
Possible Trojan infection [RESOLVED]



#46 maze7817 (Member, Topic Starter, 139 posts)

MSTask.exe - Entry Point Not Found

The procedure entry point WSPStartup could not be located in the dynamic link library mswsockh.dll.
  • 0



#47 SNOWHITE (Trusted Helper, Retired Staff, 1,327 posts)

Hello maze7817

Copy the text below from the code box into Notepad and save it to the Desktop with the name find.bat (Save as type: All Files).

rem /a lists files regardless of attributes (hidden and system included); /s searches every subdirectory of the current drive
dir \winlogon.exe /a h /s > File.txt

Double-click find.bat and wait for the DOS window to close; a File.txt will appear on the Desktop. Post the contents of File.txt back in this thread.

Please download Process Explorer by Sysinternals from HERE; scroll down the page until you see the download link, download it and extract it to your Desktop. We will use this tool later.

Next, delete ComboScan, the tool that you downloaded a while ago.
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Regards,
  • 0

#48 maze7817 (Member, Topic Starter, 139 posts)

Volume in drive C has no label.
Volume Serial Number is 4CC5-1B32

Directory of C:\WINNT\$NtServicePackUninstall$

05/08/2001 04:00a 177,936 winlogon.exe
1 File(s) 177,936 bytes

Directory of C:\WINNT\ServicePackFiles\i386

06/19/2003 11:05a 181,008 winlogon.exe
1 File(s) 181,008 bytes

Directory of C:\WINNT\system32

02/19/2007 05:00p 181,008 WINLOGON.EXE
1 File(s) 181,008 bytes
  • 0
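The listing above can be checked mechanically rather than by eye. The following Python script is an added example for this thread; it is not code posted by anyone here and not part of DSS, HijackThis or Process Explorer. It parses the find.bat output exactly as posted (embedded below as a constructed sample) and compares the live C:\WINNT\system32 copy of winlogon.exe with the service-pack reference copy in ServicePackFiles\i386. The list of directories where a copy is expected (EXPECTED_DIRS) is an assumption for a Windows 2000 SP4 machine; a finding is a prompt to look closer (hash the file, check whether a hotfix shipped it), not proof of infection.

```python
import re
from datetime import datetime

# Constructed sample: the find.bat (dir /s) output as posted above in this thread.
DIR_OUTPUT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 4CC5-1B32

 Directory of C:\WINNT\$NtServicePackUninstall$

05/08/2001 04:00a 177,936 winlogon.exe
 1 File(s) 177,936 bytes

 Directory of C:\WINNT\ServicePackFiles\i386

06/19/2003 11:05a 181,008 winlogon.exe
 1 File(s) 181,008 bytes

 Directory of C:\WINNT\system32

02/19/2007 05:00p 181,008 WINLOGON.EXE
 1 File(s) 181,008 bytes
"""

# Directories where a copy of winlogon.exe is expected on a Windows 2000 SP4 box.
# Assumption for this example; extend it with $NtUninstallKBnnnnnn$ folders as hotfixes add them.
EXPECTED_DIRS = {
    r"c:\winnt\system32",
    r"c:\winnt\system32\dllcache",
    r"c:\winnt\servicepackfiles\i386",
    r"c:\winnt\$ntservicepackuninstall$",
}

DIR_HEADER = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
FILE_LINE = re.compile(
    r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}[ap])\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$"
)


def parse_dir_output(text):
    """Turn 'dir /s' output into records: {dir, name, size (bytes), mtime (datetime)}."""
    entries, current_dir = [], None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current_dir = m.group("dir")
            continue
        m = FILE_LINE.match(line)
        if m and current_dir:
            # dir prints 04:00a / 05:00p; strptime wants AM/PM
            t = m.group("time")
            stamp = f"{m.group('date')} {t[:-1]}{'AM' if t[-1] == 'a' else 'PM'}"
            entries.append({
                "dir": current_dir,
                "name": m.group("name"),
                "size": int(m.group("size").replace(",", "")),
                "mtime": datetime.strptime(stamp, "%m/%d/%Y %I:%M%p"),
            })
    return entries


def triage_winlogon(entries,
                    reference_dir=r"C:\WINNT\ServicePackFiles\i386",
                    live_dir=r"C:\WINNT\system32"):
    """Compare the live winlogon.exe with the service-pack reference copy.

    Returns a list of findings; an empty list means nothing looked odd.
    """
    copies = {e["dir"].lower(): e for e in entries if e["name"].lower() == "winlogon.exe"}
    findings = []
    for d in copies:
        if d not in EXPECTED_DIRS:
            findings.append(f"unexpected copy of winlogon.exe in {d}")
    ref, live = copies.get(reference_dir.lower()), copies.get(live_dir.lower())
    if ref is None or live is None:
        findings.append("reference or live copy missing from the listing")
        return findings
    if live["size"] != ref["size"]:
        findings.append(f"size differs: live {live['size']} bytes vs reference {ref['size']} bytes")
    if live["mtime"] > ref["mtime"]:
        # A later timestamp with the same size is exactly the pattern in the posted listing.
        findings.append(f"live copy modified after the reference copy: "
                        f"{live['mtime']:%Y-%m-%d} vs {ref['mtime']:%Y-%m-%d}")
    return findings


if __name__ == "__main__":
    for finding in triage_winlogon(parse_dir_output(DIR_OUTPUT)):
        print("CHECK:", finding)
```

On the posted listing the script reports one finding: the system32 copy has the same size as the SP4 copy but a modification date of 2007-02-19, years after the service pack copy, which is why the helper asks for it to be replaced and then scanned.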

#49 maze7817 (Member, Topic Starter, 139 posts)

I still can't boot up in normal mode. Is it OK if I use dss.exe in safe mode?
  • 0

#50 SNOWHITE (Trusted Helper, Retired Staff, 1,327 posts)

Yes, please try Safe Mode :whistling:
  • 0

#51 maze7817 (Member, Topic Starter, 139 posts)

Deckard's System Scanner v20070318.32
Run by Allen on 2007-03-21 at 17:33:55
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Allen.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:34:08 PM, on 03/21/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Allen\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Allen.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1165361061335
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\Allen\ie_updater.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20060307-220508-366 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dia-traff...in.cgi?homepage
backup-20060307-220508-619 O4 - HKLM\..\Run: [wdskctl] C:\WINNT\wdskctl.exe
backup-20060307-220508-714 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dia-traff...in.cgi?homepage
backup-20060307-220508-880 O4 - HKLM\..\Run: [Bpnze] C:\Program Files\Pfqg\Vrvdxq.exe
backup-20060307-220525-189 O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
backup-20060307-220525-645 O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0029.exe
backup-20060307-220525-775 O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupd...ll/aun_0032.exe
backup-20060307-220525-915 O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0002.exe
backup-20061118-153137-164 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
backup-20061118-153137-364 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
backup-20061118-153137-412 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20061118-153137-417 R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
backup-20061118-153137-700 O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
backup-20061118-153156-638 O21 - SSODL: msbp32.dll - {3F292637-EB4D-79CF-99E4-CC06385FD26E} - c:\winnt\system32\msbp32.dll (file missing)
backup-20061201-162124-432 O4 - HKLM\..\Run: [SVCHOST] C:\WINNT\system\svhost.exe
backup-20061201-162124-656 O4 - HKLM\..\Run: [Task Manager] C:\WINNT\system\svchost32.exe
backup-20061202-143531-663 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
backup-20061202-143531-670 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20061215-182454-773 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20061215-182454-877 O4 - HKCU\..\Run: [ntdll.dll] C:\WINNT\inet20126\services.exe
backup-20061216-115636-545 O4 - HKCU\..\Run: [WinMedia] C:\WINNT\loader285624922.exe
backup-20061216-115636-661 O4 - HKCU\..\Run: [WinUpgrade] "C:\WINNT\loader85641515.exe "
backup-20061216-120019-325 O4 - HKCU\..\Run: [WinMedia] C:\WINNT\loader285624922.exe
backup-20061216-121910-637 O4 - HKCU\..\Run: [WinMedia] C:\WINNT\loader285624922.exe
backup-20070223-160006-169 O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
backup-20070223-160006-178 O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)
backup-20070223-160006-203 O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
backup-20070223-160006-480 O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINNT\inet20126\socks.exe
backup-20070223-160006-711 O21 - SSODL: kwZJYFTNI - {4CC51B33-E66F-B199-FEC8-B5D66FF8906B} - C:\WINNT\system32\qt.dll (file missing)
backup-20070223-160006-838 O20 - Winlogon Notify: ksapgh - ksapgh.dll (file missing)
backup-20070223-160006-891 O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\system.dll (file missing)
backup-20070319-174914-121 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
backup-20070319-174914-136 O17 - HKLM\System\CCS\Services\Tcpip\..\{D0CFD05D-E045-4EA1-9D33-723CFB5D8847}: NameServer = 85.255.116.173,85.255.112.72
backup-20070319-174914-166 O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
backup-20070319-174914-175 O17 - HKLM\System\CCS\Services\Tcpip\..\{FDEE367A-0847-43D8-9172-9299FDE8619D}: NameServer = 85.255.116.173,85.255.112.72
backup-20070319-174914-188 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
backup-20070319-174914-229 F3 - REG:win.ini: run=C:\WINNT\ServicePackFiles\services.exe
backup-20070319-174914-319 O4 - HKCU\..\Run: [xp_sys] C:\WINNT\ServicePackFiles\mm.exe 20000
backup-20070319-174914-562 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.173 85.255.112.72
backup-20070319-174914-582 O4 - HKCU\..\Run: [xp_system] C:\WINNT\ServicePackFiles\services.exe
backup-20070319-174914-605 O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video ActiveX Object\isadd.dll
backup-20070319-174914-626 O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
backup-20070319-174914-640 O17 - HKLM\System\CCS\Services\Tcpip\..\{2B8D601A-6780-442D-A1A3-2D09D8A106F4}: NameServer = 85.255.116.173,85.255.112.72
backup-20070319-174914-659 O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\Allen\ie_updater.exe (file missing)
backup-20070319-174914-828 O4 - HKLM\..\Run: [xp_sys] C:\WINNT\ServicePackFiles\mm.exe 20000
backup-20070319-174914-835 O4 - HKLM\..\Run: [xp_system] C:\WINNT\ServicePackFiles\services.exe
backup-20070319-174914-897 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.173 85.255.112.72
backup-20070319-174914-907 O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\WINNT\ServicePackFiles\31715034.dll
backup-20070319-174914-919 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.173 85.255.112.72
backup-20070319-174914-967 O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 Cdr4_2K - c:\winnt\system32\drivers\cdr4_2k.sys
R1 Cdralw2k - c:\winnt\system32\drivers\cdralw2k.sys
R2 HOTKEY (Panasonic Hotkey Driver) - c:\winnt\system32\hotkey.sys
R3 NETGEAR_WG511_SERVICE (NETGEAR WG511T Wireless Adapter Service) - c:\winnt\system32\drivers\wg511nd5.sys
R3 wanatw (WAN Miniport (ATW)) - c:\winnt\system32\drivers\wanatw4.sys

S1 p81eskse (FWSHIFT service) - c:\winnt\system32\p81eskse.sys (file missing)
S2 ASCTRM - c:\winnt\system32\drivers\asctrm.sys
S2 aswMon (avast! Standard Shield Support) - c:\winnt\system32\drivers\aswmon.sys
S2 Hrmy19 - c:\winnt\system32\hrmy19.sys
S2 npkcrypt - c:\program files\nexon\maplestory\npkcrypt.sys
S3 AWINDIS5 (AWINDIS5 Protocol Driver) - c:\winnt\system32\awindis5.sys
S3 ltmodem5 (Lucent Modem Driver) - c:\winnt\system32\drivers\ltmdmnt.sys
S3 MPE (BDA MPE Filter) - c:\winnt\system32\drivers\mpe.sys
S3 NPF (Netgroup Packet Filter) - c:\winnt\system32\drivers\npf.sys
S3 STAC97 (Intel 82801 Audio Driver (WDM) - SigmaTel Codec) - c:\winnt\system32\drivers\stac97.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 AOL TopSpeedMonitor (AOL TopSpeed Monitor) - c:\program files\common files\aol\topspeed\2.0\aoltsmon.exe
S2 AOLService (AOL Spyware Protection Service) - c:\progra~1\common~1\aol\aolspy~1\\aolserv.exe
S2 Microsoft IEUpdater2 (ieupdater2) - c:\documents and settings\allen\ie_updater.exe /start (file missing)
S3 usprserv (User Privilege Service) - c:\winnt\system32\svchost.exe -k netsvcs


-- Scheduled Tasks -------------------------------------------------------------

2007-03-17 17:34:07 494 --a------ C:\WINNT\Tasks\McAfee.com Update Check (ALLEN-YCZ4CN9JC-Allen).job<MCAFEE~1.JOB>
2007-03-10 13:10:01 284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>


-- Files created between 2007-02-21 and 2007-03-21 -----------------------------

2007-03-21 17:03:24 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_280.dat<PEA8EE~1.DAT>
2007-03-20 17:31:56 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_278.dat<PEC4EE~1.DAT>
2007-03-19 18:33:27 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_27c.dat<PE75E2~1.DAT>
2007-03-19 18:28:53 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_274.dat<PEB4EE~1.DAT>
2007-03-19 17:32:58 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_28c.dat<PE79E2~1.DAT>
2007-03-17 13:27:13 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_288.dat<PEC8EE~1.DAT>
2007-03-17 12:34:22 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_294.dat<PEBCEE~1.DAT>
2007-03-16 19:55:12 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2a4.dat<PEBC83~1.DAT>
2007-03-16 19:50:23 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2ac.dat<PE7D8F~1.DAT>
2007-03-16 19:40:31 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2a8.dat<PECC83~1.DAT>
2007-03-16 19:35:22 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2b0.dat<PEA093~1.DAT>
2007-03-16 19:30:26 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_29c.dat<PE7DE2~1.DAT>
2007-03-16 19:16:24 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2a0.dat<PEAC83~1.DAT>
2007-03-16 19:03:46 23352 --a------ C:\WINNT\system32\drivers\aswRdr.sys
2007-03-16 19:03:44 43176 --a------ C:\WINNT\system32\drivers\aswTdi.sys
2007-03-16 19:03:42 31560 --a------ C:\WINNT\system32\drivers\aavmker4.sys
2007-03-16 19:03:38 94424 --a------ C:\WINNT\system32\drivers\aswmon2.sys
2007-03-16 19:03:38 85952 --a------ C:\WINNT\system32\drivers\aswmon.sys
2007-03-16 19:03:29 1060864 --a------ C:\WINNT\system32\MFC71.dll
2007-03-16 19:03:29 90112 --a------ C:\WINNT\system32\AVASTSS.scr
2007-03-16 19:03:29 689280 --a------ C:\WINNT\system32\aswBoot.exe
2007-03-16 19:03:21 0 d-------- C:\Program Files\Alwil Software<ALWILS~1>
2007-03-16 18:05:03 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_5fc.dat<PE81A9~1.DAT>
2007-03-16 17:59:32 51328 --a------ C:\WINNT\system32\drivers\inspect.sys
2007-03-16 17:59:32 76800 --a------ C:\WINNT\system32\drivers\cmdmon.sys
2007-03-16 16:49:26 0 d-------- C:\Documents and Settings\Allen\Application Data\Comodo
2007-03-16 16:49:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-03-16 16:38:32 0 d-------- C:\Program Files\Comodo
2007-03-16 15:29:16 42496 --a------ C:\WINNT\system32\mswsock.dll
2007-03-15 20:13:24 61440 --a------ C:\WINNT\system32\arcac.exe
2007-03-14 18:56:13 0 d-------- C:\Program Files\SpyDawn
2007-03-14 18:55:20 197677 --a------ C:\WINNT\system32\videos-access1336.exe<VIDEOS~1.EXE>
2007-03-14 18:55:18 2820 --a------ C:\WINNT\system32\temp
2007-03-14 18:54:34 140288 --a------ C:\WINNT\system32\Hrmy19.sys
2007-03-14 18:54:28 7680 --a------ C:\WINNT\system32\update1.exe
2007-03-14 18:54:06 16896 --a------ C:\WINNT\system32\update9.exe
2007-03-14 18:54:02 0 d-------- C:\Program Files\Video ActiveX Object<VIDEOA~1>
2007-03-14 18:53:50 98816 --a------ C:\WINNT\system32\update6.exe
2007-03-14 18:53:45 19968 --a------ C:\WINNT\system32\update0.exe
2007-03-14 18:53:41 42322 --a------ C:\WINNT\system32\update8.exe
2007-03-14 16:25:05 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_1644.dat<PEEED1~1.DAT>
2007-02-23 16:36:28 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_384.dat<PEC8E8~1.DAT>


-- Find3M Report ---------------------------------------------------------------

2007-03-19 17:31:30 69904 --a------ C:\WINNT\system32\ws2_32.dll
2007-03-16 17:00:35 0 d-a------ C:\Program Files\McAfee.com
2007-03-14 18:54:39 11776 --a-s---- C:\WINNT\system32\geplxss.dll
2007-03-14 18:53:56 60810 --a------ C:\WINNT\system32\vcodec.exe
2007-03-12 07:42:58 0 d-------- C:\Documents and Settings\Allen\Application Data\U3
2007-02-19 17:00:12 181008 --a------ C:\WINNT\system32\WINLOGON.EXE
2007-02-19 16:03:17 233984 --a------ C:\WINNT\system32\update43740624.exe<UPF447~1.EXE>
2007-02-19 15:52:31 91648 --a------ C:\Program Files\Common Files\comio32.dll
2007-02-19 15:41:58 233984 --a------ C:\WINNT\system32\update08371307.exe<UP09B3~1.EXE>
2007-02-19 15:36:45 91648 --a------ C:\Program Files\Common Files\vcdb32.dll
2007-02-19 14:48:29 233472 --a------ C:\WINNT\system32\wpcap.dll
2007-02-19 14:48:29 61440 --a------ C:\WINNT\system32\WanPacket.dll<WANPAC~1.DLL>
2007-02-19 14:48:29 53299 --a------ C:\WINNT\system32\pthreadVC.dll<PTHREA~1.DLL>
2007-02-19 14:48:29 81920 --a------ C:\WINNT\system32\Packet.dll
2007-02-19 14:48:07 233984 --a------ C:\WINNT\system32\update00822631.exe<UPEBC0~1.EXE>
2007-02-18 22:32:14 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_210.dat<PEACCE~1.DAT>
2007-02-18 21:58:18 233984 --a------ C:\WINNT\system32\update20095996.exe<UP03EF~1.EXE>
2007-02-18 21:52:36 233984 --a------ C:\WINNT\system32\update15165068.exe<UP875E~1.EXE>
2007-02-18 21:47:02 233984 --a------ C:\WINNT\system32\update56949033.exe<UP6DDF~1.EXE>
2007-02-18 21:41:57 91648 --a------ C:\WINNT\kbdb32.dll
2007-02-18 21:41:38 233984 --a------ C:\WINNT\system32\update34368022.exe<UP60D6~1.EXE>
2007-02-18 21:36:14 233984 --a------ C:\WINNT\system32\update56867988.exe<UP9CE7~1.EXE>
2007-02-18 21:31:02 233984 --a------ C:\WINNT\system32\update61751384.exe<UPFF5D~1.EXE>
2007-02-18 21:25:21 233984 --a------ C:\WINNT\system32\update10231151.exe<UP6CC7~1.EXE>
2007-02-18 21:19:59 91648 --a------ C:\WINNT\kbui32.dll
2007-02-18 19:43:50 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2bc.dat<PE719F~1.DAT>
2007-02-18 18:10:50 233984 --a------ C:\WINNT\system32\update10521759.exe<UP9FCA~2.EXE>
2007-02-18 18:05:17 233984 --a------ C:\WINNT\system32\update80327372.exe<UPE4E6~1.EXE>
2007-02-18 17:59:47 233984 --a------ C:\WINNT\system32\update33579329.exe<UP8450~1.EXE>
2007-02-18 17:48:55 233984 --a------ C:\WINNT\system32\update60166725.exe<UP0CCE~2.EXE>
2007-02-18 17:37:44 233984 --a------ C:\WINNT\system32\update34241336.exe<UP85CA~1.EXE>
2007-02-18 17:32:15 233984 --a------ C:\WINNT\system32\update29635155.exe<UPF853~1.EXE>
2007-02-18 17:26:36 233984 --a------ C:\WINNT\system32\update27823317.exe<UP0749~1.EXE>
2007-02-18 17:21:03 233984 --a------ C:\WINNT\system32\update39663900.exe<UP7142~1.EXE>
2007-02-18 17:10:24 233984 --a------ C:\WINNT\system32\update39690796.exe<UP8F55~1.EXE>
2007-02-18 17:04:50 91648 --a------ C:\WINNT\msio32.dll
2007-02-18 16:37:30 91648 --a------ C:\WINNT\dbmio32.dll
2007-02-18 13:06:15 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_8c8.dat<PED49F~1.DAT>
2007-02-18 13:00:51 91648 --a------ C:\WINNT\dbmmgr32.dll
2007-02-18 12:54:46 91648 --a------ C:\Program Files\Common Files\d3db32.dll
2007-02-18 05:40:11 91648 --a------ C:\WINNT\vcui32.dll
2007-02-18 04:24:48 91648 --a------ C:\Program Files\Common Files\kbdb32.dll
2007-02-18 03:15:34 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_998.dat<PEDCE4~1.DAT>
2007-02-18 01:56:02 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_1ce4.dat<PERFLI~4.DAT>
2007-02-17 15:07:26 91648 --a------ C:\WINNT\vcdb32.dll
2007-02-17 14:56:07 91648 --a------ C:\WINNT\d3db32.dll
2007-02-17 14:44:47 91648 --a------ C:\WINNT\commgr32.dll
2007-02-17 05:21:40 91648 --a------ C:\Program Files\Common Files\dbmmgr32.dll
2007-02-16 17:48:26 91648 --a------ C:\WINNT\msmgr32.dll
2007-02-16 17:42:43 91648 --a------ C:\Program Files\Common Files\vcui32.dll
2007-02-16 17:20:17 91648 --a------ C:\Program Files\Common Files\commgr32.dll
2007-02-16 16:08:12 1050 --a------ C:\WINNT\system32\tmp.reg
2007-02-15 10:37:20 0 --a------ C:\WINNT\NULL
2007-02-15 10:10:56 91648 --a------ C:\WINNT\d3ui32.dll
2007-02-15 02:37:32 1 --a------ C:\WINNT\system32\kr_done1
2007-02-15 02:37:09 20992 --a------ C:\WINNT\system32\higehsg.dll
2007-01-28 21:40:30 1168 --a------ C:\WINNT\mozver.dat
2007-01-26 20:53:23 0 d-------- C:\Documents and Settings\Allen\Application Data\Mozilla
2007-01-21 18:18:32 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_10e0.dat<PERFLI~1.DAT>
2007-01-04 21:34:52 8234 --a------ C:\clean.bat


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="Network Neighborhood"
"{2016a466-91a2-43c6-97d8-2fd380f065ef}"="eitheror"
"{aed6f6a3-183c-488d-9f90-23db99f56e7f}"="apathies"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{20D57A66-F7DF-467d-907B-9B7F4A118AB7}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"xp_system"="C:\\WINNT\\ServicePackFiles\\services.exe"
"WinMedia"="C:\\WINNT\\TEMP\\201880.exe"
"xp_sys"="C:\\WINNT\\ServicePackFiles\\mm.exe 20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\
wugroup REG_MULTI_SZ wuauserv\
BITSgroup REG_MULTI_SZ BITS\



-- End of Deckard's System Scanner: finished at 2007-03-21 at 17:34:34 ---------
  • 0
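The HijackThis section of a DSS log is usually triaged by hand, but the patterns the helpers look for (orphaned entries, autoruns launched from odd locations, rogue DNS resolvers) can be expressed as rules. The following Python script is an added example, not code posted in this thread and not part of HijackThis or DSS. The sample lines are constructed from the log above; the path heuristics in SUSPECT_PATH_PATTERNS and the trusted_dns allow-list are assumptions for the example, and everything it reports is a candidate for review rather than a verdict.

```python
import re
import ipaddress

# Constructed sample: a handful of lines taken from the HijackThis sections of the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINNT\loader285624922.exe
O4 - HKLM\..\Run: [xp_sys] C:\WINNT\ServicePackFiles\mm.exe 20000
F3 - REG:win.ini: run=C:\WINNT\ServicePackFiles\services.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0CFD05D-E045-4EA1-9D33-723CFB5D8847}: NameServer = 85.255.116.173,85.255.112.72
O20 - Winlogon Notify: ksapgh - ksapgh.dll (file missing)
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\Allen\ie_updater.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
"""

# Heuristics (assumptions for this example) for where a legitimate autorun rarely lives.
SUSPECT_PATH_PATTERNS = [
    (re.compile(r"\\temp\\", re.I), "runs from a TEMP directory"),
    (re.compile(r"\\servicepackfiles\\(?!i386\\)", re.I),
     "runs from ServicePackFiles outside the i386 subfolder"),
    (re.compile(r"\\documents and settings\\[^\\]+\\[^\\]+\.exe$", re.I),
     "executable sits directly in a user profile root"),
    (re.compile(r"\\[a-z_]+\d{6,}\.exe$", re.I),
     "executable name carries a long random-looking number"),
]


def _exe_path(cmd):
    """Extract the executable from a command line, honouring a quoted first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.I)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def _launch_target(line):
    """Return the command line an O4 / F3 / O23 entry launches, or '' for other types."""
    if line.startswith("O4 "):
        m = re.search(r"\]\s*(.*)$", line)
        return m.group(1) if m else ""
    if line.startswith("F3 "):
        m = re.search(r"run=(.*)$", line, re.I)
        return m.group(1) if m else ""
    if line.startswith("O23 "):
        return line.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
    return ""


def triage_hijackthis(text, trusted_dns=frozenset()):
    """Map each suspicious log line to the list of reasons it was flagged."""
    findings = {}

    def add(line, reason):
        findings.setdefault(line, []).append(reason)

    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "(file missing)" in line or "(no file)" in line:
            add(line, "orphaned entry: referenced file is missing")
        m = re.search(r"NameServer = (.*)$", line)
        if line.startswith("O17 ") and m:
            for addr in re.split(r"[,\s]+", m.group(1).strip()):
                if not addr:
                    continue
                try:
                    ip = ipaddress.ip_address(addr)
                except ValueError:
                    add(line, f"unparseable resolver {addr!r}")
                    continue
                if not ip.is_private and addr not in trusted_dns:
                    add(line, f"resolver {addr} is public and not on the trusted list")
        target = _launch_target(line)
        if target:
            path = _exe_path(target)
            for pattern, why in SUSPECT_PATH_PATTERNS:
                if pattern.search(path):
                    add(line, why)
    return findings


if __name__ == "__main__":
    for flagged, reasons in triage_hijackthis(SAMPLE_LOG).items():
        print(flagged)
        for r in reasons:
            print("   ->", r)
```

Pass your ISP's or router's resolver addresses in trusted_dns so that a legitimately configured public DNS server is not reported; the avast! and Comodo lines in the sample come through clean, while the six lines the helpers actually fixed in this thread are each flagged with at least one reason.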

#52 maze7817 (Member, Topic Starter, 139 posts)

Deckard's System Scanner v20070318.32
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® III Mobile CPU 1000MHz
Percentage of Memory in Use: 28%
Physical Memory (total/avail): 254.98 MiB / 182.43 MiB
Pagefile Memory (total/avail): 616.9 MiB / 526.46 MiB
Virtual Memory (total/avail): 2047.88 MiB / 2008.02 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 18.62 GiB total, 6.83 GiB free.
D: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is not configured.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Allen\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_08\lib\ext\QTJava.zip;C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ALLEN-YCZ4CN9JC
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\
LOGONSERVER=\\ALLEN-YCZ4CN9JC
ntdll.dll=.;
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\wbem;C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 11 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0b01
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
SAFEBOOT_OPTION=NETWORK
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\Allen\LOCALS~1\Temp
TMP=C:\DOCUME~1\Allen\LOCALS~1\Temp
USERDOMAIN=ALLEN-YCZ4CN9JC
USERNAME=Allen
USERPROFILE=C:\Documents and Settings\Allen
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Allen (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINNT\ISUNINST.EXE -a -f"C:\Program Files\Hewlett-Packard\HP DeskJet 1220C Toolbox\Uninst.isu" -c"C:\Program Files\Hewlett-Packard\HP DeskJet 1220C Toolbox\hpwioi.dll" -i"tbxinst.ini" -h"HPZIOU00.DLL"
7-Zip 4.42 --> "C:\Program Files\7-Zip\Uninstall.exe"
Adobe Acrobat 5.0 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINNT\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Shockwave Player --> C:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~1\Install.log
AIM 6.0 --> C:\Program Files\AIM6\uninst.exe
AOL Coach Version 1.0(Build:20020823.1) --> C:\WINNT\AolCInUn.exe
AOL Coach Version 2.0(Build:20041026.5 en) --> C:\Program Files\Common Files\AolCoach\en_en\AolCInUn.exe -lang=en_en -ext=UDP
AOL Connectivity Services --> "C:\Program Files\Common Files\AOL\ACS\AcsUninstall.exe" /c
AOL Deskbar --> "C:\Program Files\AOL Deskbar\UNWISE.EXE" /u "C:\Program Files\AOL Deskbar\INSTALL.LOG"
AOL Explorer --> C:\Program Files\Common Files\AOL\1107404654\ee\services\browser\ver1_1_1042\uninst.exe
AOL Spyware Protection --> C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\UNWISE.EXE C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\INSTALL.LOG
AOL Toolbar 2.0 --> "C:\Program Files\AOL\AOL Toolbar 2.0\uninstall.exe"
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
AOL You've Got Pictures Screensaver --> C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
ATI Display Driver --> rundll32 C:\WINNT\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
COMODO Firewall Pro --> C:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
HaxFix 4.37 --> "C:\Program Files\HaxFix\unins000.exe"
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
HP DeskJet 1220C Printer --> C:\WINNT\ISUNINST.EXE -a -f"C:\Program Files\Hewlett-Packard\HP DeskJet 1220C Printer\Uninst.isu" -c"C:\Program Files\Hewlett-Packard\HP DeskJet 1220C Printer\HPWTVW.DLL" -u"comp.ini"
Internet Explorer Security Plugin 2006 --> "C:\Program Files\Video ActiveX Object\iesuninst.exe"
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
LimeWire 4.12.6 --> "C:\Program Files\LimeWire\uninstall.exe"
MapleStory --> MsiExec.exe /I{F99C5427-4D78-43E2-B97E-F4C4E622D612}
Microsoft Office XP Professional --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0050048383C9}
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NETGEAR 108 Mbps Wireless PC Card WG511T --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9D20484-D3CC-4CD2-B1ED-B72A9CEFD45D}\Setup.exe" -l0x9
Pure Networks Port Magic --> C:\Program Files\Pure Networks\Port Magic\PortAOL.exe -Uninstall -ShowUI
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Synaptics TouchPad --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
System Alert Popup --> C:\WINNT\TEMP\laf73D.tmp /del
Windows 2000 Service Pack 4 --> C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- End of Deckard's System Scanner: finished at 2007-03-21 at 17:34:34 ---------
  • 0

#53 SNOWHITE (Trusted Helper, Retired Staff, 1,327 posts)

maze7817 :whistling:

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Step 1

Boot in Safe Mode, DO NOT boot in Safe Mode with Networking!

Navigate to C:\WINNT\ServicePackFiles\i386, locate winlogon.exe, right click on it and select Copy;

Now on the Desktop double click on procexp.exe (Process Explorer)

Locate smss.exe, now right click that process and select "Kill Process"

Next, locate the process winlogon.exe, right click that process and select "Kill Process"

Now, navigate to C:\WINNT\system32, find winlogon.exe, right click on it and select Delete.

When winlogon.exe is gone, right click inside the System32 folder and select Paste; this should place a clean copy of winlogon.exe.

Pull the plug out of the back of the computer to force a shutdown, wait for a while (a few minutes), and start the machine again.

Step 2

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\WINNT\system32\WINLOGON.EXE
  • Click on the submit button
  • Please post the results in your next reply.
If you have any questions please feel free to ask me before you proceed with the above instructions!


Regards,
  • 0
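Step 1 above replaces the live winlogon.exe with the copy kept under ServicePackFiles\i386. The check a practitioner would want before doing that is to hash both copies and see whether they actually differ, and to remember that the reference copy can itself be tampered with (later in this thread the AVG report flags C:\WINNT\ServicePackFiles\i386\mswsock.dll, so a match proves nothing about cleanliness on its own). The script below is an added example written for this page, not code from the thread or from any of the tools it mentions; the file names and bytes in demo() are constructed stand-ins, not real Windows binaries.

```python
"""Added example (not part of the original thread): compare a live system
file with a known-good copy before swapping it.  All paths and bytes used by
demo() are constructed placeholders, not real Windows files."""
import hashlib
import os
import tempfile
from typing import Dict


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copies(known_good: str, live: str) -> Dict[str, object]:
    """Report size and SHA-256 of both copies and whether they are identical.

    A mismatch does not by itself prove the live copy is malicious (a hotfix
    may have updated it), and a match does not prove either copy is clean:
    the reference copy must come from media you trust.
    """
    result: Dict[str, object] = {
        "known_good_sha256": sha256_of_file(known_good),
        "live_sha256": sha256_of_file(live),
        "known_good_size": os.path.getsize(known_good),
        "live_size": os.path.getsize(live),
    }
    result["match"] = result["known_good_sha256"] == result["live_sha256"]
    return result


def demo() -> Dict[str, object]:
    """Build two constructed stand-in files in a temp dir and compare them.

    The bytes are fabricated: they stand in for a reference winlogon.exe and
    a live copy that has had extra bytes appended to it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        reference = os.path.join(tmp, "ServicePackFiles_i386_winlogon.exe")
        live = os.path.join(tmp, "system32_winlogon.exe")
        with open(reference, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62 + b"clean reference image")
        with open(live, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62 + b"clean reference image" + b"\x90" * 16)
        return compare_copies(reference, live)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the real machine you would call compare_copies() with the two actual paths and keep the hashes in your notes, so that after the reboot you can re-hash C:\WINNT\system32\winlogon.exe and confirm it is still the copy you placed there.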

#54
maze7817

maze7817

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 139 posts
When I force the computer to restart, should I restart in Safe Mode or Normal Mode?
  • 0

#55
SNOWHITE

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts
Try Normal Mode, if your computer crashes again try Safe Mode and please post back to tell me the results. :whistling:
  • 0

#56
maze7817

maze7817

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 139 posts
Scanner results
Scan taken on 23 Mar 2007 04:11:06 (GMT)
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Statistics
Last file scanned at least one scanner reported something about: uninstall_onflow.exe (MD5: 9f2c60db017252da0636f40afa8ee5b9, size: 82944 bytes), detected by:

Scanner Malware name
AntiVir X
ArcaVir X
Avast X
AVG Antivirus Generic.GNP
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus not-a-virus:AdWare.Win32.OnFlow (4, 1, 400)
Fortinet X
Kaspersky Anti-Virus not-a-virus:AdWare.Win32.OnFlow
NOD32 X
Norman Virus Control W32/OnFlow.B
Panda Antivirus X
VirusBuster X
VBA32 AdWare.Win32.OnFlow
  • 0

#57
SNOWHITE

SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts
maze7817 :whistling:

The results for winlogon.exe are clean; that is good. Now we need to repeat some steps to see what is left and gather more information so I can create a new fix for you.

Follow the steps below to update and run a scan with AVG Anti-Spyware.
Step 1
  • Locate AVG Anti-Spyware, and double-click on it to start the program
  • Update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

Step 2
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  • For Technical Support, double-click the e-mail address located at the bottom of each menu.
Step 3
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware scan report.
Post back with the AVG Anti-Spyware scan report.
Step 4
Download haxfix.exe
and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread.
Step 5
Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

OK, post back with AVG Anti-Spyware report scan, Haxfix log and SmitfraudFix report.

Regards,
  • 0

#58
maze7817

maze7817

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 139 posts
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:21:10 AM 03/23/2007

+ Scan result:



C:\Program Files\Video ActiveX Object -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Video ActiveX Object\isamini.exe -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Video ActiveX Object\isamntr.exe -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Video ActiveX Object\ot.ico -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Video ActiveX Object\ts.ico -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006 -> Adware.Generic : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Internet Security -> Adware.IntCodec : Cleaned with backup (quarantined).
HKU\S-1-5-21-1542981812-894584797-231281373-1001\Software\Internet Security -> Adware.IntCodec : Cleaned with backup (quarantined).
C:\Documents and Settings\Allen\Desktop\SmitfraudFix\SmiUpdate.exe -> Adware.SmiUpdate : Cleaned with backup (quarantined).
C:\Program Files\SpyDawn\SpyDawn.exe -> Adware.SpyHeal : Cleaned with backup (quarantined).
C:\WINNT\system32\higehsg.dll -> Adware.WorldSecurityOnline : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/services.exe -> Downloader.CWS.am : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/winvip.exe -> Downloader.Delf.cb : Cleaned with backup (quarantined).
C:\WINNT\system32\update1.exe -> Downloader.Delf.cb : Cleaned with backup (quarantined).
C:\WINNT\winvip.exe.bak -> Downloader.Delf.cb : Cleaned with backup (quarantined).
C:\WINNT\system32\update0.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINNT\system32\update8.exe -> Downloader.Small.dwc : Cleaned with backup (quarantined).
C:\WINNT\system32\vcodec.exe -> Downloader.Zlob.bon : Cleaned with backup (quarantined).
C:\Program Files\Hijackthis\backups\backup-20070319-174914-605.dll -> Downloader.Zlob.bpn : Cleaned with backup (quarantined).
C:\WINNT\system32\update6.exe -> Dropper.Small.ava : Cleaned with backup (quarantined).
C:\Program Files\Hijackthis\backups\backup-20070319-174914-907.dll -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\31623131.dll -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\316231741.dll -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\316232228.dll -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\31623278.dll -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\316233148.dll -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\316233621.dll -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\31623417.dll -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\31623418.dll -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\316234546.dll -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\316235029.dll -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\31623558.dll -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\31623821.dll -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\31641325.dll -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\31641727.dll -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\31642212.dll -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\system32\arcac.exe -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\system32\arcac.exe.bak -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\WINNT\inf\kbdb32.dll -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/koos.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/kprof -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/poof -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/partnership.dll -> Proxy.Xorpix.bc : Cleaned with backup (quarantined).
C:\WINNT\system32\Hrmy19.sys -> Rootkit.Agent.bt : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/runtime.sys -> Rootkit.Agent.dw : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/main.sys -> Rootkit.EmFive : Cleaned with backup (quarantined).
C:\WINNT\system32\update9.exe -> Trojan.Agent.bou : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\mm.exe.bak -> Trojan.Conycspa.l : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\i386\mswsock.dll -> Trojan.Conycspa.n : Cleaned with backup (quarantined).
C:\WINNT\system32\dllcache\mswsock.dll -> Trojan.Conycspa.n : Cleaned with backup (quarantined).
C:\WINNT\system32\mswsock.bak0 -> Trojan.Conycspa.n : Cleaned with backup (quarantined).
C:\WINNT\system32\mswsock.dll -> Trojan.Conycspa.n : Cleaned with backup (quarantined).
C:\WINNT\system32\geplxss.dll -> Trojan.Dialer.cs : Cleaned with backup (quarantined).
[592] C:\WINNT\system32\geplxss.dll -> Trojan.Dialer.cs : Cleaned with backup (quarantined).


::Report end
  • 0
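The AVG Anti-Spyware report above mixes very different kinds of findings: copies sitting inside the SDFix and HijackThis backup folders (already inert), entries in the Windows reference stores (system32\dllcache and ServicePackFiles, which is why restoring "clean" copies from there was not safe), a DLL still loaded in a running process (the [592] line), and ordinary files and registry keys. The script below is an added example for this page, not code from the thread or from AVG; it parses lines in the report's own "item -> family : action" shape and sorts them into those categories. The sample lines are copied from the report above, and the category heuristics are this example's own.

```python
"""Added example (not from the original thread): triage an AVG Anti-Spyware
scan report.  The sample lines are copied from the report posted in the thread;
the location categories are this example's own heuristics."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Subset of the posted report, embedded so the script runs offline.
SAMPLE_REPORT = r"""
C:\Program Files\Video ActiveX Object\isamini.exe -> Adware.Generic : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Internet Security -> Adware.IntCodec : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/services.exe -> Downloader.CWS.am : Cleaned with backup (quarantined).
C:\Program Files\Hijackthis\backups\backup-20070319-174914-605.dll -> Downloader.Zlob.bpn : Cleaned with backup (quarantined).
C:\WINNT\ServicePackFiles\i386\mswsock.dll -> Trojan.Conycspa.n : Cleaned with backup (quarantined).
C:\WINNT\system32\dllcache\mswsock.dll -> Trojan.Conycspa.n : Cleaned with backup (quarantined).
C:\WINNT\system32\mswsock.dll -> Trojan.Conycspa.n : Cleaned with backup (quarantined).
C:\WINNT\system32\Hrmy19.sys -> Rootkit.Agent.bt : Cleaned with backup (quarantined).
C:\WINNT\system32\geplxss.dll -> Trojan.Dialer.cs : Cleaned with backup (quarantined).
[592] C:\WINNT\system32\geplxss.dll -> Trojan.Dialer.cs : Cleaned with backup (quarantined).
"""

# "[pid] item -> family : action."  The pid prefix is optional.
LINE_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\]\s+)?(?P<item>.+?)\s+->\s+(?P<family>\S+)\s+:\s+(?P<action>.+?)\.?\s*$"
)


def classify(item: str, pid: Optional[int]) -> str:
    """Assign a rough triage category from where the item was found."""
    low = item.lower()
    if pid is not None:
        return "loaded-in-process"          # the module was mapped into a live process
    if low.startswith(("hklm\\", "hku\\", "hkcu\\", "hkey_")):
        return "registry"
    if "\\sdfix\\backups\\" in low or "\\hijackthis\\backups\\" in low:
        return "tool-backup"                # inert copies kept by earlier cleanup tools
    if "\\system32\\dllcache\\" in low or "\\servicepackfiles\\" in low:
        return "reference-store"            # Windows' own "known good" copies, now tainted
    return "file"


def parse_report(text: str) -> List[Dict[str, object]]:
    """Turn report lines into dicts; lines that do not fit the shape are skipped."""
    findings: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pid = int(m.group("pid")) if m.group("pid") else None
        item = m.group("item")
        findings.append({
            "item": item,
            "family": m.group("family"),
            "action": m.group("action"),
            "pid": pid,
            "category": classify(item, pid),
        })
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, object]:
    """Counts per category and family, plus the families that reached the reference stores."""
    by_category = Counter(str(f["category"]) for f in findings)
    by_family = Counter(str(f["family"]) for f in findings)
    tainted = sorted({str(f["family"]) for f in findings if f["category"] == "reference-store"})
    active = [f for f in findings if f["category"] in ("file", "loaded-in-process", "registry")]
    return {
        "by_category": dict(by_category),
        "by_family": dict(by_family),
        "tainted_reference_families": tainted,
        "active_count": len(active),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Running it over the full report instead of the subset gives the same picture: the interesting rows are the ones in the "reference-store" and "loaded-in-process" buckets, while the tool-backup rows only tell you what earlier tools already removed.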

#59
maze7817

maze7817

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 139 posts
HAXFIX logfile - by Marckie

version 4.39
Fri 03/23/2007 11:38:52.53

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
CmBatt

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---


checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
p81eskse

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected


Finished!
  • 0

#60
maze7817

maze7817

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 139 posts
SmitFraudFix v2.142

Scan done at 11:41:32.44, Fri 03/23/2007
Run from C:\Documents and Settings\Allen\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Allen


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Allen\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Allen\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\SpyDawn\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="Network Neighborhood"

[HKEY_CLASSES_ROOT\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINNT\Media\kbui32.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINNT\Media\kbui32.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2016a466-91a2-43c6-97d8-2fd380f065ef}"="eitheror"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{aed6f6a3-183c-488d-9f90-23db99f56e7f}"="apathies"

[HKEY_CLASSES_ROOT\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}\InProcServer32]
@="C:\WINNT\system32\geplxss.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}\InProcServer32]
@="C:\WINNT\system32\geplxss.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0
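The SharedTaskScheduler section of the SmitfraudFix report above lists each registered CLSID in one key and its InProcServer32 DLL in separate keys, so the reader has to join them by hand to see that "apathies" resolves to C:\WINNT\system32\geplxss.dll (the same DLL the AVG report flagged) and that "eitheror" has no handler listed at all. The script below is an added example for this page, not code from the thread or from SmitfraudFix; it parses that regedit-style text, joins CLSID to handler, and applies three flags of its own (no handler listed, handler outside system32, handler file name matching an AV detection you pass in). The sample section is copied from the report above.

```python
"""Added example (not part of the original thread): join the SharedTaskScheduler
section of a SmitfraudFix report so each CLSID is shown next to the DLL that
InProcServer32 resolves it to.  The sample is copied from the report in the
thread; the flag names are this example's own."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

SAMPLE_SECTION = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="Network Neighborhood"

[HKEY_CLASSES_ROOT\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINNT\Media\kbui32.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\WINNT\Media\kbui32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2016a466-91a2-43c6-97d8-2fd380f065ef}"="eitheror"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{aed6f6a3-183c-488d-9f90-23db99f56e7f}"="apathies"

[HKEY_CLASSES_ROOT\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}\InProcServer32]
@="C:\WINNT\system32\geplxss.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}\InProcServer32]
@="C:\WINNT\system32\geplxss.dll"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")                 # [HKEY_...\Sub\Key]
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))="(?P<data>.*)"\s*$')
INPROC_RE = re.compile(r"\\CLSID\\(?P<clsid>\{[0-9a-f-]+\})\\InProcServer32$", re.I)


def parse_section(text: str) -> Tuple[Dict[str, str], Dict[str, Set[str]]]:
    """Collect CLSID -> label from SharedTaskScheduler and CLSID -> DLL paths from InProcServer32."""
    labels: Dict[str, str] = {}
    handlers: Dict[str, Set[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            continue
        val = VALUE_RE.match(line)
        if not val or current is None:
            continue
        if current.lower().endswith("\\sharedtaskscheduler") and val.group("name"):
            labels[val.group("name").lower()] = val.group("data")
        else:
            inproc = INPROC_RE.search(current)
            if inproc and val.group("default"):
                # HKCR and HKLM\Software\Classes usually mirror each other; keep the set.
                handlers.setdefault(inproc.group("clsid").lower(), set()).add(val.group("data"))
    return labels, handlers


def triage(text: str, known_bad: Iterable[str] = ()) -> Dict[str, Dict[str, object]]:
    """Join labels to handlers and attach triage flags; known_bad is a list of DLL file names."""
    labels, handlers = parse_section(text)
    bad = {name.lower() for name in known_bad}
    report: Dict[str, Dict[str, object]] = {}
    for clsid, label in labels.items():
        paths = sorted(handlers.get(clsid, ()))
        handler = paths[0] if paths else None
        flags: List[str] = []
        if handler is None:
            flags.append("no-handler-listed")
        else:
            low = handler.lower()
            if "\\system32\\" not in low:
                flags.append("handler-outside-system32")
            if low.rsplit("\\", 1)[-1] in bad:
                flags.append("matches-av-detection")
        if len(paths) > 1:
            flags.append("conflicting-handlers")
        report[clsid] = {"label": label, "handler": handler, "flags": flags}
    return report


if __name__ == "__main__":
    # geplxss.dll is the file name the AVG report on this page detected as Trojan.Dialer.cs.
    for clsid, entry in triage(SAMPLE_SECTION, known_bad=["geplxss.dll"]).items():
        print(clsid, entry)
```

The flags are a triage aid, not a verdict: a handler inside system32 with an innocuous name (as geplxss.dll here) only stands out once you cross-reference it with the AV report, which is why triage() takes the detected file names as input rather than trying to guess from the path alone.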