Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Backdoor.Agent.adt nothing gets rid of it


  • This topic is locked This topic is locked

#1
healey

healey

    New Member

  • Member
  • Pip
  • 9 posts
Logfile of HijackThis v1.99.1
Scan saved at 11:44:36 AM, on 2/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\mswnt.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Jabber\My Documents\DOWNLOADS\hijackthis\Activate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Jabber
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {044B50AA-3792-4582-BDC5-00B2349E83DA} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55E6172B-A8D3-4BE2-B313-E6AA19B2A819} - (no file)
O2 - BHO: (no name) - {5C5ACBDA-2200-4707-B435-EED35A1B2467} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7F5A2699-38CD-4B98-B193-5916D6566B01} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O20 - Winlogon Notify: opnno - C:\WINDOWS\
O20 - Winlogon Notify: qomjh - C:\WINDOWS\system32\qomjh.dll (file missing)
O20 - Winlogon Notify: ssqnnll - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Print Spooler Service (uuiy84eiye0iuo) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe (file missing)
O23 - Service: Windows Zero Connection (WinZConn) - Unknown owner - C:\WINDOWS\system32\mswnt.exe

Activescan.txt 2/17/2007
Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jabber\Local Settings\Temporary Internet Files\Content.IE5\EFRXL6FD\smitRem[1].exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jabber\My Documents\DOWNLOADS\NEW DOWNLOADS\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jabber\My Documents\DOWNLOADS\NEW DOWNLOADS\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\VundoFix Backups\fmogueth.exe.bad
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\VundoFix Backups\gmlssrhl.exe.bad
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\VundoFix Backups\sehaaihe.exe.bad

smitRem © log file (smitfiles.txt 2/15/07)
version 3.2

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="7.0000"
The current date is: Thu 02/15/2007
The current time is: 22:23:47.91

Running from
C:\Documents and Settings\Jabber\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appinitdll check ........ Thank you Grinler!

dumphive.exe ©2000-2004 Markus Stephany
REGEDIT4

[Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"SecureDesktop"=dword:00000000

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

XP Firewall allowed access

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Documents and Settings\\Jabber\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Jabber\\Desktop\\utorrent.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Documents and Settings\\Jabber\\My Documents\\DOWNLOADS\\NEW DOWNLOADS\\webui_v0.300_beta_1\\utorrent-1.6.1-beta-build-481.exe"="C:\\Documents and Settings\\Jabber\\My Documents\\DOWNLOADS\\NEW DOWNLOADS\\webui_v0.300_beta_1\\utorrent-1.6.1-beta-build-481.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\Outlook Express\\msimn.exe"="C:\\Program Files\\Outlook Express\\msimn.exe:LocalSubNet:Disabled:Outlook Express"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\Wal-Mart\\Wal-Mart Digital Photo Manager\\PhotoApp.exe"="C:\\Program Files\\Wal-Mart\\Wal-Mart Digital Photo Manager\\PhotoApp.exe:*:Enabled:Wal-Mart Digital Photo Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\Mathematica.exe"="C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\Mathematica.exe:*:Enabled:Mathematica 5.2 for Students"
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\MathKernel.exe"="C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\MathKernel.exe:*:Enabled:Mathematica 5.2 for Students Kernel"
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\math.exe"="C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\math.exe:*:Enabled:math.exe"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present
BraveSentry uninstaller NOT present
AntiVermins uninstaller NOT present
VirusBursters uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

