Failed: FolderDelete C:\Program Files\Update06 (folder not found)

Failed: FolderDelete C:\Program Files\Update03 (folder not found)

Failed: FolderDelete C:\Program Files\Update04 (folder not found)

Failed: FolderDelete C:\Program Files\Update08 (folder not found)

Failed: FolderDelete C:\Program Files\W-Update (folder not found)

Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)

Failed: FolderDelete C:\Program Files\Cas (folder not found)

Failed: FolderDelete C:\Program Files\CasStub (folder not found)

Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)

Failed: FolderDelete C:\Program Files\ipwins (folder not found)

Failed: FolderDelete C:\WINDOWS\mdrive (folder not found)

Failed: FolderDelete C:\Program Files\PECarlin (folder not found)

Failed: FolderDelete C:\Program Files\AXVenore (folder not found)

Failed: FolderDelete C:\Program Files\SDVita (folder not found)

Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)

Script completed.

 

 

Ewido Log:

 

---------------------------------------------------------

ewido anti-spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 1:35:09 PM 6/28/2006

 

+ Scan result:

 

C:\WINDOWS\cfg32.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).

C:\WINDOWS\cfg32a.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).

C:\WINDOWS\tbggdhbu.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).

C:\stub_sca3.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).

C:\RECYCLER\S-1-5-21-2237693894-1415581680-2428159654-500\Dc1.0000 -> Adware.ClickSpring : Cleaned with backup (quarantined).

C:\WINDOWS\Downloaded Program Files\amm06.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).

C:\wd7gi8n.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).

C:\WINDOWS\system32\dlh9jkdq5.exe -> Downloader.Small.cwj : Cleaned with backup (quarantined).

C:\WINDOWS\system32\kernels8.exe -> Downloader.Tibs.eo : Cleaned with backup (quarantined).

C:\WINDOWS\ms061878-53406.exe -> Downloader.VB.aga : Cleaned with backup (quarantined).

C:\WINDOWS\xpupdate.exe -> Hijacker.Spywad.o : Cleaned with backup (quarantined).

C:\mx.exe -> Hijacker.VB.lb : Cleaned with backup (quarantined).

C:\WINDOWS\desktop.html -> Not-A-Virus.Hoax.Win32.Renos.cy : Cleaned with backup (quarantined).

C:\WINDOWS\inet20026\ICQ2003Decrypt.dll -> Not-A-Virus.PSWTool.Win32.ICQ.l : Cleaned with backup (quarantined).

C:\WINDOWS\system32\_zskwrkni05YTWFESJ]_VUT^MYZ.exe -> Proxy.Agent.km : Cleaned with backup (quarantined).

C:\WINDOWS\system32\vxgame2.exe -> Proxy.Agent.km : Cleaned with backup (quarantined).

C:\WINDOWS\inet20026\Icq.exe -> Trojan.Agent.gq : Cleaned with backup (quarantined).

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.aa : Cleaned with backup (quarantined).

 

 

::Report end

 

 

HijackThis Log:

 

Logfile of HijackThis v1.99.1

Scan saved at 3:42:24 PM, on 6/28/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.trendmicro.com/vinfo/virusencyc...=TROJ_MUDROP.BQ

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKLM\..\RunServices: [ÿ_zskVWQEUV] C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F\VUEQWV.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Shortcut to taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} (InstallShield Setup Player 2K2) - http://host1.tcnet.tv/tcinstall/setup.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132581635578

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7520-b289h-tu...l/java/RntX.cab

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

 

 

WNF notes:

 

1. I noticed the following lines in the BFU log:

 

"Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)

Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)"

 

I could not find any files named "mc-" with any extension anywhere on the affected computer.

 

"Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Perflib_Perfdata_46c.dat (operation failed)

Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFBA9E.tmp (operation failed)"

 

I found the first file to see if I could manually delete it and went as far as "Are you sure you want to send 'XXXX.XXX' to the Recycle Bin?" It appeared as if it were going to let me do it. I could not find the second file anywhere.

 

2. The malware has set up at least one new user account, or group -- I'm not sure -- "Administrators," which may or may not be the one(s) controlling the desktop, control panel, task manager, etc. When I try to get into various parts of the system, I get "Access Denied" a lot. At one point, a window came up that said that the system was locked and under control of the administrator. It gave me the opportunity to access the administrator's account, but denied me when I didn't have the correct password.

 

This is probably something you've seen a lot. But it was new to me!


Oh yes, I was able to get rid of something with the Trend Micro AV scan. Here is the log:

 

Virus Scan Results:

 

Run: 6/28/2006 2:08:56 PM

 

Scanned:

Boot Sector

Boot Sector

All files, including those in archives, on all local hard drives

 

Results:

 

Found potential threat

In File: C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-74b2599d-6c8d0e29.zip\BlackBox.class

Name: JAVA_BYTEVER.AC

Results: File containing potential threat deleted successfully.

 

Files not scanned:

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG

C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_46c.dat

C:\Documents and Settings\Administrator\NTUSER.DAT

C:\Documents and Settings\Administrator\ntuser.dat.LOG

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3f5c463bc7fa7648ac74ef4eb7ca5df9_00d5b920-6ffd-439b-a2e1-f9df8a983e91

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5314f00bea62d4683d9436f8fca474a2_00d5b920-6ffd-439b-a2e1-f9df8a983e91

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5c9f5bd6a10426cae28ec0563461571b_00d5b920-6ffd-439b-a2e1-f9df8a983e91

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a583fb0c2a5247d9bcadf03cc8d33ae3_00d5b920-6ffd-439b-a2e1-f9df8a983e91

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG

C:\Documents and Settings\NetworkService\NTUSER.DAT

C:\Documents and Settings\NetworkService\ntuser.dat.LOG

C:\Documents and Settings\Owner\My Documents\S?mantec

C:\pagefile.sys

C:\System Volume Information

C:\WINDOWS\system32\config\default

C:\WINDOWS\system32\config\default.LOG

C:\WINDOWS\system32\config\SAM

C:\WINDOWS\system32\config\SAM.LOG

C:\WINDOWS\system32\config\SECURITY

C:\WINDOWS\system32\config\SECURITY.LOG

C:\WINDOWS\system32\config\software

C:\WINDOWS\system32\config\software.LOG

C:\WINDOWS\system32\config\system

C:\WINDOWS\system32\config\system.LOG

 

10994 Executables scanned

1595 Macros scanned

6935 Files inside archives scanned

25 Files that could not be scanned (files in use, encrypted archives, etc.)

224221 Total files scanned

 

WNF Notes:

 

1. I see that "C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_46c.dat" shows up again, this time not scanned. Should I just go out and delete it manually?

 

2. I've never seen this many files excluded from a scan before. Normally it's just C:\pagefile.sys and maybe one or two others. Is this normal? Or a sign of things that should be available to us that now aren't?


That's looking a LOT better. I think the problem was that Ewido had not been told to clean up; in that last log you ran it correctly, and it eliminated a lot of the trojans that were downloading malware to your system.

 

FYI, the BFU Alcanshorty log only shows me what it did NOT find on your system from a long list of known malware installed by the worm. And don't worry about the Trend files it didn't scan, that is normal.

 

Scan with HijackThis and checkmark this entry in the list:

 

O4 - HKLM\..\RunServices: [ÿ_zskVWQEUV] C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F\VUEQWV.exe

 

Then delete these folders (if found). If not found, they have already been removed by a prior cleaning step.

 

C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F

 

C:\Documents and Settings\Owner\My Documents\S?mantec (That question mark in the name is a wildcard letter, could be anything)

 

Then, please open HijackThis and instead of scan, choose *Open Misc Tools Section*

In the first section (Generate Startup List), please checkmark the two boxes to the right and then press the *Generate StartupList log* button


 

When it finishes, please press the *Save List* button and copy the results back here.

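Added example (not from the thread, HijackThis or Lavasoft): a small Python script that reads the "Autorun entries from Registry" sections of a StartupList report like the one requested above and flags entries whose value name or program path carries the kind of garbled characters seen in the RunServices line, so a helper can spot such an entry without eyeballing hundreds of lines. The report text embedded below is constructed from a handful of the lines in this thread, and the heuristics (non-ASCII value name, unusual path punctuation, oddly named system32 subfolder) are this example's own, not HijackThis rules.

```python
import re

# Constructed sample modelled on the StartupList report in the thread;
# only a few entries are kept, including the RunServices line under discussion.
SAMPLE_REPORT = """Autorun entries from Registry:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

Recguard = C:\\WINDOWS\\SMINST\\RECGUARD.EXE
NvCplDaemon = RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
QuickTime Task = "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices

\u00ff_zskVWQEUV = C:\\WINDOWS\\system32\\_zskwrkni05]^JUW_Y]F\\VUEQWV.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

AIM = C:\\Program Files\\AIM\\aim.exe -cnetwait.odl
"""

SECTION_HEADER = "Autorun entries from Registry:"
# Legal in NTFS names but practically never used by real installers.
UNUSUAL_PATH_CHARS = set("[]^;=`")


def parse_autorun_entries(report):
    """Return a list of (registry_key, value_name, command) tuples from the report."""
    entries = []
    for block in re.split(r"^-{10,}$", report, flags=re.MULTILINE):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2 or lines[0] != SECTION_HEADER:
            continue
        key = lines[1]
        for line in lines[2:]:
            if line.startswith("*"):  # "*No values found*", "*Registry key not found*"
                continue
            name, sep, command = line.partition(" = ")
            if sep:
                entries.append((key, name, command))
    return entries


def executable_path(command):
    """Best-effort extraction of the program path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicion_reasons(name, command):
    """Heuristic checks; an empty list means nothing odd was noticed."""
    reasons = []
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in name):
        reasons.append("value name contains control or non-ASCII characters")
    exe = executable_path(command)
    if any(c in UNUSUAL_PATH_CHARS or ord(c) > 0x7E for c in exe):
        reasons.append("program path contains characters rarely used by installers")
    parts = exe.split("\\")
    lowered = [p.lower() for p in parts]
    if "system32" in lowered:
        subfolders = parts[lowered.index("system32") + 1:-1]
        if any(not re.fullmatch(r"[A-Za-z0-9._-]+", sub) for sub in subfolders):
            reasons.append("program sits in an oddly named subfolder of system32")
    return reasons


def scan_report(report):
    """Return [(key, name, command, reasons)] for every entry with at least one reason."""
    flagged = []
    for key, name, command in parse_autorun_entries(report):
        reasons = suspicion_reasons(name, command)
        if reasons:
            flagged.append((key, name, command, reasons))
    return flagged


if __name__ == "__main__":
    for key, name, command, reasons in scan_report(SAMPLE_REPORT):
        print(f"{key}\n  {name!r} = {command}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run it against a real saved StartupList log by passing the file contents to scan_report(); it only reads the Registry autorun sections, so the services and LSP listings are ignored.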

CJ, here's what I did, based on your latest instructions:

 

1. Checked the box next to:

 

O4 - HKLM\..\RunServices: [ÿ_zskVWQEUV] C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F\VUEQWV.exe

 

Then I ran a scan immediately afterward. Guess what? It showed up again! I did the same thing once or twice more with the same result.

 

2. Went to C:\WINDOWS\system32\ and tried to delete:

 

C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F.

 

It wasn't there! I used Windows Explorer Search to look for all kinds of variations of its name throughout the entire system, but had no success. I then used Registry Magic to search for any entries with "vueq". It came up with two: one is obviously the same as the HJT scan entry; the second is located in:

 

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Software Explorers\Disabled RunKey\Run"

 

Does this mean that it has been disabled and/or removed by Windows Defender? What will happen if we manually delete the first registry entry?

 

3. While I couldn't find the above referenced file, I did find a number of suspicious files in C:\WINDOWS\system32\, all dated between 6/22/06, when all this started, and 6/27/06, when it became even worse. I'm going to try to paste a screen shot below so you can see what I mean.

 

4. Here is the HJT StartUp List Log:

 

StartupList report, 6/29/2006, 1:25:06 PM

StartupList version: 1.52.2

Started from : C:\Program Files\Hijackthis\HijackThis.EXE

Detected: Windows XP SP2 (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)

* Using default options

* Including empty and uninteresting sections

* Showing rarely important sections

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\system32\LxrJD31s.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]

*No files*

 

Shell folders AltStartup:

*Folder not found*

 

User shell folders Startup:

*Folder not found*

 

User shell folders AltStartup:

*Folder not found*

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Shortcut to taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe

 

Shell folders Common AltStartup:

*Folder not found*

 

User shell folders Common Startup:

*Folder not found*

 

User shell folders Alternate Common Startup:

*Folder not found*

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = c:\windows\system32\userinit.exe,

 

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

*Registry value not found*

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE

SunKistEM = C:\Program Files\Digital Media Reader\shwiconem.exe

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

nwiz = nwiz.exe /install

LVCOMSX = C:\WINDOWS\system32\LVCOMSX.EXE

Fix-It AV = C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide

!ewido = "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

 

ÿ_zskVWQEUV = C:\WINDOWS\system32\_zskwrkni05]^JUW_Y]F\VUEQWV.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

[OptionalComponents]

*No values found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

File association entry for .EXE:

HKEY_CLASSES_ROOT\exefile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .COM:

HKEY_CLASSES_ROOT\comfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .BAT:

HKEY_CLASSES_ROOT\batfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .PIF:

HKEY_CLASSES_ROOT\piffile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .SCR:

HKEY_CLASSES_ROOT\scrfile\shell\open\command

 

(Default) = "%1" /S

 

--------------------------------------------------

 

File association entry for .HTA:

HKEY_CLASSES_ROOT\htafile\shell\open\command

 

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

 

--------------------------------------------------

 

File association entry for .TXT:

HKEY_CLASSES_ROOT\txtfile\shell\open\command

 

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

 

--------------------------------------------------

 

Enumerating Active Setup stub paths:

HKLM\Software\Microsoft\Active Setup\Installed Components

(* = disabled by HKCU twin)

 

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

 

[>{26923b43-4d38-484f-9b9e-de460746276c}] *

StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

 

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *

StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

 

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub

 

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *

StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

 

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

 

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

 

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *

StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

 

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

 

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

 

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

 

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *

StubPath = regsvr32.exe /s /n /i:U shell32.dll

 

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *

StubPath = %SystemRoot%\system32\ie4uinit.exe

 

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *

StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

 

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

 

--------------------------------------------------

 

Enumerating ICQ Agent Autostart apps:

HKCU\Software\Mirabilis\ICQ\Agent\Apps

 

*Registry key not found*

 

--------------------------------------------------

 

Load/Run keys from C:\WINDOWS\WIN.INI:

 

load=*INI section not found*

run=*INI section not found*

 

Load/Run keys from Registry:

 

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry value not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

Checking for EXPLORER.EXE instances:

 

C:\WINDOWS\Explorer.exe: PRESENT!

 

C:\Explorer.exe: not present

C:\WINDOWS\Explorer\Explorer.exe: not present

C:\WINDOWS\System\Explorer.exe: not present

C:\WINDOWS\System32\Explorer.exe: not present

C:\WINDOWS\Command\Explorer.exe: not present

C:\WINDOWS\Fonts\Explorer.exe: not present

 

--------------------------------------------------

 

Checking for superhidden extensions:

 

.lnk: HIDDEN! (arrow overlay: yes)

.pif: HIDDEN! (arrow overlay: yes)

.exe: not hidden

.com: not hidden

.bat: not hidden

.hta: not hidden

.scr: not hidden

.shs: HIDDEN!

.shb: HIDDEN!

.vbs: not hidden

.vbe: not hidden

.wsh: not hidden

.scf: HIDDEN! (arrow overlay: NO!)

.url: HIDDEN! (arrow overlay: yes)

.js: not hidden

.jse: not hidden

 

--------------------------------------------------

 

Verifying REGEDIT.EXE integrity:

 

- Regedit.exe found in C:\WINDOWS

- .reg open command is normal (regedit.exe %1)

- Company name OK: 'Microsoft Corporation'

- Original filename OK: 'REGEDIT.EXE'

- File description: 'Registry Editor'

 

Registry check passed

 

--------------------------------------------------

 

Enumerating Browser Helper Objects:

 

*No BHO's found*

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

ISP signup reminder 3.job

MP Scheduled Scan.job

Norton AntiVirus - Scan my computer - Owner.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[PCPitstop Utility]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitstop.dll

CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

 

[Windows Genuine Advantage Validation Tool]

InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL

CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

 

[Microsoft PID Sniffer]

InProcServer32 = C:\WINDOWS\system32\odc.dll

CODEBASE = https://support.microsoft.com/OAS/ActiveX/odc.cab

 

[installShield Setup Player 2K2]

CODEBASE = http://host1.tcnet.tv/tcinstall/setup.exe

 

[Office Update Installation Engine]

InProcServer32 = C:\WINDOWS\opuc.dll

CODEBASE = http://office.microsoft.com/officeupdate/content/opuc2.cab

 

[symantec RuFSI Utility Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll

CODEBASE = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

 

[MUWebControl Class]

InProcServer32 = C:\WINDOWS\system32\muweb.dll

CODEBASE = http://update.microsoft.com/microsoftupdat...b?1132581635578

 

[HouseCall Control]

InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx

CODEBASE = http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

 

[Java Plug-in]

InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

 

[snapfish File Upload ActiveX Control]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\SnapfishUpload1407.ocx

CODEBASE = http://www.costcophotocenter.com/CostcoUpload.cab

 

[Crucial cpcScan]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\cpcScan.dll

CODEBASE = http://www.crucial.com/controls/cpcScanner.cab

 

[Java Plug-in]

InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

 

[Java Plug-in]

InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

 

[Java Plug-in 1.5.0_06]

InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

 

[Live Collaboration]

InProcServer32 = C:\WINDOWS\DOWNLO~1\RntX.dll

CODEBASE = https://livewc01.custhelp.com/7520-b289h-tu...l/java/RntX.cab

 

--------------------------------------------------

 

Enumerating Winsock LSP files:

 

NameSpace #1: C:\WINDOWS\System32\mswsock.dll

NameSpace #2: C:\WINDOWS\System32\winrnr.dll

NameSpace #3: C:\WINDOWS\System32\mswsock.dll

NameSpace #4: C:\WINDOWS\system32\pnrpnsp.dll

NameSpace #5: C:\WINDOWS\system32\pnrpnsp.dll

Protocol #1: C:\WINDOWS\system32\mswsock.dll

Protocol #2: C:\WINDOWS\system32\mswsock.dll

Protocol #3: C:\WINDOWS\system32\mswsock.dll

Protocol #4: C:\WINDOWS\system32\rsvpsp.dll

Protocol #5: C:\WINDOWS\system32\rsvpsp.dll

Protocol #6: C:\WINDOWS\system32\mswsock.dll

Protocol #7: C:\WINDOWS\system32\mswsock.dll

Protocol #8: C:\WINDOWS\system32\mswsock.dll

Protocol #9: C:\WINDOWS\system32\mswsock.dll

Protocol #10: C:\WINDOWS\system32\mswsock.dll

Protocol #11: C:\WINDOWS\system32\mswsock.dll

Protocol #12: C:\WINDOWS\system32\mswsock.dll

Protocol #13: C:\WINDOWS\system32\mswsock.dll

Protocol #14: C:\WINDOWS\system32\mswsock.dll

Protocol #15: C:\WINDOWS\system32\mswsock.dll

Protocol #16: C:\WINDOWS\system32\mswsock.dll

Protocol #17: C:\WINDOWS\system32\mswsock.dll

Protocol #18: C:\WINDOWS\system32\mswsock.dll

Protocol #19: C:\WINDOWS\system32\mswsock.dll

Protocol #20: C:\WINDOWS\system32\mswsock.dll

Protocol #21: C:\WINDOWS\system32\mswsock.dll

Protocol #22: C:\WINDOWS\system32\mswsock.dll

 

--------------------------------------------------

 

Enumerating Windows NT/2000/XP services

 

IPv6 Helper Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

abp480n5: system32\DRIVERS\ABP480N5.SYS (system)

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)

adpu160m: system32\DRIVERS\adpu160m.sys (system)

Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)

AFD: \SystemRoot\System32\drivers\afd.sys (system)

Intel AGP Bus Filter: system32\DRIVERS\agp440.sys (system)

Compaq AGP Bus Filter: system32\DRIVERS\agpCPQ.sys (system)

Aha154x: system32\DRIVERS\aha154x.sys (system)

aic78u2: system32\DRIVERS\aic78u2.sys (system)

aic78xx: system32\DRIVERS\aic78xx.sys (system)

Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)

Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)

AliIde: system32\DRIVERS\aliide.sys (system)

ALI AGP Bus Filter: system32\DRIVERS\alim1541.sys (system)

AMD AGP Bus Filter Driver: system32\DRIVERS\amdagp.sys (system)

AMD K7 Processor Driver: system32\DRIVERS\amdk7.sys (system)

amsint: system32\DRIVERS\amsint.sys (system)

Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

asc: system32\DRIVERS\asc.sys (system)

asc3350p: system32\DRIVERS\asc3350p.sys (system)

asc3550: system32\DRIVERS\asc3550.sys (system)

ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)

RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)

Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)

ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)

Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)

Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

BrSplService: C:\WINDOWS\system32\brsvc01a.exe (autostart)

Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

BrPar: \SystemRoot\System32\drivers\BrPar.sys (autostart)

cbidf: system32\DRIVERS\cbidf2k.sys (system)

Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)

cd20xrnt: system32\DRIVERS\cd20xrnt.sys (system)

CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)

cirrus: system32\DRIVERS\cirrus.sys (manual start)

Indexing Service: C:\WINDOWS\system32\cisvc.exe (autostart)

ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)

CmdIde: system32\DRIVERS\cmdide.sys (system)

Microsoft Composite Battery Driver: system32\DRIVERS\compbatt.sys (system)

COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)

Cpqarray: system32\DRIVERS\cpqarray.sys (system)

Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

dac2w2k: system32\DRIVERS\dac2w2k.sys (system)

dac960nt: system32\DRIVERS\dac960nt.sys (system)

DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)

DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Disk Driver: system32\DRIVERS\disk.sys (system)

Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)

dmboot: System32\drivers\dmboot.sys (disabled)

dmio: System32\drivers\dmio.sys (disabled)

dmload: System32\drivers\dmload.sys (disabled)

Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)

DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)

dpti2o: system32\DRIVERS\dpti2o.sys (system)

Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)

Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Event Log: %SystemRoot%\system32\services.exe (autostart)

COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)

ewido anti-spyware 4.0 driver: \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys (system)

ewido anti-spyware 4.0 guard: C:\Program Files\ewido anti-spyware 4.0\guard.exe (autostart)

Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Fax: %systemroot%\system32\fxssvc.exe (autostart)

Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)

Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)

FltMgr: system32\DRIVERS\fltMgr.sys (system)

Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)

GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)

Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)

Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

HID UPS Battery Driver: system32\DRIVERS\HidBatt.sys (manual start)

Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)

hpn: system32\DRIVERS\hpn.sys (system)

HSFHWBS2: system32\DRIVERS\HSFHWBS2.sys (manual start)

HSF_DP: system32\DRIVERS\HSF_DP.sys (manual start)

HSF_DPV: system32\DRIVERS\HSF_DPV.sys (manual start)

HTTP: System32\Drivers\HTTP.sys (manual start)

HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)

i2omp: system32\DRIVERS\i2omp.sys (system)

i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)

InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)

CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)

IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)

ini910u: system32\DRIVERS\ini910u.sys (system)

IntelIde: system32\DRIVERS\intelide.sys (system)

IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)

IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)

IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)

IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)

iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)

RIP Listener: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

IPSEC driver: system32\DRIVERS\ipsec.sys (system)

IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)

PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)

Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)

Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)

Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)

Logitech USB Monitor Filter: system32\drivers\lvusbsta.sys (manual start)

LxrJD31d: \??\C:\WINDOWS\system32\Drivers\LxrJD31d.sys (autostart)

Lexar JD31: LxrJD31s.exe (autostart)

mdmxsdk: system32\DRIVERS\mdmxsdk.sys (autostart)

Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)

NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)

Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)

Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)

mraid35x: system32\DRIVERS\mraid35x.sys (system)

WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)

MRXSMB: system32\DRIVERS\mrxsmb.sys (system)

Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)

Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)

Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)

Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)

Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)

Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)

Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)

Macronix MX987xx Family Fast Ethernet NT Driver: system32\DRIVERS\mxnic.sys (manual start)

NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)

Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)

Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)

NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)

Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)

NetBIOS Interface: system32\DRIVERS\netbios.sys (system)

NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)

Network DDE: %SystemRoot%\system32\netdde.exe (disabled)

Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)

Net Logon: %SystemRoot%\system32\lsass.exe (manual start)

Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)

Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

nv: system32\DRIVERS\nv4_mini.sys (manual start)

Service for NVIDIA® nForce Audio Enumerator: system32\drivers\nvax.sys (manual start)

NVIDIA nForce Networking Controller Driver: system32\DRIVERS\NVENETFD.sys (manual start)

NVIDIA Network Bus Enumerator: system32\DRIVERS\nvnetbus.sys (manual start)

Service for NVIDIA® nForce Audio: system32\drivers\nvapu.sys (manual start)

NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)

NVIDIA nForce AGP Bus Filter: system32\DRIVERS\nv_agp.sys (system)

IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)

IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)

Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)

Peer Networking Group Authentication: %SystemRoot%\system32\svchost.exe -k p2psvc (manual start)

Peer Networking Identity Manager: %SystemRoot%\system32\svchost.exe -k p2psvc (manual start)

Peer Networking: %SystemRoot%\system32\svchost.exe -k p2psvc (manual start)

Intel PentiumIII Processor Driver: system32\DRIVERS\p3.sys (system)

Parallel port driver: system32\DRIVERS\parport.sys (manual start)

PCI Bus Driver: system32\DRIVERS\pci.sys (system)

PCIIde: system32\DRIVERS\pciide.sys (system)

perc2: system32\DRIVERS\perc2.sys (system)

perc2hib: system32\DRIVERS\perc2hib.sys (system)

Logitech QuickCam Pro 3000(PID_08B1): system32\DRIVERS\CamDrL20.sys (manual start)

Plug and Play: %SystemRoot%\system32\services.exe (autostart)

Peer Name Resolution Protocol: %SystemRoot%\system32\svchost.exe -k p2psvc (manual start)

IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)

WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)

PrismXL: C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (manual start)

Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)

QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)

Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)

ql1080: system32\DRIVERS\ql1080.sys (system)

Ql10wnt: system32\DRIVERS\ql10wnt.sys (system)

ql12160: system32\DRIVERS\ql12160.sys (system)

ql1240: system32\DRIVERS\ql1240.sys (system)

ql1280: system32\DRIVERS\ql1280.sys (system)

Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)

Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)

Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)

Direct Parallel: system32\DRIVERS\raspti.sys (manual start)

Rdbss: system32\DRIVERS\rdbss.sys (system)

RDPCDD: System32\DRIVERS\RDPCDD.sys (system)

Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)

Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)

Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)

Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)

Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)

Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)

QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)

Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)

Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)

Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Secdrv: system32\DRIVERS\secdrv.sys (autostart)

Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)

Serial port driver: system32\DRIVERS\serial.sys (system)

Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Simple TCP/IP Services: %SystemRoot%\system32\tcpsvcs.exe (autostart)

SIS AGP Bus Filter: system32\DRIVERS\sisagp.sys (system)

BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)

Acronis Snapshots Manager: system32\DRIVERS\snapman.sys (system)

SNMP Service: %SystemRoot%\System32\snmp.exe (manual start)

SNMP Trap Service: %SystemRoot%\System32\snmptrap.exe (manual start)

Sparrow: system32\DRIVERS\sparrow.sys (system)

Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)

Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)

System Restore Filter Driver: \SystemRoot\system32\DRIVERS\sr.sys (disabled)

System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Srv: system32\DRIVERS\srv.sys (manual start)

SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)

Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)

BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)

Alcor Micro Corp Reader: \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys (manual start)

Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)

Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)

MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{63C33B1B-E9A2-4399-8C21-F59FA31488FA} (manual start)

symc810: system32\DRIVERS\symc810.sys (system)

symc8xx: system32\DRIVERS\symc8xx.sys (system)

sym_hi: system32\DRIVERS\sym_hi.sys (system)

sym_u3: system32\DRIVERS\sym_u3.sys (system)

Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)

Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)

SystemSuite Task Manager: C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe -Service (autostart)

Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)

Microsoft IPv6 Protocol Driver: system32\DRIVERS\tcpip6.sys (system)

Terminal Device Driver: system32\DRIVERS\termdd.sys (system)

Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)

Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

tmpreflt: \??\C:\PROGRA~1\VCOM\SYSTEM~1\tmpreflt.sys (autostart)

tmxpflt: \??\C:\PROGRA~1\VCOM\SYSTEM~1\tmxpflt.sys (autostart)

TosIde: system32\DRIVERS\toside.sys (system)

Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Microsoft Tun Miniport Adapter Driver: system32\DRIVERS\tunmp.sys (manual start)

ultra: system32\DRIVERS\ultra.sys (system)

Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)

Microcode Update Driver: system32\DRIVERS\update.sys (manual start)

Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)

Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)

USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)

Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)

Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)

Microsoft USB Standard Hub Driver: system32\DRIVERS\usbhub.sys (manual start)

Microsoft USB Open Host Controller Miniport Driver: system32\DRIVERS\usbohci.sys (manual start)

Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)

USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)

USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)

Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)

VgaSave: \SystemRoot\System32\drivers\vga.sys (system)

VIA AGP Bus Filter: system32\DRIVERS\viaagp.sys (system)

ViaIde: system32\DRIVERS\viaide.sys (system)

Vsapint: \??\C:\PROGRA~1\VCOM\SYSTEM~1\Vsapint.sys (autostart)

Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)

Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)

Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)

WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)

winachsf: system32\DRIVERS\HSF_CNXT.sys (manual start)

Windows Defender Service: "C:\Program Files\Windows Defender\MsMpEng.exe" (autostart)

Windows Overlay Components: C:\WINDOWS\aqezhvw.exe (disabled)

Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)

Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)

Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)

Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)

Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)

Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

 

 

--------------------------------------------------

 

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

 

Windows NT checkdisk command:

BootExecute = autocheck autochk *

 

Windows NT 'Wininit.ini':

PendingFileRenameOperations: *Registry value not found*

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\system32\webcheck.dll

SysTray: C:\WINDOWS\system32\stobject.dll

UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

 

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

*Registry key not found*

 

--------------------------------------------------

 

End of report, 38,677 bytes

Report generated in 0.141 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history onl

 

- end -


Here's that screen shot, if it works.....

 

post-4856-1151612126_thumb.jpg


Thanks for the screenshot :wub:

 

Ewido deleted the offending file:

C:\WINDOWS\system32\_zskwrkni05YTWFESJ]_VUT^MYZ.exe -> Proxy.Agent.km : Cleaned with backup (quarantined).

 

So that's why it's not there. I suspect some security program blocking changes to the registry is why the entry keeps coming back in HJT. Make sure that if anything pops up on alert after *fixing* that item in HijackThis, you choose to "allow" rather than block that change.

....................................

This infection drops a bunch of "garbage" files 1 - 2 kb in size that are "fake" malware for the rogue scanner to "find". The scanners will detect and delete everything, but those harmless files are not detected. From your screen shot, it is ok to delete these from the System32 folder:

 

zlbw.dll 46.kb

taskdir~.exe 10kb

winrknj 0

2.txt 0

1.txt 0

winsub.xml 1kb

svcp.csv 1kb

vx.tll 1kb

dlh9jkdq8.exe 3kb

dlh9jkdq1.exe 1kb

d3d8caps.dat 1kb

msnav32.ax 1kb

key.~ 1kb

nt68rrtc12.sys 1kb

bang-006.ico 10kb

VSL05.exe 48kb

zxdnt3d.cfg 1kb

 

 

And any of these, if found (some have already been deleted). Some are in the Windows folder, some are in the System32 folder and are already listed above:

2006-06-22 16:59:02 143360 ( A.... ) "C:\WINDOWS\ms061878-53406.exe"

2006-06-22 16:41:14 32768 ( A.... ) "C:\WINDOWS\tbggdhbu.exe"

2006-06-22 16:40:26 1392640 ( A.... ) "C:\WINDOWS\cfg32a.exe"

2006-06-22 16:38:58 928 ( A.... ) "C:\WINDOWS\system32\nt68rrtc12.sys"

2006-06-22 16:38:58 928 ( A.... ) "C:\WINDOWS\system32\nt68rrtc12.sys"

2006-06-22 16:38:46 20480 ( A.... ) "C:\stub_sca3.exe"

2006-06-22 16:38:44 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"

2006-06-22 16:38:38 174669 ( A.... ) "C:\WINDOWS\srvdijtuly.exe"

2006-06-22 16:38:04 45056 ( A.... ) "C:\wd7gi8n.exe"

2006-06-22 16:37:56 129649 ( A.... ) "C:\WINDOWS\elpp100drop.exe"

2006-06-22 16:37:52 175362 ( A.... ) "C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe"

2006-06-22 16:37:46 319294 ( A.... ) "C:\WINDOWS\YOINSI.exe"

2006-06-22 16:37:30 234248 ( A.... ) "C:\WINDOWS\Tagasuarus2.exe"

2006-06-22 16:31:52 13373 ( A.... ) "C:\mx.exe"

 

2006-06-27 11:23:00 2 ( A.... ) "C:\WINDOWS\system32\maxd641.exe"

2006-06-27 10:43:14 46592 ( A.... ) "C:\WINDOWS\system32\zlbw.dll"

2006-06-27 10:42:44 9266 ( A.... ) "C:\WINDOWS\system32\taskdir~.exe"

2006-06-27 10:42:30 35952 ( A.... ) "C:\WINDOWS\system32\vxgame2.exe"

2006-06-27 10:42:30 35952 ( A.... ) "C:\WINDOWS\system32\_zskwrkni05YTWFESJ]_VUT^MYZ.exe"

2006-06-27 10:42:30 22528 ( A.... ) "C:\WINDOWS\system32\vxgame1.exe"

2006-06-27 10:41:56 1510595 ( A.... ) "C:\Documents and Settings\Owner\Application Data\Install.dat"

2006-06-27 10:41:52 17894 ( A.... ) "C:\WINDOWS\xpupdate.exe"

2006-06-27 10:41:52 6630 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq5.exe"

2006-06-27 10:41:50 2518 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq1.exe"

2006-06-27 10:41:50 15 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq8.exe"

2006-06-27 10:41:44 7792 ( A.... ) "C:\WINDOWS\system32\kernels8.exe"

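The two date-sorted listings above (6/22 and 6/27) are the kind of thing a responder reads by hand. As an added example that is not part of this thread or of any tool mentioned in it, here is a small Python triage script over a constructed subset of those lines. It parses the `timestamp size ( attrs ) "path"` format the helper pasted, drops the repeated line, groups files into bursts of writes (a dropper lands its payload within minutes), and flags the tiny decoy-sized files the helper describes. The 10-minute burst gap and the 2 KB size cutoff are assumptions, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line per file, in the format the helper pasted: timestamp, size in
# bytes, attribute flags, quoted full path. Constructed sample: a subset of
# the lines from the thread, including its duplicated nt68rrtc12.sys entry.
SAMPLE_LISTING = r"""
2006-06-22 16:59:02 143360 ( A.... ) "C:\WINDOWS\ms061878-53406.exe"
2006-06-22 16:41:14 32768 ( A.... ) "C:\WINDOWS\tbggdhbu.exe"
2006-06-22 16:38:58 928 ( A.... ) "C:\WINDOWS\system32\nt68rrtc12.sys"
2006-06-22 16:38:58 928 ( A.... ) "C:\WINDOWS\system32\nt68rrtc12.sys"
2006-06-22 16:38:44 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"
2006-06-22 16:31:52 13373 ( A.... ) "C:\mx.exe"
2006-06-27 11:23:00 2 ( A.... ) "C:\WINDOWS\system32\maxd641.exe"
2006-06-27 10:43:14 46592 ( A.... ) "C:\WINDOWS\system32\zlbw.dll"
2006-06-27 10:42:30 35952 ( A.... ) "C:\WINDOWS\system32\vxgame2.exe"
2006-06-27 10:41:50 15 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq8.exe"
2006-06-27 10:41:44 7792 ( A.... ) "C:\WINDOWS\system32\kernels8.exe"
"""

LISTING_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<size>\d+) '
    r'\( (?P<attrs>[A-Za-z.]+) \) '
    r'"(?P<path>[^"]+)"$'
)


def parse_listing(text):
    """Parse listing lines into dicts, oldest first; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LISTING_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "when": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "size": int(m.group("size")),
            "attrs": m.group("attrs"),
            "path": m.group("path"),
        })
    return sorted(entries, key=lambda e: (e["when"], e["path"]))


def dedupe(entries):
    """Drop exact repeats (same path and timestamp), like the doubled nt68rrtc12.sys line."""
    seen, out = set(), []
    for e in entries:
        key = (e["path"].lower(), e["when"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def tiny_files(entries, max_bytes=2048):
    """Files at or below max_bytes: the 1-2 KB decoys the helper describes (cutoff is an assumption)."""
    return [e for e in entries if e["size"] <= max_bytes]


def group_by_day(entries):
    """Bucket entries by calendar day, which is what the poster's manual date search did."""
    days = defaultdict(list)
    for e in entries:
        days[e["when"].strftime("%Y-%m-%d")].append(e)
    return dict(days)


def burst_windows(entries, gap=timedelta(minutes=10)):
    """Cluster entries whose mtime is within `gap` of the previous one (gap is an assumption)."""
    bursts = []
    for e in sorted(entries, key=lambda x: x["when"]):
        if bursts and e["when"] - bursts[-1][-1]["when"] <= gap:
            bursts[-1].append(e)
        else:
            bursts.append([e])
    return bursts


def triage(text):
    """Parse, dedupe and summarise a pasted listing in one call."""
    entries = dedupe(parse_listing(text))
    return {
        "entries": entries,
        "tiny": tiny_files(entries),
        "bursts": burst_windows(entries),
        "days": group_by_day(entries),
    }


if __name__ == "__main__":
    for burst in triage(SAMPLE_LISTING)["bursts"]:
        first, last = burst[0]["when"], burst[-1]["when"]
        print(f"{first:%Y-%m-%d %H:%M:%S} .. {last:%H:%M:%S}  {len(burst)} file(s)")
        for e in burst:
            flag = "  decoy-sized" if e["size"] <= 2048 else ""
            print(f"    {e['size']:>8}  {e['path']}{flag}")
```

Reading the bursts rather than the raw list is the point: on this sample the files written within a few minutes of each other on each day stand out as one event, and the decoy-sized entries (including the 2-byte maxd641.exe that later turned out to be "all of 2 bytes") are flagged without having to eyeball sizes.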

I was able to delete some of the files but not all of them. In most cases, if I wasn't able to delete them, it was because I couldn't find them anywhere on the system. There was one notable exception.

 

The files I was able to delete were these:

 

zlbw.dll 46.kb

taskdir~.exe 10kb

winrknj 0

2.txt 0

1.txt 0

winsub.xml 1kb

svcp.csv 1kb

vx.tll 1kb

dlh9jkdq8.exe 3kb

dlh9jkdq1.exe 1kb

d3d8caps.dat 1kb

msnav32.ax 1kb

key.~ 1kb

nt68rrtc12.sys 1kb

bang-006.ico 10kb

VSL05.exe 48kb

zxdnt3d.cfg 1kb

 

2006-06-22 16:38:38 174669 ( A.... ) "C:\WINDOWS\srvdijtuly.exe"

2006-06-22 16:37:56 129649 ( A.... ) "C:\WINDOWS\elpp100drop.exe"

2006-06-22 16:37:52 175362 ( A.... ) "C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe"

2006-06-22 16:37:46 319294 ( A.... ) "C:\WINDOWS\YOINSI.exe"

2006-06-22 16:37:30 234248 ( A.... ) "C:\WINDOWS\Tagasuarus2.exe"

2006-06-27 10:41:56 1510595 ( A.... ) "C:\Documents and Settings\Owner\Application Data\Install.dat"

2006-06-27 10:41:50 2518 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq1.exe"

2006-06-27 10:41:50 15 ( A.... ) "C:\WINDOWS\system32\dlh9jkdq8.exe"

 

 

The one notable exception was "C:\Windows\system32\maxd641.exe." I found it, but when I tried to delete it, I got the "Cannot delete 'maxd641.exe'. It is being used by another person or program" message. I tried again to pull up Task Manager, to see if I could get any clues there, but it's still being blocked.


Another thing I did was to search for files that were modified on 6/22 and 6/27, the two days when most of the damage seems to have taken place. I captured some screens of those searches. I hope they may be of some help. Thank you.

 

 

post-4856-1151706362_thumb.jpg
post-4856-1151706440_thumb.jpg
post-4856-1151706469_thumb.jpg
post-4856-1151706492_thumb.jpg
post-4856-1151706519_thumb.jpg
post-4856-1151706547_thumb.jpg
post-4856-1151706577_thumb.jpg
post-4856-1151706605_thumb.jpg


There is too much junk in there that needs cleaning out first, and visual inspection of screen shots doesn't tell me much about files. There are good ones in there mixed in with bad ones, mixed in with garbage files and junk in the quarantines of various programs.

 

maxd641.exe <---upload that file as instructed below:

 

Go here to upload the files as attachments

http://www.thespykiller.co.uk/forum/index.php?board=1.0

Just press new topic (Make the subject: For CalamityJane from at LS ),

fill in a short message, then press the browse button and navigate to and select these files on your computer. If there is more than one file, press the more attachments button for each extra file and browse and select it. When all the files are listed in the window, press Post to upload the files.

 

Files to upload:

 

C:\Windows\system32\maxd641.exe

 

(Do not post HJT logs there as they will not get dealt with)

 

You DO NOT need to be a member to upload; anybody can upload the files.

 

You will not see the files that have been uploaded as they only show to the authorized users who can download them

................

Then, do some cleanup.

 

For each program you used for cleaning (Adaware, Ewido, Vcom, etc.), empty the quarantines for all of them.

 

Next: Navigate to C:\Windows\Temp

Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

 

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp

Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

 

Clean out your Temporary Internet files.

  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

 

Then do your searches, that should cut down the junk considerably.

 

Also, have you updated and scanned again with Adaware after getting the June 28th reference file (updates)? If not, you need to do that.


Thanks for trying to upload the file. It came in empty (0 bytes) so either your AV or firewall blocked the uploaded file.

 

 

Please download the Killbox by Option^Explicit.

http://www.downloads.subratam.org/KillBox.zip

 

Unzip/Extract the contents to your desktop

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

(Be prepared for a reboot at the end of this step)

 

1. Open Killbox by clicking on Killbox.exe

 

2. Select *Delete on Reboot* in the first column

 

DeleteOnReboot.gif

 

3. In the white box under "Full Path of file to delete" copy & paste the following line:

 

C:\Windows\system32\maxd641.exe

 

4. Press the red button with a white x in it

 

5. When asked if you want to reboot now, choose *yes*

 

Note: Backups will be stored in the following directory created on the Hard-drive (usually C):

C:\!KillBox

 

6. After the reboot, navigate to the Killbox backup folder:

C:\!KillBox

 

a. Right-click the file or folder

 

b. Point to Send To

 

c. Then click Compressed (zipped) Folder

 

This will make a compressed folder, identified by a zipper icon, which displays the same name as the file you compressed.

C:\!KillBox.zip

 

7. Encrypt the zip file with a password of: infected

To password protect the contents of a compressed folder:

1. Double-click the compressed folder that you want to password protect.

2. On the File menu, click Add a Password.

3. In the Password box, type the password that you want to use (infected). Type the same password in the Confirm Password box, and then click OK.

 

8. Go here to upload the files as attachment as you did before...just press *reply* to your topic and add the file: http://www.thespykiller.co.uk/forum/index.php?topic=2004.0

 

C:\!KillBox.zip


Well, got the file. It was all of 2 bytes :) So it has either been nuked or was one of those garbage "fake" files. But it's gone now. You can delete the !Killbox folder and the zip file you created.


I. Here's the last Log of HJT I ran:

 

Logfile of HijackThis v1.99.1

Scan saved at 12:57:25 PM, on 7/3/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\system32\LxrJD31s.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - Global Startup: Shortcut to taskmgr.exe.lnk = C:\WINDOWS\system32\taskmgr.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886} (InstallShield Setup Player 2K2) - http://host1.tcnet.tv/tcinstall/setup.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

 

http://update.microsoft.com/microsoftupdat...b?1132581635578

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

 

http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7520-b289h-tu...l/java/RntX.cab

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

 

 

 

II. Here's the last Ewido scan I ran:

 

---------------------------------------------------------

ewido anti-spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 4:55:35 PM 7/3/2006

 

+ Scan result:

 

 

 

HKU\S-1-5-21-2237693894-1415581680-2428159654-1003\Software\Microsoft\Internet Explorer\Keywords -> Adware.CoolWebSearch : Cleaned with backup (quarantined).

 

 

::Report end

 

 

 

III. Here are some problems I am still having with this computer:

 

1. No Desktop. It's just a blank screen - no wallpaper, no icons - with the Start Button, Quick Start, Task Bar and SysTray at the bottom.

 

2. Right-clicking in the DeskTop area produces nothing - no context menu items or anything.

 

3. In Control Panel>Display>Desktop, I can't change the background. I can't even get the slider bar to move up or down. I do seem to be able to make changes in other areas of Display Properties, although I'm reluctant to make too many changes in there, just to see if they work.

 

3. Until sometime yesterday or the day before, I wasn't able to access Windows Task Manager. Normally, I have it come up as a startup item so I can keep a little better track of what's going on in the system. But when all these infections started, it wouldn't start at boot up; nor would it start by right-clicking the Task Bar. When I tried to right-click there to try to start it, a message would pop up, "Task Manager has been disabled by the System Administrator," or something like that. I finally searched the registry and found an entry that said "disable Task Mgr". I deleted it and Task Mgr came back. However, there still are a whole bunch of things I'm not allowed access to, e.g. "System Volume Information." It's pretty obvious to me that something has gotten into the registry and messed it up. I don't know how extensive it is, nor do I know how to fix it.

 

4. I still get the "You do not have the DEBUG privilege, which is required to run this program," when I try to run LISTDLLS.EXE from SysInternals.

 

5. The programs we've been using, while they've cleaned up a lot, still seem to be missing things. Some suspicious files I've found just by nosing around manually:

 

c:\windows\zabstract\asi5aff.bsx

c:\windows\zabstract\bspace.html

c:\windows\zabstract\mygeek3.bsx

c:\windows\zabstract\spz5.bsx

c:\windows\zabstract\asi_spec.bsx

 

c:\program files\common files\microsoft shared\web folders\ibm00001.dll

c:\program files\common files\microsoft shared\web folders\ibm00001.exe

 

c:\windows\inet20026\mm.pid

 

There's probably a lot more, but I don't know how to find them and differentiate what's good from bad, or how to get rid of them without messing something else up.

 

Are there other things we can do, programs we can download and run, etc.?

At what point can I dare rehook this system back up to the internet and try some of the online tools?

 

As always, any help you can give is greatly appreciated.
