Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

I'm Having Alot of Problems with removing WinAntivirus 2006! P

Started by DonP , Nov 08 2006 06:32 PM

  • Please log in to reply

#1
DonP
Posted 08 November 2006 - 06:32 PM

DonP

    Member

  • Member
  • PipPip
  • 12 posts
I have followed all of the suggested steps for removing malicious software but it's still there.

This is the report log for AVG Anti-spyware.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:22:54 PM 11/8/2006

+ Scan result:



C:\Program Files\Common Files\{14F261BD-0BB0-1033-1221-051229050001}\Update.exe -> Adware.Softomate : No action taken.
C:\Program Files\Common Files\{14F261BD-0BB0-1033-1221-051229050001}\services.dll -> Adware.Softomate : No action taken.
C:\WINDOWS\system32\ishost.exe -> Downloader.Zlob.avb : No action taken.
C:\WINDOWS\system32\ismini.exe -> Downloader.Zlob.avb : No action taken.
:mozilla.117:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.60:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.61:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.62:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Guest\Cookies\guest@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
:mozilla.118:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.128:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Guest\Cookies\guest@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
:mozilla.93:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.94:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.95:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.96:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Guest\Cookies\guest@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
:mozilla.82:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.101:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\Guest\Cookies\guest@casalemedia[1].txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.149:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Coremetrics : No action taken.
:mozilla.17:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.28:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.29:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.30:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.31:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.32:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Guest\Cookies\guest@fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.103:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.126:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.23:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.51:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.52:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.53:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.54:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.55:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.56:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.57:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.58:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.59:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\Guest\Cookies\guest@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.65:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.66:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.67:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Guest\Cookies\guest@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.38:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Revenue : No action taken.
:mozilla.39:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Revenue : No action taken.
:mozilla.40:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Revenue : No action taken.
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Revenue : No action taken.
C:\Documents and Settings\Guest\Cookies\guest@revenue[1].txt -> TrackingCookie.Revenue : No action taken.
:mozilla.83:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.84:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.85:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.86:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.89:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.90:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Guest\Cookies\guest@statcounter[1].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt -> TrackingCookie.Tracking101 : No action taken.
:mozilla.130:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.131:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.132:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.133:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.134:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.135:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.136:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\Guest\Cookies\guest@trafficmp[2].txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.41:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Guest\Cookies\guest@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Guest\Cookies\guest@valueclick[1].txt -> TrackingCookie.Valueclick : No action taken.
:mozilla.42:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.43:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.44:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\WINDOWS\temp\win124.tmp.exe -> Trojan.Dialer.qs : No action taken.
C:\WINDOWS\temp\win1AE.tmp.exe -> Trojan.Dialer.qs : No action taken.
C:\System Volume Information\_restore{7420FD96-6C8F-4069-B959-922421B1340A}\RP499\A0190604.exe -> Worm.Krepper.c : No action taken.
C:\System Volume Information\_restore{7420FD96-6C8F-4069-B959-922421B1340A}\RP499\A0190605.exe -> Worm.Krepper.c : No action taken.
C:\System Volume Information\_restore{7420FD96-6C8F-4069-B959-922421B1340A}\RP499\A0190606.exe -> Worm.Krepper.c : No action taken.
C:\System Volume Information\_restore{7420FD96-6C8F-4069-B959-922421B1340A}\RP499\A0190607.exe -> Worm.Krepper.c : No action taken.
C:\System Volume Information\_restore{7420FD96-6C8F-4069-B959-922421B1340A}\RP499\A0190608.exe -> Worm.Krepper.c : No action taken.


::Report end




The following is the Panda ActiveScan Log.