amcompat.tlb
nscompat.tlb
logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1520 'explorer.exe'
Killing PID 1520 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~



~~~ Wininet.dll ~~~

CLEAN! :whistling:




VundoFix V6.3.6 (VundoFix.txt 2/15/07)

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.8

Java version is 1.5.0.9

Scan started at 10:45:35 PM 2/15/2007

Listing files found while scanning....

C:\WINDOWS\system32\crdffjqj.dll
C:\WINDOWS\system32\fmogueth.exe
C:\WINDOWS\system32\gmlssrhl.exe
C:\WINDOWS\system32\isnjmagx.dll
C:\WINDOWS\system32\jqjffdrc.ini
C:\WINDOWS\system32\onnpo.bak1
C:\WINDOWS\system32\onnpo.bak2
C:\WINDOWS\system32\onnpo.ini
C:\WINDOWS\system32\opnno.dll
C:\WINDOWS\system32\qhyudanr.dll
C:\WINDOWS\system32\qomjh.dll
C:\WINDOWS\system32\qwedvlkt.dll
C:\WINDOWS\system32\rnaduyhq.ini
C:\WINDOWS\system32\rvidyohl.dll
C:\WINDOWS\system32\sehaaihe.exe
C:\WINDOWS\system32\ssqnnll.dll
C:\WINDOWS\system32\tklvdewq.ini
C:\WINDOWS\system32\xgamjnsi.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\crdffjqj.dll
C:\WINDOWS\system32\crdffjqj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fmogueth.exe
C:\WINDOWS\system32\fmogueth.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\gmlssrhl.exe
C:\WINDOWS\system32\gmlssrhl.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\isnjmagx.dll
C:\WINDOWS\system32\isnjmagx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jqjffdrc.ini
C:\WINDOWS\system32\jqjffdrc.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\onnpo.bak1
C:\WINDOWS\system32\onnpo.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\onnpo.bak2
C:\WINDOWS\system32\onnpo.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\onnpo.ini
C:\WINDOWS\system32\onnpo.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnno.dll
C:\WINDOWS\system32\opnno.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\qhyudanr.dll
C:\WINDOWS\system32\qhyudanr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qwedvlkt.dll
C:\WINDOWS\system32\qwedvlkt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rnaduyhq.ini
C:\WINDOWS\system32\rnaduyhq.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\sehaaihe.exe
C:\WINDOWS\system32\sehaaihe.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqnnll.dll
C:\WINDOWS\system32\ssqnnll.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\tklvdewq.ini
C:\WINDOWS\system32\tklvdewq.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xgamjnsi.ini
C:\WINDOWS\system32\xgamjnsi.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\opnno.dll
C:\WINDOWS\system32\opnno.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqnnll.dll
C:\WINDOWS\system32\ssqnnll.dll Has been deleted!

Performing Repairs to the registry.
Done!

I quarantine Backdoor.Agent.adj "WARNING" by AVG Spyware, then Teatimer requests resident deletion of
swg (Program Files\Google\Google toolbar Notifier)
screensave.exe (C:\Windows\System32\Mal-PC.scr)
NWEReboot
value added or deleted letters & numbers (Windows\System32\rsbmsc.exe)
  • 0

Advertisements


#2
healey

healey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Almost forgot! I installed Kerio Personal Firewall yesterday to replace XP firewall
  • 0

#3
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
First of all, open Spybot S&D, click Mode>Advanced>Tools>Resident and remove the check from the Tea Timer box. It interferes more than it helps. Reboot when done.

Check both AVG AntiSpyware and SuperAntiSpyware for updates and run them again.

Reboot again when done and post a new HijackThis log.
  • 0

#4
healey

healey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
After updating both spybot and superantispyware, and running both, spybot cleans Troj.PrintSpool for the umteenth time, superantispy finds Unknown threats, and cleans them. A reboot still has AVG antispyware finding Backdoor.agent.adt. After quarantining this file I ran HJT scan and the uninstall list that follows.

Logfile of HijackThis v1.99.1
Scan saved at 6:53:48 PM, on 2/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\mswnt.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Documents and Settings\Jabber\My Documents\DOWNLOADS\hijackthis\Activate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Jabber
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {044B50AA-3792-4582-BDC5-00B2349E83DA} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55E6172B-A8D3-4BE2-B313-E6AA19B2A819} - (no file)
O2 - BHO: (no name) - {5C5ACBDA-2200-4707-B435-EED35A1B2467} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7F5A2699-38CD-4B98-B193-5916D6566B01} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: opnno - C:\WINDOWS\
O20 - Winlogon Notify: qomjh - C:\WINDOWS\system32\qomjh.dll (file missing)
O20 - Winlogon Notify: ssqnnll - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Print Spooler Service (uuiy84eiye0iuo) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe (file missing)
O23 - Service: Windows Zero Connection (WinZConn) - Unknown owner - C:\WINDOWS\system32\mswnt.exe


Uninstall list
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe PhotoDeluxe 2.0
Adobe Reader 7.0.9
Adobe Shockwave Player
ArcSoft Software Suite
a-squared Free 2.0
AutoShrinkIso3.1.1
AVG Anti-Spyware 7.5
AVG Free Edition
AviSynth 2.5
Brother MFL-Pro Suite
Canopus ProCoder 2
CCleaner (remove only)
CDRWIN
Cinema Craft Encoder SP Version 2.50
Comcast High-Speed Internet Install Wizard
Corel Paint Shop Pro X
Creative DVD Audio Plugin for Audigy Series
Creative Mass Storage Drivers
Creative MediaSource
Creative System Information
Creative Zen Nano Plus
dBpowerAMP FLAC Codec
dBpowerAMP GoGo Codec
dBpowerAMP Mp3 Blade Codec
dBpowerAMP mp3PRO Input Codec
dBpowerAMP Music Converter
dBpowerAMP Tag From Filename
dBpowerAMP Update ID Tag
dBpowerAMP WMA V9.1 Codec
DivX Player
DivxToDVD 0.5.2
dMC mp3PRO (CLI) Encoder
dMC Power Pack
DVD Decrypter (Remove Only)
DVD Rebuilder
DVD Shrink 3.2
DVD2SVCD 1.0.5 build 4
dvdSanta 4.00
exPressit S.E. 2.2
FLV Player 1.3.3
ForceVision 3.35.1
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Hewlett-Packard Multimedia Keyboard/Mouse Solution
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Huffyuv AVI lossless video codec (Remove Only)
InterActual Player
InterVideo WinDVD 7
IObit SmartDefrag Beta 2.1
iolo technologies' System Mechanic 4
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
LifeGlobe Goldfish Aquarium
LifeGlobe Sharks, Terrors of the Deep
LimeWire PRO 4.9.2
Mathematica 5.2 for Students
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
MightyFax
Mozilla Firefox (2.0.0.1)
Mp3+G Toolz 2
MRU-Blaster v1.5 (Database 3/28/2004)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
MyDSC_CIF
Nero 7 Premium
Panda ActiveScan
PaperPort
PeerGuardian 2.0
Picasa 2
Power CDG To MPG Converter
PowerDVD
PowerISO
PrintMaster Gold 4.00
PS2
QuickTime
Remove DivX Pro Codec
ScanCraft CS-P
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
SereneScreen Marine Aquarium 2
SereneScreen Marine Aquarium Time 2
Simple MP3 Tag Editor version 1.3
SmartFTP Client 2.0
SmartFTP Client 2.0 Setup Files (remove only)
Snappy Fax 2000 Version 3
Sound Blaster Live!
Spybot - Search & Destroy 1.4
Studio DV
Sunbelt Kerio Personal Firewall
SUPER © Version 2007.bld.21 (Jan 4, 2007)
SUPERAntiSpyware Free Edition
The Rosetta Stone
TMPGEnc Plus 2.5
Trillian
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2006
U3Launcher
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
VCDEasy
VideoLAN VLC media player 0.8.4a
Wal-Mart Digital Photo Manager
WexTech AnswerWorks
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Support Tools
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinXP Manager
Wolfram Notebook Indexer 1.1
Yahoo! Toolbar for Internet Explorer
YouTUBE ™ movie downloader
  • 0

#5
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O2 - BHO: (no name) - {044B50AA-3792-4582-BDC5-00B2349E83DA} - (no file)
O2 - BHO: (no name) - {55E6172B-A8D3-4BE2-B313-E6AA19B2A819} - (no file)
O2 - BHO: (no name) - {5C5ACBDA-2200-4707-B435-EED35A1B2467} - (no file)
O2 - BHO: (no name) - {7F5A2699-38CD-4B98-B193-5916D6566B01} - (no file)
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} -
O20 - Winlogon Notify: opnno - C:\WINDOWS\
O20 - Winlogon Notify: qomjh - C:\WINDOWS\system32\qomjh.dll (file missing)
O20 - Winlogon Notify: ssqnnll - C:\WINDOWS\


Exit HijackThis when done.

Go to Jotti's malware scan

Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

C:\WINDOWS\system32\mswnt.exe

Click on the submit button. Please post the results in your next reply.
  • 0

#6
healey

healey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Service load: 0% 100%

File: mswnt.exe
Status: INFECTED/MALWARE
MD5 d114c5b01f15546740d8a91b2d0c8403
Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT

Scanner results
Scan taken on 19 Feb 2007 14:25:13 (GMT)
AntiVir Found HEUR/Malware
ArcaVir Found nothing
Avast Found Win32:SdBot-gen44
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Win32.HLLW.MyBot.based
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Backdoor.Win32.SdBot.aad
Fortinet Found W32/Tilebot.AAD!tr.bdr
Kaspersky Anti-Virus Found Backdoor.Win32.SdBot.aad
NOD32 Found a variant of IRC/SdBot
Norman Virus Control Found W32/SDBot.AOTX
VirusBuster Found nothing
VBA32 Found Backdoor.xBot.1 (paranoid heuristics) (probable variant)
  • 0

#7
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
That's identified it - let's see if we can remove it with this tool. Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

  • 0

#8
healey

healey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
A couple of things I should mention, although I'm not sure if they have any bearing on this problem. For a while now, my system has needed a second hard shutdown b4 it will boot up successfully. It just hangs on the opening HP screen, but boots ok after shutting down by holding the power button in. I've also had trouble getting into safe mode, but seemed ok after using Superantivirus Bootsafe. I used this when first running the fix, and my machine rebooted into safemode again. After using bootsafe to reboot normally, the fix finished it's job, but the Backdoor.Agent.adt showed up again when AVG antivirus loaded. Also it has always needed to be quarantined twice, b4 stopping. After trying the whole process a second time, I found there was no way to circumvent this. The third time I was able to go into safe mode with the F8 key, and everything worked ok, except the BDAgent is still there. Only on the first report does anything show as being cleaned out. I'll paste all 3 reports and my latest HJT log.

Report_old_2 5:26pm

SDFix: Version 1.66

Run by Jabber - Mon 02/19/2007 @ 17:11:44.10

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
uuiy84eiye0iuo

Path:
C:\WINDOWS\system32\rsbmsc.exe /service

uuiy84eiye0iuo Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Documents and Settings\\Jabber\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Jabber\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Documents and Settings\\Jabber\\My Documents\\DOWNLOADS\\NEW DOWNLOADS\\webui_v0.300_beta_1\\utorrent-1.6.1-beta-build-481.exe"="C:\\Documents and Settings\\Jabber\\My Documents\\DOWNLOADS\\NEW DOWNLOADS\\webui_v0.300_beta_1\\utorrent-1.6.1-beta-build-481.exe:*:Enabled:µTorrent"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\Outlook Express\\msimn.exe"="C:\\Program Files\\Outlook Express\\msimn.exe:LocalSubNet:Disabled:Outlook Express"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\Wal-Mart\\Wal-Mart Digital Photo Manager\\PhotoApp.exe"="C:\\Program Files\\Wal-Mart\\Wal-Mart Digital Photo Manager\\PhotoApp.exe:*:Enabled:Wal-Mart Digital Photo Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\Mathematica.exe"="C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\Mathematica.exe:*:Enabled:Mathematica 5.2 for Students"
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\MathKernel.exe"="C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\MathKernel.exe:*:Enabled:Mathematica 5.2 for Students Kernel"
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\math.exe"="C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\math.exe:*:Enabled:math.exe"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"="C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe:*:Enabled:Sunbelt Kerio Firewall GUI"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------



Checking For Files with Hidden Attributes :

C:\Program Files\eRightSoft\SUPER\cygwin1.dll
C:\Program Files\eRightSoft\SUPER\cygz.dll
C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll
C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll
C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll
C:\WINDOWS\system32\AVSredirect.dll
C:\WINDOWS\system32\cygwin1.dll
C:\WINDOWS\system32\cygz.dll
C:\WINDOWS\system32\flvDX.dll
C:\WINDOWS\system32\i420vfw.dll
C:\WINDOWS\system32\yv12vfw.dll
C:\Documents and Settings\Jabber\Application Data\U3\temp\Launchpad Removal.exe
C:\Program Files\eRightSoft\SUPER\Setup.exe
C:\Program Files\Picasa2\setup.exe
C:\WINDOWS\meta4.exe
C:\WINDOWS\MOTA113.exe
C:\WINDOWS\system32\mswnt.exe
C:\WINDOWS\system32\x.264.exe
C:\WINDOWS\system32\80EDD814D3.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp

Add/Remove Programs List:

MyDSC_CIF
a-squared Free 2.0
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe PhotoDeluxe 2.0
Adobe Shockwave Player
AutoShrinkIso3.1.1
AVG Free Edition
AVG Anti-Spyware 7.5
AviSynth 2.5
CCleaner (remove only)
CDRWIN
Cinema Craft Encoder SP Version 2.50
Comcast High-Speed Internet Install Wizard
Creative DVD Audio Plugin for Audigy Series
dBpowerAMP FLAC Codec
dBpowerAMP GoGo Codec
dBpowerAMP Mp3 Blade Codec
dBpowerAMP mp3PRO Input Codec
dBpowerAMP Music Converter
dBpowerAMP Tag From Filename
dBpowerAMP Update ID Tag
dBpowerAMP WMA V9.1 Codec
Remove DivX Pro Codec
DivX Player
dMC mp3PRO (CLI) Encoder
dMC Power Pack
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD2SVCD 1.0.5 build 4
dvdSanta 4.00
exPressit S.E. 2.2
FLV Player 1.3.3
ForceVision 3.35.1
HijackThis 1.99.1
Huffyuv AVI lossless video codec (Remove Only)
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
QuickTime
TMPGEnc Plus 2.5
Mathematica 5.2 for Students
Hewlett-Packard Multimedia Keyboard/Mouse Solution
InterActual Player
IObit SmartDefrag Beta 2.1
iolo technologies' System Mechanic 4
LifeGlobe Goldfish Aquarium
LifeGlobe Sharks, Terrors of the Deep
LimeWire PRO 4.9.2
Microsoft .NET Framework 2.0
MightyFax
Mozilla Firefox (2.0.0.1)
Mp3+G Toolz 2
MRU-Blaster v1.5 (Database 3/28/2004)
Microsoft Compression Client Pack 1.0 for Windows XP
MSN Music Assistant
Creative Mass Storage Drivers
Microsoft National Language Support Downlevel APIs
Panda ActiveScan
PeerGuardian 2.0
Picasa 2
PowerISO
PrintMaster Gold 4.00
PS2
ScanCraft CS-P
SereneScreen Marine Aquarium 2
SereneScreen Marine Aquarium Time 2
Simple MP3 Tag Editor version 1.3
SmartFTP Client 2.0 Setup Files (remove only)
Snappy Fax 2000 Version 3
Spybot - Search & Destroy 1.4
Studio DV
SUPER c Version 2007.bld.21 (Jan 4, 2007)
Creative System Information
The Rosetta Stone
Trillian
TurboTax Deluxe Deduction Maximizer 2006
VCDEasy
VideoLAN VLC media player 0.8.4a
DivxToDVD 0.5.2
Winamp (remove only)
WinRAR archiver
Microsoft User-Mode Driver Framework Feature Pack 1.0
Yahoo! Toolbar for Internet Explorer
Microsoft Office 2000 Premium
Corel Paint Shop Pro X
Google Toolbar for Internet Explorer
Creative MediaSource
YouTUBE ™ movie downloader
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Brother MFL-Pro Suite
Wal-Mart Digital Photo Manager
Nero 7 Premium
ArcSoft Software Suite
PowerDVD
Canopus ProCoder 2
Microsoft .NET Framework 2.0
MSXML 4.0 SP2 Parser and SDK
Power CDG To MPG Converter
Windows Support Tools
Microsoft Office Professional Edition 2003
InterVideo WinDVD 7
Sound Blaster Live!
PaperPort
Adobe Reader 7.0.9
TurboTax ItsDeductible 2006
DVD Rebuilder
Creative Zen Nano Plus
SmartFTP Client 2.0
QuickTime
TMPGEnc Plus 2.5
SUPERAntiSpyware Free Edition
U3Launcher
Google Toolbar for Internet Explorer
Wolfram Notebook Indexer 1.1
Sunbelt Kerio Personal Firewall
WexTech AnswerWorks
WinXP Manager
Mathematica 5.2 for Students
Hewlett-Packard Multimedia Keyboard/Mouse Solution

Finished

Report_old_1 5:47pm

SDFix: Version 1.66

Run by Jabber - Mon 02/19/2007 @ 17:35:55.54

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:

Path:


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Documents and Settings\\Jabber\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Jabber\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Documents and Settings\\Jabber\\My Documents\\DOWNLOADS\\NEW DOWNLOADS\\webui_v0.300_beta_1\\utorrent-1.6.1-beta-build-481.exe"="C:\\Documents and Settings\\Jabber\\My Documents\\DOWNLOADS\\NEW DOWNLOADS\\webui_v0.300_beta_1\\utorrent-1.6.1-beta-build-481.exe:*:Enabled:µTorrent"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\Outlook Express\\msimn.exe"="C:\\Program Files\\Outlook Express\\msimn.exe:LocalSubNet:Disabled:Outlook Express"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\Wal-Mart\\Wal-Mart Digital Photo Manager\\PhotoApp.exe"="C:\\Program Files\\Wal-Mart\\Wal-Mart Digital Photo Manager\\PhotoApp.exe:*:Enabled:Wal-Mart Digital Photo Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\Mathematica.exe"="C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\Mathematica.exe:*:Enabled:Mathematica 5.2 for Students"
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\MathKernel.exe"="C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\MathKernel.exe:*:Enabled:Mathematica 5.2 for Students Kernel"
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\math.exe"="C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\math.exe:*:Enabled:math.exe"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"="C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe:*:Enabled:Sunbelt Kerio Firewall GUI"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------



Checking For Files with Hidden Attributes :

C:\Program Files\eRightSoft\SUPER\cygwin1.dll
C:\Program Files\eRightSoft\SUPER\cygz.dll
C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll
C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll
C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll
C:\WINDOWS\system32\AVSredirect.dll
C:\WINDOWS\system32\cygwin1.dll
C:\WINDOWS\system32\cygz.dll
C:\WINDOWS\system32\flvDX.dll
C:\WINDOWS\system32\i420vfw.dll
C:\WINDOWS\system32\yv12vfw.dll
C:\Documents and Settings\Jabber\Application Data\U3\temp\Launchpad Removal.exe
C:\Program Files\eRightSoft\SUPER\Setup.exe
C:\Program Files\Picasa2\setup.exe
C:\WINDOWS\meta4.exe
C:\WINDOWS\MOTA113.exe
C:\WINDOWS\system32\mswnt.exe
C:\WINDOWS\system32\x.264.exe
C:\WINDOWS\system32\80EDD814D3.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp

Add/Remove Programs List:

MyDSC_CIF
a-squared Free 2.0
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe PhotoDeluxe 2.0
Adobe Shockwave Player
AutoShrinkIso3.1.1
AVG Free Edition
AVG Anti-Spyware 7.5
AviSynth 2.5
CCleaner (remove only)
CDRWIN
Cinema Craft Encoder SP Version 2.50
Comcast High-Speed Internet Install Wizard
Creative DVD Audio Plugin for Audigy Series
dBpowerAMP FLAC Codec
dBpowerAMP GoGo Codec
dBpowerAMP Mp3 Blade Codec
dBpowerAMP mp3PRO Input Codec
dBpowerAMP Music Converter
dBpowerAMP Tag From Filename
dBpowerAMP Update ID Tag
dBpowerAMP WMA V9.1 Codec
Remove DivX Pro Codec
DivX Player
dMC mp3PRO (CLI) Encoder
dMC Power Pack
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD2SVCD 1.0.5 build 4
dvdSanta 4.00
exPressit S.E. 2.2
FLV Player 1.3.3
ForceVision 3.35.1
HijackThis 1.99.1
Huffyuv AVI lossless video codec (Remove Only)
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
QuickTime
TMPGEnc Plus 2.5
Mathematica 5.2 for Students
Hewlett-Packard Multimedia Keyboard/Mouse Solution
InterActual Player
IObit SmartDefrag Beta 2.1
iolo technologies' System Mechanic 4
LifeGlobe Goldfish Aquarium
LifeGlobe Sharks, Terrors of the Deep
LimeWire PRO 4.9.2
Microsoft .NET Framework 2.0
MightyFax
Mozilla Firefox (2.0.0.1)
Mp3+G Toolz 2
MRU-Blaster v1.5 (Database 3/28/2004)
Microsoft Compression Client Pack 1.0 for Windows XP
MSN Music Assistant
Creative Mass Storage Drivers
Microsoft National Language Support Downlevel APIs
Panda ActiveScan
PeerGuardian 2.0
Picasa 2
PowerISO
PrintMaster Gold 4.00
PS2
ScanCraft CS-P
SereneScreen Marine Aquarium 2
SereneScreen Marine Aquarium Time 2
Simple MP3 Tag Editor version 1.3
SmartFTP Client 2.0 Setup Files (remove only)
Snappy Fax 2000 Version 3
Spybot - Search & Destroy 1.4
Studio DV
SUPER c Version 2007.bld.21 (Jan 4, 2007)
Creative System Information
The Rosetta Stone
Trillian
TurboTax Deluxe Deduction Maximizer 2006
VCDEasy
VideoLAN VLC media player 0.8.4a
DivxToDVD 0.5.2
Winamp (remove only)
WinRAR archiver
Microsoft User-Mode Driver Framework Feature Pack 1.0
Yahoo! Toolbar for Internet Explorer
Microsoft Office 2000 Premium
Corel Paint Shop Pro X
Google Toolbar for Internet Explorer
Creative MediaSource
YouTUBE ™ movie downloader
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Brother MFL-Pro Suite
Wal-Mart Digital Photo Manager
Nero 7 Premium
ArcSoft Software Suite
PowerDVD
Canopus ProCoder 2
Microsoft .NET Framework 2.0
MSXML 4.0 SP2 Parser and SDK
Power CDG To MPG Converter
Windows Support Tools
Microsoft Office Professional Edition 2003
InterVideo WinDVD 7
Sound Blaster Live!
PaperPort
Adobe Reader 7.0.9
TurboTax ItsDeductible 2006
DVD Rebuilder
Creative Zen Nano Plus
SmartFTP Client 2.0
QuickTime
TMPGEnc Plus 2.5
SUPERAntiSpyware Free Edition
U3Launcher
Google Toolbar for Internet Explorer
Wolfram Notebook Indexer 1.1
Sunbelt Kerio Personal Firewall
WexTech AnswerWorks
WinXP Manager
Mathematica 5.2 for Students
Hewlett-Packard Multimedia Keyboard/Mouse Solution

Finished

Report.txt 6:03pm

SDFix: Version 1.66

Run by Jabber - Mon 02/19/2007 @ 17:55:34.13

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:

Path:


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Documents and Settings\\Jabber\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Jabber\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Documents and Settings\\Jabber\\My Documents\\DOWNLOADS\\NEW DOWNLOADS\\webui_v0.300_beta_1\\utorrent-1.6.1-beta-build-481.exe"="C:\\Documents and Settings\\Jabber\\My Documents\\DOWNLOADS\\NEW DOWNLOADS\\webui_v0.300_beta_1\\utorrent-1.6.1-beta-build-481.exe:*:Enabled:µTorrent"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\Outlook Express\\msimn.exe"="C:\\Program Files\\Outlook Express\\msimn.exe:LocalSubNet:Disabled:Outlook Express"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\Wal-Mart\\Wal-Mart Digital Photo Manager\\PhotoApp.exe"="C:\\Program Files\\Wal-Mart\\Wal-Mart Digital Photo Manager\\PhotoApp.exe:*:Enabled:Wal-Mart Digital Photo Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\Mathematica.exe"="C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\Mathematica.exe:*:Enabled:Mathematica 5.2 for Students"
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\MathKernel.exe"="C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\MathKernel.exe:*:Enabled:Mathematica 5.2 for Students Kernel"
"C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\math.exe"="C:\\Program Files\\Wolfram Research\\Mathematica\\5.2\\math.exe:*:Enabled:math.exe"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"="C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe:*:Enabled:Sunbelt Kerio Firewall GUI"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------



Checking For Files with Hidden Attributes :

C:\Program Files\eRightSoft\SUPER\cygwin1.dll
C:\Program Files\eRightSoft\SUPER\cygz.dll
C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll
C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll
C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll
C:\WINDOWS\system32\AVSredirect.dll
C:\WINDOWS\system32\cygwin1.dll
C:\WINDOWS\system32\cygz.dll
C:\WINDOWS\system32\flvDX.dll
C:\WINDOWS\system32\i420vfw.dll
C:\WINDOWS\system32\yv12vfw.dll
C:\Documents and Settings\Jabber\Application Data\U3\temp\Launchpad Removal.exe
C:\Program Files\eRightSoft\SUPER\Setup.exe
C:\Program Files\Picasa2\setup.exe
C:\WINDOWS\meta4.exe
C:\WINDOWS\MOTA113.exe
C:\WINDOWS\system32\mswnt.exe
C:\WINDOWS\system32\x.264.exe
C:\WINDOWS\system32\80EDD814D3.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp

Add/Remove Programs List:

MyDSC_CIF
a-squared Free 2.0
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe PhotoDeluxe 2.0
Adobe Shockwave Player
AutoShrinkIso3.1.1
AVG Free Edition
AVG Anti-Spyware 7.5
AviSynth 2.5
CCleaner (remove only)
CDRWIN
Cinema Craft Encoder SP Version 2.50
Comcast High-Speed Internet Install Wizard
Creative DVD Audio Plugin for Audigy Series
dBpowerAMP FLAC Codec
dBpowerAMP GoGo Codec
dBpowerAMP Mp3 Blade Codec
dBpowerAMP mp3PRO Input Codec
dBpowerAMP Music Converter
dBpowerAMP Tag From Filename
dBpowerAMP Update ID Tag
dBpowerAMP WMA V9.1 Codec
Remove DivX Pro Codec
DivX Player
dMC mp3PRO (CLI) Encoder
dMC Power Pack
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD2SVCD 1.0.5 build 4
dvdSanta 4.00
exPressit S.E. 2.2
FLV Player 1.3.3
ForceVision 3.35.1
HijackThis 1.99.1
Huffyuv AVI lossless video codec (Remove Only)
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
QuickTime
TMPGEnc Plus 2.5
Mathematica 5.2 for Students
Hewlett-Packard Multimedia Keyboard/Mouse Solution
InterActual Player
IObit SmartDefrag Beta 2.1
iolo technologies' System Mechanic 4
LifeGlobe Goldfish Aquarium
LifeGlobe Sharks, Terrors of the Deep
LimeWire PRO 4.9.2
Microsoft .NET Framework 2.0
MightyFax
Mozilla Firefox (2.0.0.1)
Mp3+G Toolz 2
MRU-Blaster v1.5 (Database 3/28/2004)
Microsoft Compression Client Pack 1.0 for Windows XP
MSN Music Assistant
Creative Mass Storage Drivers
Microsoft National Language Support Downlevel APIs
Panda ActiveScan
PeerGuardian 2.0
Picasa 2
PowerISO
PrintMaster Gold 4.00
PS2
ScanCraft CS-P
SereneScreen Marine Aquarium 2
SereneScreen Marine Aquarium Time 2
Simple MP3 Tag Editor version 1.3
SmartFTP Client 2.0 Setup Files (remove only)
Snappy Fax 2000 Version 3
Spybot - Search & Destroy 1.4
Studio DV
SUPER c Version 2007.bld.21 (Jan 4, 2007)
Creative System Information
The Rosetta Stone
Trillian
TurboTax Deluxe Deduction Maximizer 2006
VCDEasy
VideoLAN VLC media player 0.8.4a
DivxToDVD 0.5.2
Winamp (remove only)
WinRAR archiver
Microsoft User-Mode Driver Framework Feature Pack 1.0
Yahoo! Toolbar for Internet Explorer
Microsoft Office 2000 Premium
Corel Paint Shop Pro X
Google Toolbar for Internet Explorer
Creative MediaSource
YouTUBE ™ movie downloader
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Brother MFL-Pro Suite
Wal-Mart Digital Photo Manager
Nero 7 Premium
ArcSoft Software Suite
PowerDVD
Canopus ProCoder 2
Microsoft .NET Framework 2.0
MSXML 4.0 SP2 Parser and SDK
Power CDG To MPG Converter
Windows Support Tools
Microsoft Office Professional Edition 2003
InterVideo WinDVD 7
Sound Blaster Live!
PaperPort
Adobe Reader 7.0.9
TurboTax ItsDeductible 2006
DVD Rebuilder
Creative Zen Nano Plus
SmartFTP Client 2.0
QuickTime
TMPGEnc Plus 2.5
SUPERAntiSpyware Free Edition
U3Launcher
Google Toolbar for Internet Explorer
Wolfram Notebook Indexer 1.1
Sunbelt Kerio Personal Firewall
WexTech AnswerWorks
WinXP Manager
Mathematica 5.2 for Students
Hewlett-Packard Multimedia Keyboard/Mouse Solution

Finished


Logfile of HijackThis v1.99.1
Scan saved at 8:39:22 PM, on 2/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mswnt.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jabber\My Documents\DOWNLOADS\hijackthis\Activate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Jabber
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Windows Zero Connection (WinZConn) - Unknown owner - C:\WINDOWS\system32\mswnt.exe
  • 0

#9
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
OK, it's still there. Do this for me - go to Start->Run and type Services.msc then hit Ok. Scroll down and find the service called "Windows Zero Connection". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. Reboot when done.

Click here to download Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. In the 'Full Path of File to Delete' box, copy and paste the following, clicking the red 'Delete File' button (red circle with a white X) after pasting:

C:\WINDOWS\system32\mswnt.exe

Click 'Exit' when done.

Open HijackThis, click Config... > Misc Tools > Delete an NT Service Tab. In the dialogue box that opens enter Windows Zero Connection in the slot and click OK.

Reboot one more time, rescan with HijackThis and post a new log here.

Do this also. Please download AVG Anti-Rootkit Beta from here and save it to your desktop.

Double click the file to install it. Accept the licence and follow the prompts to install and reboot. After rebooting, you should see the icon for AVG Anti-Rootkit Beta on your desktop. Double click it to open the program. You will see a window with 4 buttons at the bottom of it. Click Search For Rootkits and the program will start a scan, you will see the progress bar moving from left to right. When the scan is complete, a small window will open alerting you to the result. If anything was found, click Save Result To File and post that in your reply.

If nothing was found, please click the Perform in-depth Search saving anything found to file as before.
  • 0

#10
healey

healey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I may be ok now, but I still want to see what spybot turns up. I had to quarantine the BDAgent about six times in a row when I came home from work today. Services.msc finds Windows Zero Connection not running (probably killed by AVG Anti-spyware), but on Automatic. I disabled it, and rebooted, and I don't think the Backdoor Agent showed up this time. I did the killbox routine, then HJT Delete NT service, but no Windows Zero Connection found in registry. OK! Nothing found with AVG Anti-rootkit, both scans.

Here's my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:19:17 PM, on 2/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Jabber\My Documents\DOWNLOADS\hijackthis\Activate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Jabber
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Print Spooler Service (uuiy84eiye0iuo) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe (file missing)
  • 0

#11
healey

healey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Clicking on donation link brings up security certificate warning for https://www.paypal.c...rrency_code=GBP


Is this address ok?

How does my log look now?
  • 0

#12
healey

healey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
spybot shows 2 registry entries for Troj.PrintSpool(controlset1 & 2) but HJT log showing file missing. Spybot fix clears it out of out of HJT log, and it doesn't show up on a rescan after rebooting, in either place.
  • 0

#13
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP

Clicking on donation link brings up security certificate warning for https://www.paypal.c...rrency_code=GBP


Is this address ok?

How does my log look now?



Yes the address is OK.

If this new entry is still gone now:

O23 - Service: Print Spooler Service (uuiy84eiye0iuo) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe (file missing)

then your log is OK - that is what SDFix found. If not, use the services.msc approach as before to disable it.

How is it running now?
  • 0

#14
healey

healey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
It's running ok. My machine is only a 1Gig P3, HP Pavilion originally running on Win ME, but all those resident hits pretty much do it in. I'd like to thank you personally for your help, and let everyone know that this is the way to go to solve your PC problems. Think real hard b4 going to the "experts?" in the stores. We all have a chance to learn something this way, too. I will be sending in a donation, and someday I may take a crack at learning this stuff through you guys. Thanks again!
  • 0

#15
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
You're welcome - glad to help :whistling:

One more step then you're all set.

Clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.


To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.

Edited by Daemon, 21 February 2007 - 03:29 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP