Possible Trojan infection [RESOLVED]


This topic is locked

#76 maze7817 (Member, Topic Starter, 139 posts)
With the online scanner, the ActiveX prompt doesn't come up.


#77 SNOWHITE (Trusted Helper, Retired Staff, 1,327 posts)

With the online scanner, the ActiveX prompt doesn't come up.

maze7817,

Did you try with Internet Explorer or some other browser? The Kaspersky online scan needs Internet Explorer; let me know whether you tried to run the scan with IE.

#78 maze7817 (Member, Topic Starter, 139 posts)
I finished scanning with Internet Explorer, but I don't see a button or link to save the results as a text file. Any suggestions?

Edited by maze7817, 27 March 2007 - 09:39 PM.


#79 SNOWHITE (Trusted Helper, Retired Staff, 1,327 posts)
Hello maze7817

This is how the Kaspersky scan looks when the scan is done: [screenshot]
You need to press the button that says Save Report As.

  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save Report As... button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Edited by SNOWHITE, 28 March 2007 - 02:17 PM.


#80 SNOWHITE (Trusted Helper, Retired Staff, 1,327 posts)
Hello maze7817

If you are still having the problems that you have reported with the Kaspersky scan, follow the instructions below:

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report into your next reply.


#81 maze7817 (Member, Topic Starter, 139 posts)
Wednesday, March 28, 2007 5:21:44 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 28/03/2007
Kaspersky Anti-Virus database records: 287146
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Scan Statistics
Total number of scanned objects 34890
Number of viruses found 4
Number of infected objects 40 / 0
Number of suspicious objects 0
Duration of the scan process 01:44:06

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Comodo\Personal Firewall\Logs\cpf.lock Object is locked skipped
C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\cert8.db Object is locked skipped
C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\history.dat Object is locked skipped
C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\key3.db Object is locked skipped
C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\parent.lock Object is locked skipped
C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Allen\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Allen\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Allen\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Allen\Desktop\SmitfraudFix(2).exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Allen\Desktop\SmitfraudFix(2).exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Allen\Desktop\SmitfraudFix(2).exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Allen\Desktop\SmitfraudFix(2).exe PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Application Data\Mozilla\Firefox\Profiles\e333p88s.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Temp\~DFADE6.tmp Object is locked skipped
C:\Documents and Settings\Allen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Allen\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Allen\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Common Files\System\comio32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\Program Files\Common Files\System\commgr32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\Program Files\Common Files\System\d3db32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\Program Files\Common Files\System\d3ui32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\Program Files\Common Files\System\dbmio32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\Program Files\Common Files\System\dbmmgr32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\Program Files\Common Files\System\kbdb32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\Program Files\Common Files\System\msio32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\Program Files\Common Files\System\msmgr32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\Program Files\Common Files\System\vcui32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\CSC000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\inf\comio32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\inf\commgr32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\inf\d3ui32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\inf\dbmio32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\inf\dbmmgr32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\inf\msio32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\inf\msmgr32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\inf\vcui32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\Media\comio32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\Media\commgr32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\Media\d3db32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\Media\d3ui32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\Media\dbmio32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\Media\dbmmgr32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\Media\kbdb32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\Media\msio32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\Media\msmgr32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\Media\vcdb32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\Media\vcui32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\msmgr32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\security\logs\scepol.log Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\Antivirus.Evt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_270.dat Object is locked skipped
C:\WINNT\system32\ws2_32.dll:fork2:$DATA Infected: Trojan.Win32.Pakes skipped
C:\WINNT\temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\Program Files\Common Files\comio32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\_OTMoveIt\MovedFiles\WINNT\msio32.dll Infected: SpamTool.Win32.Agent.u skipped
C:\_OTMoveIt\MovedFiles\WINNT\system32\videos-access1336.exe/stream Infected: Trojan.Win32.DNSChanger.io skipped
C:\_OTMoveIt\MovedFiles\WINNT\system32\videos-access1336.exe NSIS: infected - 1 skipped
Scan process completed.

#82 SNOWHITE (Trusted Helper, Retired Staff, 1,327 posts)

maze7817,

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Step 1

First, please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for these filenames:
    C:\WINNT\inf\comio32.dll
    C:\WINNT\Media\d3db32.dll
    C:\WINNT\msmgr32.dll
    C:\Program Files\Common Files\System\vcui32.dll
  • In the comments, please mention that I asked you to upload these files
  • Click on Send File
Step 2

Note: You must run this tool from an account with admin privileges!

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\Program Files\Common Files\System\comio32.dll
C:\Program Files\Common Files\System\commgr32.dll
C:\Program Files\Common Files\System\d3db32.dll
C:\Program Files\Common Files\System\d3ui32.dll
C:\Program Files\Common Files\System\dbmio32.dll
C:\Program Files\Common Files\System\dbmmgr32.dll
C:\Program Files\Common Files\System\kbdb32.dll
C:\Program Files\Common Files\System\msio32.dll
C:\Program Files\Common Files\System\msmgr32.dll
C:\Program Files\Common Files\System\vcui32.dll
C:\WINNT\inf\comio32.dll
C:\WINNT\inf\commgr32.dll
C:\WINNT\inf\d3ui32.dll
C:\WINNT\inf\dbmio32.dll
C:\WINNT\inf\dbmmgr32.dll
C:\WINNT\inf\msio32.dll
C:\WINNT\inf\msmgr32.dll
C:\WINNT\inf\vcui32.dll
C:\WINNT\Media\comio32.dll
C:\WINNT\Media\commgr32.dll
C:\WINNT\Media\d3db32.dll
C:\WINNT\Media\d3ui32.dll
C:\WINNT\Media\dbmio32.dll
C:\WINNT\Media\dbmmgr32.dll
C:\WINNT\Media\kbdb32.dll
C:\WINNT\Media\msio32.dll
C:\WINNT\Media\msmgr32.dll
C:\WINNT\Media\vcdb32.dll
C:\WINNT\Media\vcui32.dll
C:\WINNT\msmgr32.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply by using Add/Reply

Step 3

Scan for Hidden Data Streams
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Open ADS Spy.."
  • Click on "Scan"
  • Click on "Save Log..."
  • Copy and paste the list from Notepad into your next post
Step 4

Create a Startup List
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and paste the StartupList from Notepad into your next post
Post back with the Avenger report, the Hidden Data Streams list and the StartupList, then run another scan with DSS and post the contents of main.txt.

#83 maze7817 (Member, Topic Starter, 139 posts)
I've just uploaded the files and am proceeding to the next step.

#84 SNOWHITE (Trusted Helper, Retired Staff, 1,327 posts)
OK, thank you!

#85 maze7817 (Member, Topic Starter, 139 posts)
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bfgxijkj

*******************

Script file located at: \??\C:\Program Files\meajwhgl.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Program Files\Common Files\System\comio32.dll deleted successfully.
File C:\Program Files\Common Files\System\commgr32.dll deleted successfully.
File C:\Program Files\Common Files\System\d3db32.dll deleted successfully.
File C:\Program Files\Common Files\System\d3ui32.dll deleted successfully.
File C:\Program Files\Common Files\System\dbmio32.dll deleted successfully.
File C:\Program Files\Common Files\System\dbmmgr32.dll deleted successfully.
File C:\Program Files\Common Files\System\kbdb32.dll deleted successfully.
File C:\Program Files\Common Files\System\msio32.dll deleted successfully.
File C:\Program Files\Common Files\System\msmgr32.dll deleted successfully.
File C:\Program Files\Common Files\System\vcui32.dll deleted successfully.
File C:\WINNT\inf\comio32.dll deleted successfully.
File C:\WINNT\inf\commgr32.dll deleted successfully.
File C:\WINNT\inf\d3ui32.dll deleted successfully.
File C:\WINNT\inf\dbmio32.dll deleted successfully.
File C:\WINNT\inf\dbmmgr32.dll deleted successfully.
File C:\WINNT\inf\msio32.dll deleted successfully.
File C:\WINNT\inf\msmgr32.dll deleted successfully.
File C:\WINNT\inf\vcui32.dll deleted successfully.
File C:\WINNT\Media\comio32.dll deleted successfully.
File C:\WINNT\Media\commgr32.dll deleted successfully.
File C:\WINNT\Media\d3db32.dll deleted successfully.
File C:\WINNT\Media\d3ui32.dll deleted successfully.
File C:\WINNT\Media\dbmio32.dll deleted successfully.
File C:\WINNT\Media\dbmmgr32.dll deleted successfully.
File C:\WINNT\Media\kbdb32.dll deleted successfully.
File C:\WINNT\Media\msio32.dll deleted successfully.
File C:\WINNT\Media\msmgr32.dll deleted successfully.
File C:\WINNT\Media\vcdb32.dll deleted successfully.
File C:\WINNT\Media\vcui32.dll deleted successfully.
File C:\WINNT\msmgr32.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


#86 maze7817 (Member, Topic Starter, 139 posts)
When I do step 3, the scan doesn't create a log and it doesn't seem like anything was found. Is this normal or okay?

#87 SNOWHITE (Trusted Helper, Retired Staff, 1,327 posts)

When I do step 3, the scan doesn't create a log and it doesn't seem like anything was found. Is this normal or okay?


Hmm... Proceed with step 4; in the meantime I will try to find another way of scanning for and dealing with ADS.

#88 maze7817 (Member, Topic Starter, 139 posts)
StartupList report, 03/29/2007, 12:27:24 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Hijackthis\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Allen\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
COMODO Firewall Pro = "C:\Program Files\Comodo\Firewall\CPF.exe" /background
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Aim6 =

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

[>{D6D8B1C1-148C-4146-A9E4-551607CEF13B}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
McAfee.com Update Check (ALLEN-YCZ4CN9JC-Allen).job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky...can_unicode.cab

[{31564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros.../i386/wmvax.cab

[{32564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...i386/wmv8ax.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[MSN Photo Upload Tool]
InProcServer32 = C:\WINNT\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://by18fd.bay18....es/MsnPUpld.cab

[WUWebControl Class]
InProcServer32 = C:\WINNT\system32\wuweb.dll
CODEBASE = http://update.micros...b?1165361061335

[GameLauncher Control]
InProcServer32 = C:\WINNT\DOWNLO~1\GAMELA~1.OCX
CODEBASE = http://www.acclaim.c.../acclaim_v4.cab

[Java Plug-in 1.5.0_11]
InProcServer32 = C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_11]
InProcServer32 = C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_11]
InProcServer32 = C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll
Protocol #14: C:\WINNT\system32\msafd.dll
Protocol #15: C:\WINNT\system32\msafd.dll
Protocol #16: C:\WINNT\system32\msafd.dll
Protocol #17: C:\WINNT\system32\msafd.dll
Protocol #18: C:\WINNT\system32\msafd.dll
Protocol #19: C:\WINNT\system32\msafd.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\services.exe (manual start)
AOL Connectivity Service: "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" (autostart)
AOL TopSpeed Monitor: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (autostart)
AOL Spyware Protection Service: C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (autostart)
Application Management: %SystemRoot%\system32\services.exe (manual start)
avast! iAVS4 Control Service: "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" (autostart)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "C:\Program Files\Alwil Software\Avast4\ashServ.exe" (autostart)
avast! Mail Scanner: "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (manual start)
avast! Web Scanner: "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
AWINDIS5 Protocol Driver: \??\C:\WINNT\system32\AWINDIS5.SYS (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (manual start)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
Microsoft ACPI Control Method Battery Driver: System32\DRIVERS\CmBatt.sys (manual start)
Comodo Application Agent: C:\Program Files\Comodo\Firewall\cmdagent.exe (autostart)
Comodo Application Engine: System32\DRIVERS\cmdmon.sys (system)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
HID Input Service: %SystemRoot%\system32\hidserv.exe (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (autostart)
Panasonic Hotkey Driver: System32\HOTKEY.SYS (autostart)
Hrmy19: \??\C:\WINNT\system32\Hrmy19.sys (autostart)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (manual start)
Comodo Network Engine: System32\DRIVERS\inspect.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
Lucent Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Messenger: %SystemRoot%\System32\services.exe (manual start)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
BDA MPE Filter: System32\DRIVERS\MPE.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
NETGEAR WG511T Wireless Adapter Service: System32\DRIVERS\wg511nd5.sys (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Netgroup Packet Filter: system32\drivers\npf.sys (manual start)
npkcrypt: \??\C:\Program Files\NEXON\MapleStory\npkcrypt.sys (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Pcmcia: System32\DRIVERS\pcmcia.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
Realtek RTL8139 Family PCI Fast Ethernet NIC NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Intel 82801 Audio Driver (WDM) - SigmaTel Codec: system32\drivers\STAC97.sys (manual start)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
Synaptics TouchPad Driver: System32\DRIVERS\SynTP.sys (manual start)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
User Privilege Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Windows Time: %SystemRoot%\System32\services.exe (manual start)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
WAN Miniport (ATW) Service: "C:\WINNT\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)
Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 30,982 bytes
Report generated in 1.562 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  • 0

#89
maze7817

    Member

  • Topic Starter
  • Member
  • 139 posts
Deckard's System Scanner v20070318.32
Run by Allen on 2007-03-29 at 12:29:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Allen.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:29:24 PM, on 03/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\Allen\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Allen.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1165361061335
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe


-- Files created between 2007-02-28 and 2007-03-29 -----------------------------

2007-03-29 11:10:13 0 d-------- C:\avenger
2007-03-29 11:08:19 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_274.dat<PEB4EE~1.DAT>
2007-03-27 18:17:02 0 d-------- C:\WINNT\system32\Kaspersky Lab<KASPER~1>
2007-03-24 14:22:01 554932 ---h----- C:\WINNT\ShellIconCache<SHELLI~1>
2007-03-24 13:18:42 0 d-------- C:\Documents and Settings\Allen\DoctorWeb<DOCTOR~1>
2007-03-24 13:09:05 79360 --a------ C:\WINNT\system32\swxcacls.exe
2007-03-24 13:09:05 135168 --a------ C:\WINNT\system32\swreg.exe
2007-03-24 13:09:05 288417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-03-24 13:09:05 51200 --a------ C:\WINNT\system32\dumphive.exe
2007-03-24 12:57:00 40960 --a------ C:\WINNT\system32\swsc.exe
2007-03-22 20:30:10 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_104.dat<PEB8C4~1.DAT>
2007-03-19 17:32:58 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_28c.dat<PE79E2~1.DAT>
2007-03-17 13:27:13 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_288.dat<PEC8EE~1.DAT>
2007-03-17 12:34:22 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_294.dat<PEBCEE~1.DAT>
2007-03-16 19:55:12 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2a4.dat<PEBC83~1.DAT>
2007-03-16 19:50:23 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2ac.dat<PE7D8F~1.DAT>
2007-03-16 19:40:31 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2a8.dat<PECC83~1.DAT>
2007-03-16 19:35:22 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2b0.dat<PEA093~1.DAT>
2007-03-16 19:16:24 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2a0.dat<PEAC83~1.DAT>
2007-03-16 19:03:46 23352 --a------ C:\WINNT\system32\drivers\aswRdr.sys
2007-03-16 19:03:44 43176 --a------ C:\WINNT\system32\drivers\aswTdi.sys
2007-03-16 19:03:42 31560 --a------ C:\WINNT\system32\drivers\aavmker4.sys
2007-03-16 19:03:38 94424 --a------ C:\WINNT\system32\drivers\aswmon2.sys
2007-03-16 19:03:38 85952 --a------ C:\WINNT\system32\drivers\aswmon.sys
2007-03-16 19:03:29 1060864 --a------ C:\WINNT\system32\MFC71.dll
2007-03-16 19:03:29 90112 --a------ C:\WINNT\system32\AVASTSS.scr
2007-03-16 19:03:29 689280 --a------ C:\WINNT\system32\aswBoot.exe
2007-03-16 19:03:21 0 d-------- C:\Program Files\Alwil Software<ALWILS~1>
2007-03-16 18:05:03 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_5fc.dat<PE81A9~1.DAT>
2007-03-16 17:59:32 51328 --a------ C:\WINNT\system32\drivers\inspect.sys
2007-03-16 17:59:32 76800 --a------ C:\WINNT\system32\drivers\cmdmon.sys
2007-03-16 16:49:26 0 d-------- C:\Documents and Settings\Allen\Application Data\Comodo
2007-03-16 16:49:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-03-16 16:38:32 0 d-------- C:\Program Files\Comodo
2007-03-14 18:55:18 2820 --a------ C:\WINNT\system32\temp
2007-03-14 16:25:05 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_1644.dat<PEEED1~1.DAT>


-- Find3M Report ---------------------------------------------------------------

2007-03-27 02:37:39 0 d-------- C:\Program Files\Java
2007-03-24 13:09:16 880 --a------ C:\WINNT\system32\tmp.reg
2007-03-19 17:31:30 69904 --a------ C:\WINNT\system32\ws2_32.dll
2007-03-16 17:00:35 0 d-a------ C:\Program Files\McAfee.com
2007-03-12 07:42:58 0 d-------- C:\Documents and Settings\Allen\Application Data\U3
2007-02-23 16:36:28 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_384.dat<PEC8E8~1.DAT>
2007-02-19 14:48:29 233472 --a------ C:\WINNT\system32\wpcap.dll
2007-02-19 14:48:29 61440 --a------ C:\WINNT\system32\WanPacket.dll<WANPAC~1.DLL>
2007-02-19 14:48:29 53299 --a------ C:\WINNT\system32\pthreadVC.dll<PTHREA~1.DLL>
2007-02-19 14:48:29 81920 --a------ C:\WINNT\system32\Packet.dll
2007-02-18 22:32:14 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_210.dat<PEACCE~1.DAT>
2007-02-18 19:43:50 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2bc.dat<PE719F~1.DAT>
2007-02-18 13:06:15 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_8c8.dat<PED49F~1.DAT>
2007-02-18 03:15:34 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_998.dat<PEDCE4~1.DAT>
2007-02-18 01:56:02 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_1ce4.dat<PERFLI~4.DAT>
2007-02-15 10:37:20 0 --a------ C:\WINNT\NULL
2007-01-28 21:40:30 1168 --a------ C:\WINNT\mozver.dat
2007-01-21 18:18:32 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_10e0.dat<PERFLI~1.DAT>
2007-01-04 21:34:52 8234 --a------ C:\clean.bat


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\
wugroup REG_MULTI_SZ wuauserv\
BITSgroup REG_MULTI_SZ BITS\



-- End of Deckard's System Scanner: finished at 2007-03-29 at 12:29:57 ---------
  • 0

#90
SNOWHITE

    Trusted Helper

  • Retired Staff
  • 1,327 posts

maze7817

Logs are looking much better now, but we still have some work to do. :whistling:

Step 1

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINNT\System32\shmgrate.exe
  • Click on the submit button
  • Please post the results in your next reply.

Step 2

Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINNT\system32\Hrmy19.sys
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File
Thank you!

Step 3
1. Double-click avenger.exe on your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
Hrmy19

Files to delete:
C:\WINNT\system32\Hrmy19.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Step 4

Next, using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\McAfee.com << This folder

Step 5

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • Under "Processes" select None;
    • Under "Win32 Services" select None;
    • Under "Driver Services" select Non-Microsoft;
    • Under "Files/Folders Created Within" uncheck Non-Microsoft Only;
    • Under "Files/Folders Modified Within" uncheck Non-Microsoft Only;
    • Under "File String Search" select None.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Post back with Jotti scan report, Avenger report and WinPFind scan report :blink:

Edited by SNOWHITE, 30 March 2007 - 07:19 AM.

  • 0
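Added example, not from this thread and not part of StartupList, HijackThis or The Avenger: a small Python triage script that parses the "Enumerating Windows NT/2000/XP services" lines of the StartupList output posted above and ranks kernel drivers by the cues that make Hrmy19.sys stand out in the helper's reply (registered by an absolute \??\ path, a .sys sitting directly in system32 rather than system32\drivers, a display name that is just the file stem, a letters-plus-digits name, autostart). The sample lines are copied from the posted log; the scoring and the threshold are my assumptions, meant to prioritise files for upload to a multi-engine scanner as Step 2 does, not to deliver a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One line of StartupList's service enumeration:  <display name>: <image path> (<start mode>)
SERVICE_LINE = re.compile(
    r"^(?P<name>.+?): (?P<path>.+) \((?P<start>system|autostart|manual start|disabled)\)$"
)

# Display names such as "Hrmy19": a short run of letters followed by digits and nothing else.
RANDOM_NAME = re.compile(r"^[A-Za-z]{3,6}\d{1,3}$")

# Constructed sample: a subset of service lines copied from the StartupList log in this thread.
SAMPLE_LOG = r"""
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
AWINDIS5 Protocol Driver: \??\C:\WINNT\system32\AWINDIS5.SYS (manual start)
Hrmy19: \??\C:\WINNT\system32\Hrmy19.sys (autostart)
npkcrypt: \??\C:\Program Files\NEXON\MapleStory\npkcrypt.sys (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
"""


@dataclass
class Finding:
    name: str
    path: str
    start: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        # Each independent cue counts one point; the cues are weak alone and only
        # meaningful in combination (legitimate AV drivers use \??\ paths too).
        return len(self.reasons)


def parse_services(text: str) -> List[Dict[str, str]]:
    """Return the (name, path, start) fields of every service line in the log text."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def assess_driver(entry: Dict[str, str]) -> Optional[Finding]:
    """Score one kernel driver entry; return None for user-mode services (.exe images)."""
    path = entry["path"]
    lower = path.lower()
    if not lower.endswith(".sys"):
        return None
    filename = path.rsplit("\\", 1)[-1]
    stem = filename.rsplit(".", 1)[0]
    f = Finding(entry["name"], path, entry["start"])
    if lower.startswith("\\??\\"):
        f.reasons.append("registered by an absolute \\??\\ path rather than a SystemRoot-relative one")
    if "\\system32\\" in lower and "\\drivers\\" not in lower:
        f.reasons.append("driver file sits directly in system32, not in system32\\drivers")
    if entry["name"].lower() == stem.lower():
        f.reasons.append("display name is just the file stem (no descriptive service name)")
    if RANDOM_NAME.match(stem):
        f.reasons.append("letters-plus-digits name with no recognisable vendor meaning")
    if entry["start"] == "autostart":
        f.reasons.append("loads at every boot (autostart)")
    return f


def rank_drivers(text: str) -> List[Finding]:
    """All kernel drivers in the log, highest score first."""
    findings = [f for f in (assess_driver(e) for e in parse_services(text)) if f is not None]
    return sorted(findings, key=lambda f: f.score, reverse=True)


def flagged_drivers(text: str, threshold: int = 4) -> List[Finding]:
    """Drivers that accumulate enough cues to be worth uploading for analysis (threshold assumed)."""
    return [f for f in rank_drivers(text) if f.score >= threshold]


if __name__ == "__main__":
    for f in rank_drivers(SAMPLE_LOG):
        print(f"{f.score}  {f.name:28} {f.path}")
        for r in f.reasons:
            print(f"      - {r}")
    print("flagged for analysis:", [f.name for f in flagged_drivers(SAMPLE_LOG)])
```

With the sample above only Hrmy19.sys crosses the threshold; the AVG and AWINDIS5 drivers collect one or two cues each, which is why a single cue such as a \??\ path is never treated as a verdict on its own.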