Incident Status Location

Adware:Adware/Adservice Not disinfected C:\WINDOWS\system32\drvsev.dll
Adware:adware/pornmagpass Not disinfected c:\windows\system32\ishost.exe
Adware:adware/emediacodec Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\VundoFix\VundoFix\process.exe
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Don Juan\Cookies\don juan@888[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Don Juan\Cookies\don [email protected][1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Don Juan\Cookies\don juan@adultfriendfinder[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Don Juan\Cookies\don juan@atdmt[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Don Juan\Cookies\don juan@azjmp[2].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Don Juan\Cookies\don juan@clickbank[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Don Juan\Cookies\don [email protected][1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Don Juan\Cookies\don [email protected][1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Don Juan\Cookies\don juan@toplist[1].txt
Adware:Adware/Adservice Not disinfected C:\Documents and Settings\Don Juan\Local Settings\Temp\mst2B7.tmp
Adware:Adware/Adservice Not disinfected C:\Documents and Settings\Don Juan\Local Settings\Temp\win2B5.tmp.exe
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Don Juan\Local Settings\Temp\win2B8.tmp.exe
Possible Virus. Not disinfected C:\Documents and Settings\Don Juan\Local Settings\Temp\win2BA.tmp.exe
Adware:Adware/Adservice Not disinfected C:\Documents and Settings\Don Juan\Local Settings\Temporary Internet Files\Content.IE5\CHA7W12N\antzom[1].exe
Possible Virus. Not disinfected C:\Documents and Settings\Don Juan\Local Settings\Temporary Internet Files\Content.IE5\CLCDEFMN\l11[1].exe
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Don Juan\Local Settings\Temporary Internet Files\Content.IE5\OTAJSD2R\mulbin32[1].exe
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.2o7.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\q9kr20kv.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Guest\Cookies\guest@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Guest\Cookies\guest@adtech[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Guest\Cookies\guest@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Guest\Cookies\guest@casalemedia[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Guest\Cookies\guest@fastclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Guest\Cookies\guest@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Guest\Cookies\guest@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Guest\Cookies\guest@realmedia[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Guest\Cookies\guest@revenue[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Guest\Cookies\guest@statcounter[1].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Guest\Cookies\guest@tickle[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Guest\Cookies\guest@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Guest\Cookies\guest@tribalfusion[2].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Guest\Cookies\guest@valueclick[1].txt
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{14F261BD-0BB0-1033-1221-051229050001}\services.dll
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{14F261BD-0BB0-1033-1221-051229050001}\Update.exe


The following is the HiJackThis Scan Log.


Logfile of HijackThis v1.99.1
Scan saved at 7:09:41 PM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Binnsware, Inc\KaBoom! Popup Blocker\IEAgent.exe
C:\Program Files\Binnsware, Inc\KaBoom! Popup Blocker\IEAgentSvc.exe
C:\Program Files\DAP\DAP.exe
C:\Documents and Settings\Don Juan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13CC1242-D483-91CC-E8E0-0590D8DD8ECE} - C:\WINDOWS\system32\epsyzbn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsev.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SpeedOptimizer] C:\PROGRA~1\SPEEDO~1\SPO.EXE -s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: KaBoom! Popup Blocker.lnk = C:\Program Files\Binnsware, Inc\KaBoom! Popup Blocker\IEAgent.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1149528968921
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhoq32 - C:\WINDOWS\SYSTEM32\winhoq32.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IEAgentSvc - Binns and Company Software, Inc. - C:\Program Files\Binnsware, Inc\KaBoom! Popup Blocker\IEAgentSvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



The following is the HiJackThis Uninstall log.

ABBYY FineReader 6.0 Sprint
Adobe Reader 7.0.8
APC PowerChute Personal Edition
Apple Software Update
ArcSoft Software Suite
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATI Problem Report Wizard
AVG Anti-Spyware 7.5
AVG Free Edition
Battle.net
BitComet 0.70
CH Control Manager
Diablo
Download Accelerator Plus (DAP)
Far Cry
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
IsoBuster 1.9.1
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Lexmark 2300 Series
Lexmark Fax Solutions
LimeWire PRO 4.12.3
Macromedia Flash Player 8
Macromedia Shockwave Player
Mailinfo for Outlook Express
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Flight Simulator X
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office FrontPage 2003
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Visio Professional 2003
Microsoft Visual C++ 2005 Redistributable
MSN Music Assistant
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 Parser and SDK
Nero 7 Demo
NETGEAR WG111 Software
NVIDIA Drivers
O&O Defrag Professional Edition
Panda ActiveScan
QuickTime
RealPlayer
Realtek AC'97 Audio
Registry Mechanic 5.0
Rhapsody Player Engine
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
SpeedOptimizer
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
VIA Platform Device Manager
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Safety Scanner
Windows Live Sign-in Assistant
Windows Media Connect
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
ZoneAlarm Pro
  • 0

Advertisements

#2
Noviciate
Posted 10 November 2006 - 02:52 PM

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
Rename your copy of hijackthis.exe to friday.exe and post a fresh log run in Normal Mode. It's possible that this nasty is interfering with the normal working of HJT in order to hide itself and renaming the .exe will get around this.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Download SmitfraudFix.zip by S!Ri from here and save it to your Desktop.
You will then need to extract the files.
To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish

2) Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Press "1" and then <ENTER> to start the search process.
When the search has completed, a text file, rapport.txt, will open with the results in - Copy and paste this report into your next reply.

A copy of the report can be found in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.
For most, this file can be found by double-clicking My Computer and then Local Disk (C:)

IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm
  • 0

#3
DonP
Posted 10 November 2006 - 04:07 PM

DonP

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I have followed your instructions and renamed HiJackThis to friday.exe and ran another scan. I have also downloaded SmitfraudFix and ran a search only.


Here is the fresh scan log for HiJackThis (friday.exe):

Logfile of HijackThis v1.99.1
Scan saved at 4:59:24 PM, on 11/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\DAP\DAP.exe
C:\Documents and Settings\Don Juan\Desktop\friday.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13CC1242-D483-91CC-E8E0-0590D8DD8ECE} - C:\WINDOWS\system32\epsyzbn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsev.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1149528968921
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhoq32 - winhoq32.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Here is the log for rapport.txt:

SmitFraudFix v2.120

Scan done at 17:00:38.53, Fri 11/10/2006
Run from C:\Documents and Settings\Don Juan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Don Juan


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Don Juan\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DONJUA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#4
Noviciate
Posted 10 November 2006 - 04:42 PM

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
Download VundoFix.exe by Atribune from here and save it to your desktop.
  • Close all open programs and windows as this may require a reboot.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove - in this case, VundoFix will run on reboot - simply repeat the above instructions.
  • 0

#5
DonP
Posted 10 November 2006 - 11:45 PM

DonP

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I have downloaded and ran Vundofix by Atribune, and i have also scanned with hijackthis after vundo.

The following is the Vundofix log:


VundoFix V6.2.8

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 12:27:43 AM 11/11/2006

Listing files found while scanning....

C:\WINDOWS\system32\epsyzbn.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\epsyzbn.dll
C:\WINDOWS\system32\epsyzbn.dll Has been deleted!

Performing Repairs to the registry.
Done!


The following is the hijackthis log:


Logfile of HijackThis v1.99.1
Scan saved at 12:38:19 AM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Documents and Settings\Don Juan\Desktop\friday.exe.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13CC1242-D483-91CC-E8E0-0590D8DD8ECE} - C:\WINDOWS\system32\epsyzbn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsev.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1149528968921
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhoq32 - winhoq32.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#6
Noviciate
Posted 11 November 2006 - 05:03 AM

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) Download the trial version of AVG Anti-Spyware from here and save it to your Desktop.
If you already have this program installed, skip to Updating AVG Anti-Spyware: below.

* Please note that this program was formerly known as Ewido anti-spyware 4.0.
Taken from the Ewido website -

ewido anti-spyware 4.0 will now continue under the new product name AVG Anti-Spyware 7.5. AVG Anti-Spyware 7.5 contains the same ewido technology, but with some further enhanced features:

Highly improved cleaning
Lower resource usage
Additional languages supported

All current licenses for ewido anti-spyware 4.0 will continue to be valid, and users can change over to the new AVG Anti-Spyware 7.5 for free.

Double click the ewido-setup file to begin installation and follow the prompts.
When the program has been installed, and you click the Finish button, AVG A-S will open.
  • Updating AVG Anti-Spyware:

    By default AVG A-S is configured to update automatically so, if you have an active internet connection, it should do so following installation. If you are unsure whether or not it has done so, do the following:
  • Click the Update icon at the top and under "Manual Update" - click the Start update button.
  • Either AVG A-S will update or inform you that no update was available.
  • If you cannot access the internet with the infected PC, or you are having problems updating, you can download the signatures file from here.
    Once you have installed AVG A-S, double click avgas-signatures-current.exe to update it.

    Disabling the Resident Shield:
  • By default the Resident Shield is active but as it may interfere with the process of cleaning your PC, it will need to be disabled.
    (When the PC has been cleaned you can activate the shield again, if you wish.)
  • Click the Shield icon at the top and under "Resident shield is..." - click active.
  • This should now change to inactive.

    Changing Recommended Actions
  • Click the Scanner icon at the top and then click the Settings Tab.
  • Under "How to act?" click Recommended actions and select "Quarantine" from the menu.
You can now close AVG A-S.

AVG A-S is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that Ewido will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.
Should you wish to benefit from the real-time protection, you will need to upgrade the program. To do this, simply open it and click on the Buy now button.

2) You will need to set Windows to show All Hidden Files and Folders.
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

3) You will need to know how to boot into Safe Mode.
Instructions can be found here.

4) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {13CC1242-D483-91CC-E8E0-0590D8DD8ECE} - C:\WINDOWS\system32\epsyzbn.dll (file missing)

O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)

O20 - Winlogon Notify: winhoq32 - winhoq32.dll (file missing)

CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Boot into Safe Mode.

3) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.
Do this for all Usernames.

4) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

5) Go to Start > Control Panel > Internet Options and under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

6) Ensure that ALL open Windows / Programs / Folders are closed and then run AVG A-S.
  • If it is not already selected, click the Scanner icon at the top and then select the Scan Tab.
  • Click "Complete System Scan"
  • While the scan is in progress the PC should be left otherwise idle - so if you fancy a cuppa, now's the time to put the kettle on!
  • When the scan has completed, any threats that AVG A-S has detected will be displayed.
  • Click the Apply all actions button at the bottom.
  • When AVG A-S has finished, it will display the message "All actions have been applied".

    Saving a report:
  • Click the Save Report button at the bottom left and the "Reports" window will open.
  • The content of the scan report will be displayed in the right hand pane and a copy will be automatically saved as Report-Scan-date-time.txt into the C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports folder.
  • You will need to post a copy of this report into your next reply, so if it is more convenient, you can save another copy of this report elsewhere:
    Click the Save report as button and select a destination by clicking the down arrow to the right of the Save in: text box and then click Save.
Close Ewido Anti-Spyware.

7) Boot into Normal Mode.

Post a new HJT log (run in Normal Mode), the AVG A-S log AND a description of how your PC is running.
  • 0

#7
DonP
Posted 11 November 2006 - 08:49 AM

DonP

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I followed your instructions and i haven't noticed any change in my pc's performance as well as i am still getting the winantivirus pop-up when windows starts up. My pc is running just a little slower than it normally does and has been doing that since i first started getting the winantivirus pop-up.

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:40:57 AM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Don Juan\Desktop\friday.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsev.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1149528968921
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Here is the AVG A-S log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:35:51 AM 11/11/2006

+ Scan result:



C:\System Volume Information\_restore{7420FD96-6C8F-4069-B959-922421B1340A}\RP589\A0219351.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7420FD96-6C8F-4069-B959-922421B1340A}\RP589\A0219352.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).


::Report end
  • 0

#8
Noviciate
Posted 11 November 2006 - 09:29 AM

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
Download gmer.zip from here and save it to your Desktop.
You will need to unzip it before you run it.

To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish

Double click gmer.exe to begin:
  • Select the Rootkit Tab at the top.
  • Click the Scan button on the right.
  • When the scan has completed, click the Copy button underneath - this will save the report to your Clipboard.
  • Paste it into Notepad (Start > All Programs > Accessories > Notepad) and save it somewhere convenient.
  • Repeat this for the Autostart Tab.
Copy and paste both reports into your next reply - you may need to post them seperately.
  • 0

#9
DonP
Posted 11 November 2006 - 11:08 AM

DonP

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
GMER Rootkit Scan Log:

GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-11 12:03:56
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT sptd.sys ZwOpenKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!ZwYieldExecution + 12E 804E4968 12 Bytes
.text ntoskrnl.exe!ZwYieldExecution + 16E 804E49A8 8 Bytes
.text ntoskrnl.exe!ZwYieldExecution + 12E 804E4968 12 Bytes
.text ntoskrnl.exe!ZwYieldExecution + 16E 804E49A8 8 Bytes

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumPageFilesA + FFFFCF75 76BF10ED 14 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumPageFilesA + FFFFCF84 76BF10FC 16 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumPageFilesA + FFFFCF95 76BF110D 5 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumPageFilesA + FFFFCF9D 76BF1115 15 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumPageFilesA + FFFFCFAD 76BF1125 55 Bytes
.text ...
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetDeviceDriverBaseNameA + 1C 76BF149A 145 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetDeviceDriverBaseNameA + AE 76BF152C 25 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetDeviceDriverBaseNameA + C8 76BF1546 13 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetDeviceDriverBaseNameA + D6 76BF1554 43 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetDeviceDriverBaseNameA + 102 76BF1580 11 Bytes
.text ...
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumDeviceDrivers + 61 76BF16A2 172 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumDeviceDrivers + 10E 76BF174F 77 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleFileNameExW + 26 76BF179D 85 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleFileNameExW + 7C 76BF17F3 85 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleFileNameExW + D3 76BF184A 34 Bytes JMP 76BF1727 C:\WINDOWS\system32\PSAPI.DLL
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleFileNameExW + F6 76BF186D 6 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleFileNameExW + FE 76BF1875 1 Byte
.text ...
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetDeviceDriverFileNameA + B 76BF1CF8 76 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetDeviceDriverFileNameA + 58 76BF1D45 360 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetMappedFileNameW + 8E 76BF1EAE 18 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetMappedFileNameA + 9 76BF1EC1 27 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetMappedFileNameA + 26 76BF1EDE 27 Bytes CALL 76BA2825
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetMappedFileNameA + 43 76BF1EFB 46 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumProcessModules + E 76BF1F2A 262 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumProcessModules + 11A 76BF2036 37 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumProcessModules + 140 76BF205C 11 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumProcessModules + 14C 76BF2068 26 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleFileNameExA + E 76BF2083 26 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleFileNameExA + 29 76BF209E 19 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleFileNameExA + 3D 76BF20B2 3 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleFileNameExA + 41 76BF20B6 19 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleFileNameExA + 55 76BF20CA 20 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleBaseNameW + 2 76BF20DF 20 Bytes CALL 76B7B2C3
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleBaseNameW + 17 76BF20F4 103 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleBaseNameA + 2 76BF215C 4 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleBaseNameA + 7 76BF2161 53 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleBaseNameA + 3F 76BF2199 6 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleBaseNameA + 47 76BF21A1 43 Bytes CALL 0036C9B7
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleInformation + B 76BF21CD 4 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleInformation + 10 76BF21D2 49 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetModuleInformation + 42 76BF2204 141 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EmptyWorkingSet + 31 76BF2292 8 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EmptyWorkingSet + 3A 76BF229B 37 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EmptyWorkingSet + 61 76BF22C2 11 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!QueryWorkingSet + 2 76BF22CE 74 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!QueryWorkingSet + 4E 76BF231A 19 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!QueryWorkingSet + 64 76BF2330 44 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!QueryWorkingSet + 91 76BF235D 6 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!QueryWorkingSet + 98 76BF2364 161 Bytes
.text ...
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumProcesses + 52 76BF3AEC 51 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumProcesses + 86 76BF3B20 354 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetProcessMemoryInfo + 9E 76BF3C83 115 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!InitializeProcessForWsWatch + 1E 76BF3CF7 6 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!InitializeProcessForWsWatch + 25 76BF3CFE 100 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetProcessImageFileNameW + C 76BF3D63 247 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetProcessImageFileNameA + 76 76BF3E5B 55 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetPerformanceInfo + 2A 76BF3E93 32 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetPerformanceInfo + 4B 76BF3EB4 149 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetPerformanceInfo + E1 76BF3F4A 13 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetPerformanceInfo + EF 76BF3F58 28 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!GetPerformanceInfo + 10C 76BF3F75 115 Bytes
.text ...
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumPageFilesW + 48 76BF4051 22 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumPageFilesW + 5F 76BF4068 168 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumPageFilesW + 108 76BF4111 152 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumPageFilesA + 32 76BF41AA 123 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumPageFilesA + AE 76BF4226 1 Byte
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumPageFilesA + B0 76BF4228 93 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumPageFilesA + 10E 76BF4286 12 Bytes
.text C:\WINDOWS\system32\cidaemon.exe[1988] PSAPI.DLL!EnumPageFilesA + 11B 76BF4293 403 Bytes
.text ...
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3508] kernel32.dll!SetUnhandledExceptionFilter 7C84479D 5 Bytes JMP 004E12D0 C:\Program Files\MSN Messenger\MsnMsgr.Exe

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 86F95EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 86F95EB0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 867EBE68
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE 867EBE68
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 867EBE68
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE 867EBE68
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION 867EBE68
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION 867EBE68
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA 867EBE68
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA 867EBE68
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS 867EBE68
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION 867EBE68
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION 867EBE68
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL 867EBE68
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL 867EBE68
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL 867EBE68
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN 867EBE68
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL 867EBE68
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP 867EBE68
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_PNP 867EBE68
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [AAEE92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [AAEE92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [AAEE92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4785A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [AAEE92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [AAEE92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [AAEE92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [AAEE92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4785A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [AAEE92A0] vsdatant.sys
Device \Driver\00000075 \Device\00000049 IRP_MJ_POWER [F750
  • 0

#10
DonP
Posted 11 November 2006 - 11:11 AM

DonP

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Device \Driver\00000075 \Device\00000049 IRP_MJ_SYSTEM_CONTROL [F751EA70] sptd.sys
Device \Driver\00000075 \Device\00000049 IRP_MJ_PNP [F7517728] sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 86F96A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 86F96A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 86F96A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 86F96A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 86F96A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86F96A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 86F96A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 86F96A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 86F96A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 86F96A40
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 86F96A40
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 86F630E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 86F630E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 86F630E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 86F630E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 86F630E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 86F630E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86F630E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 86F630E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 86F630E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 86F630E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 86F630E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSE 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 8693E0E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 8693E0E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 86F630E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 86F630E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 86F630E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 86F630E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 86F630E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 86F630E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86F630E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 86F630E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 86F630E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 86F630E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 86F630E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 86F630E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 86F630E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 86F630E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 86F630E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 86F630E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 86F630E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 86F630E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 86F630E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 86F630E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 86F630E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 86F630E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 869470E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 869470E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 869470E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 869470E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 869470E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 869470E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B5CA1FB6-6B51-4561-BAEA-2E98D101C96B} IRP_MJ_CREATE 869470E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B5CA1FB6-6B51-4561-BAEA-2E98D101C96B} IRP_MJ_CLOSE 869470E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B5CA1FB6-6B51-4561-BAEA-2E98D101C96B} IRP_MJ_DEVICE_CONTROL 869470E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B5CA1FB6-6B51-4561-BAEA-2E98D101C96B} IRP_MJ_INTERNAL_DEVICE_CONTROL 869470E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B5CA1FB6-6B51-4561-BAEA-2E98D101C96B} IRP_MJ_CLEANUP 869470E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B5CA1FB6-6B51-4561-BAEA-2E98D101C96B} IRP_MJ_PNP 869470E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 869470E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 869470E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 869470E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 869470E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 869470E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 869470E8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [AAEE92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [AAEE92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [AAEE92A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4785A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [AAEE92A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [AAEE92A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [AAEE92A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [AAEE92A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4785A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [AAEE92A0] vsdatant.sys
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 86F950E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CLOSE 86F950E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ 86F950E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE 86F950E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_FLUSH_BUFFERS 86F950E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_DEVICE_CONTROL 86F950E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86F950E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SHUTDOWN 86F950E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_POWER 86F950E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SYSTEM_CONTROL 86F950E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_PNP 86F950E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 867CC6D0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [AAEE92A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [AAEE92A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [AAEE92A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B4785A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [AAEE92A0] vsdatant.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 867CC6D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL
  • 0

Advertisements

#11
DonP
Posted 11 November 2006 - 11:14 AM

DonP

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 867FB0E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 867FB0E8

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected] 0AADB625593A79B7534D4CE0A37811FA6F4FB777E2A0A005B33201BCC0BB7A1F132BDAA160F8C71158FC280C5EA9A7DC6F0FA274638450CAC06583E0CBC047C31DDD44A453FEA583B5426EF75B02748F2827F8D9BCB58B071A1D3446AA080EBCE1314E3D24FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E667A9C6AECB7A5D1407A6A0AC4980AC7933A6171C11EC38DE3D061A853270E5B253FCBC670A583A9D3D875B80D078572291022E3CFCE4BCA6F3F92D62AFB1A95708847D3A647A26A9686EFEF42D2F05AFA4AADBE8F4340CBD5823B49D64D51CE0C64F56AA4386761F9497FCE4F96E018E8715AE55964DB0BAD6159E0C6BAE6F579272A43B39E01DC30FC0461F64502063EDC2C840C59F80BD30B15B7C051E9878D258CB647D03539307784DEABD027A8573074E5A8EAB931D84B3E12A139AD235533D31926D77933B919F88007A46EB7F920AE74C1E89C75FDB27AA4A9C321B35433441A5085F1C9E276EF50DB3EF9392AF47C02D45E13DC19EEB3403CC02B4CFB5A2E971F16FEFD4246F14B026E9D7B00F8D0D0DFAF2DAB59D38FE7073BD2594A2439D3EF1EFD827C802660333B1DF0358027D6DD790C85E0A15129F012DB642E4A252C6F33B5E143A58F4895F5717639B9DCD441C20F314F95E76950E2B7850BDA283B

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Don Juan\Favorites\AVSIM Online .url:favicon
ADS C:\Documents and Settings\Don Juan\Favorites\dolphin-one.eu .url:favicon
ADS C:\Documents and Settings\Don Juan\Favorites\eSkyWorld.com.url:favicon
ADS C:\Documents and Settings\Don Juan\Favorites\FlightSim.Com .url:favicon
ADS C:\Documents and Settings\Don Juan\Favorites\Geeks to Go Free Computer Help.url:favicon
ADS C:\Documents and Settings\Don Juan\Favorites\SurClaro.com.url:favicon
ADS C:\Documents and Settings\Don Juan\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{90CBCC1A-840B-29DE-1187-9E467F8552FC}\01\10-{90CBCC1A-840B-29DE-1187-9E467F8552FC}-v1-{230667ED-C698-42D9-A8F0-11BC5FEEA7D2}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

---- EOF - GMER 1.0.12 ----
  • 0

#12
DonP
Posted 11 November 2006 - 11:16 AM

DonP

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
GMER Autostart Scan Log:

GMER 1.0.12.11889 - http://www.gmer.net
Autostart scan 2006-11-11 12:05:17
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
AtiExtEvent@DLLName = Ati2evxx.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
APC UPS Service /*APC UPS Service*/@ = C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
AVG Anti-Spyware Guard /*AVG Anti-Spyware Guard*/@ = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
AVGEMS /*AVG E-mail Scanner*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
cisvc /*Indexing Service*/@ = C:\WINDOWS\System32\cisvc.exe
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
MDM /*Machine Debug Manager*/@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
NVSvc /*NVIDIA Display Driver Service*/@ = %SystemRoot%\system32\nvsvc32.exe
O&O Defrag /*O&O Defrag*/@ = C:\WINDOWS\system32\oodag.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SimpTcp /*Simple TCP/IP Services*/@ = %SystemRoot%\System32\tcpsvcs.exe
SNMP /*SNMP Service*/@ = %SystemRoot%\System32\snmp.exe
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@RaidToolC:\Program Files\VIA\RAID\raid_tool.exe = C:\Program Files\VIA\RAID\raid_tool.exe
@SunJavaUpdateSched"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" = "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
@AVG7_CCC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
@LXCGCATSrundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16 = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
@lxcgmon.exe"C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" = "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
@EzPrint"C:\Program Files\Lexmark 2300 Series\ezprint.exe" = "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
@FaxCenterServer"C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s = "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@TkBellExe"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
@Zone Labs Client"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
@DAEMON Tools"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 = "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime
@iTunesHelper"C:\Program Files\iTunes\iTunesHelper.exe" = "C:\Program Files\iTunes\iTunesHelper.exe"
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@nwiznwiz.exe /install = nwiz.exe /install
@NvMediaCenterRUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
@ViewMgrC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
@CTDriverundll32.exe C:\WINDOWS\system32\drvsev.dll,startup = rundll32.exe C:\WINDOWS\system32\drvsev.dll,startup
@!AVG Anti-Spyware"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
@DownloadAccelerator"C:\Program Files\DAP\DAP.EXE" /STARTUP = "C:\Program Files\DAP\DAP.EXE" /STARTUP

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MsnMsgr"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
@BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" = "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
@BitComet"C:\Program Files\BitComet\BitComet.exe" = "C:\Program Files\BitComet\BitComet.exe"
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@UPnPMonitor = C:\WINDOWS\system32\upnpui.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1D2680C9-0E2A-469d-B787-065558BC7D43} /*Fusion Cache*/blank /*file not found*/ = blank /*file not found*/
@{e57ce731-33e8-4c51-8354-bb4de9d215d1} /*Universal Plug and Play Devices*/C:\WINDOWS\system32\upnpui.dll = C:\WINDOWS\system32\upnpui.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll = C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Program Files\Grisoft\AVG Free\avgse.dll = C:\Program Files\Grisoft\AVG Free\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Program Files\Grisoft\AVG Free\avgse.dll = C:\Program Files\Grisoft\AVG Free\avgse.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll = C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll
@{506F4668-F13E-4AA1-BB04-B43203AB3CC0} /*{506F4668-F13E-4AA1-BB04-B43203AB3CC0}*/C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL = C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL
@{D66DC78C-4F61-447F-942B-3FB6980118CF} /*{D66DC78C-4F61-447F-942B-3FB6980118CF}*/C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL = C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
DAP_Menu@{BED4C38B-F765-45AC-8C56-613F76BBF43E} = C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL
DAP_ShredMenu@{BED4C38B-F765-45AC-8C56-613F76BBF43E} = C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
DAP_ShredMenu@{BED4C38B-F765-45AC-8C56-613F76BBF43E} = C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll = C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
@{9030D464-4C02-4ABF-8ECC-5164760863C6}C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

HKCU\Control Panel\[email protected] = C:\WINDOWS\System32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\ >>>
application/octet-stream@CLSID = mscoree.dll /*file not found*/
application/x-complus@CLSID = mscoree.dll /*file not found*/
application/x-msdownload@CLSID = mscoree.dll /*file not found*/
text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\ITSS.DLL
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\ITSS.DLL
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\Don Juan\Start Menu\Programs\Startup = Microsoft Office OneNote 2003 Quick Launch.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk
APC UPS Status.lnk = APC UPS Status.lnk
Microsoft Office OneNote 2003 Quick Launch.lnk = Microsoft Office OneNote 2003 Quick Launch.lnk
Smart Wizard Wireless Settings.lnk = Smart Wizard Wireless Settings.lnk

---- EOF - GMER 1.0.12 ----
  • 0

#13
Noviciate
Posted 11 November 2006 - 11:52 AM

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
I don't see any entries that I would normally associate with a Winfixer infection, so I am wondering if the culprit is Download Accelerator Plus (DAP). If this is the free version, it is add-supported, which may be the source of the problems.
Uninstall it if it is the free one and replace it with LeechGet which is ad-free.

If it's not, let me know and i'll get the great and the good to take a look and see what it is that i've missed.
  • 0

#14
DonP
Posted 11 November 2006 - 01:52 PM

DonP

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I've uninstalled Download Accelerator Plus (DAP) and i've installed Leechget 2006. I've also scanned using AVG Free Anti-virus and AVG Anti-Spyware. Both scans showed up clean. I then scanned with HijackThis. The Winantivirus 2006 pop-up is still there at windows startup.
Here is the fresh log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 2:47:18 PM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\LeechGet 2006\LeechGet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Don Juan\Desktop\Spyware Removal Tools\friday.exe
C:\WINDOWS\system32\verclsid.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsev.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LeechGet] "C:\Program Files\LeechGet 2006\LeechGet.exe" -intray
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2006\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2006\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2006\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1149528968921
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#15
Noviciate
Posted 11 November 2006 - 02:17 PM

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
1) Download F-Secure's BlackLight from here and save it to your Desktop.

2) Log off from the internet and disconnect your modem cable.

3) Go to Start > Run, copy and paste the following into the text box and hit OK:
"%userprofile%\desktop\blbeta.exe" /expert

The F-Secure Blacklight Beta window should open.
  • Accept the agreement and click Next >.
  • Click the Scan button to begin.
  • Leave the PC idle while the scan takes place.
  • When it has completed, click the Close button.
  • A text file, fsbl-date/time, will be saved onto your Desktop - copy and paste this into your next reply.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP