Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

multiple repeat infections of trojans generic9, virtumunde, winfixer,

Started by kenc , Feb 24 2008 10:50 PM

  • This topic is locked This topic is locked

#16
sage5
Posted 14 March 2008 - 03:58 PM

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi kenc,

Sometimes that scanner can be problematic to remove. The following seems to work well.

Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for the all the entries listed below:
O23 - Service: setup_7.0.0.180_14.03.2008_07-23 - Kaspersky Lab - C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\setup_7.0.0.180_14.03.2008_07-23.exe
  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


Delete the service:
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat Please save it on your desktop.

@echo off
setup_7.0.0.180_14.03.2008_07-23
exit


Double click FixServices.bat. A window will open and close. This is normal.

Reboot into Safe Mode:
  • Restart your Computer
  • As soon as it starts to boot up, tap your F8 key repeatedly.
  • This should bring up the Windows Advanced Options Menu.
  • Use your arrow keys to select Safe Mode and click the Enter key.

Delete the Kaspersky Lab Tool folder from the Desktop.

Now, can you please update both your AVG Anti-virus & Anti-spyware & run full system scan with both.
Save the logfiles for both & post them back here as your next reply.


Cheers,

sage5
  • 0

Advertisements

#17
kenc
Posted 14 March 2008 - 10:29 PM

kenc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Hi Sage,
Thanks, your scheme worked to remove the Kaspersky stuff.

As before, I am unable to post the AVG free virus checker logfile as I have no idea how to extract one from AVG Free. It did run fine and found no errors to fix. Below is the logfile from AVG Antispyware.
Thanks,
Ken

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:27:23 PM 3/14/2008

+ Scan result:



:mozilla.126:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.65:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.66:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.67:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.28:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.29:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.30:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.31:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.32:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.24:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.100:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.101:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.102:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.103:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.98:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.99:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.33:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Barbara\Cookies\barbara@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.184:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.205:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.197:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.198:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.199:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.200:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.201:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.10:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Imrworldwide : No action taken.
:mozilla.85:C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt -> TrackingCookie.Imrworldwide : No action taken.
:mozilla.86:C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt -> TrackingCookie.Imrworldwide : No action taken.
:mozilla.9:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Imrworldwide : No action taken.
:mozilla.68:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.104:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.105:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.106:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.107:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.108:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.109:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.110:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.171:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.172:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.190:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.191:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.192:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.195:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.64:C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.69:C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.70:C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.71:C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.72:C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.124:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.125:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.127:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.128:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.193:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.174:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.175:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.176:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.77:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.78:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.79:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.80:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.81:C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt -> TrackingCookie.Zedo : No action taken.


::Report end
  • 0

#18
sage5
Posted 15 March 2008 - 04:42 AM

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Those files are all cookies which we will clean out later.
Can you tell me if you are you still having any problems with that PC, it looks pretty clean to me.
Are there any performance issues, slow downs, hangs etc?
  • 0

#19
kenc
Posted 15 March 2008 - 09:19 AM

kenc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Hi Sage,
No problems, except for the fact that my computer takes ages to boot now because of zonealarm and all the other firewall/virus/malware tools that load on startup! My browser hasn't been hijacked in quite a while so I think that issue is cured.
Ken
  • 0

#20
sage5
Posted 15 March 2008 - 04:39 PM

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi kenc,

Lets see if we can speed up that bootup process.

Create a Startup List:
  • Open HiJackThis
  • Click on the Open Misc Tools Section button.
  • Make sure that the 2 boxes next to the Generate StartupList log button are ticked
  • Now click on the Generate StartupList log button.
  • NotePad will open a new window.
  • Copy and paste the text from the log into your next post.

Create an Uninstall List:
  • Open HijackThis, click Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save List.
This generates uninstall_list.txt in the same folder as HijackThis. I will need you to paste the text from this file, into a post later

Run HijackThis again:
  • Select the Run a system scan and save a logfile button. The logfile will open in Notepad.
  • Start your Web Browser and navigate back to this thread.
  • Click the Add Reply button
  • Copy and Paste the text into the Reply window.
Please include a note to tell me how your PC is running now.

Cheers,

sage5
  • 0

#21
kenc
Posted 16 March 2008 - 08:11 PM

kenc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Hi Sage,

Startup list:


StartupList report, 3/16/2008, 7:00:00 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Ken\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Digital Line Detect.lnk = ?

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

EPSON Stylus Photo RX600 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600"
YBrowser = C:\Program Files\Yahoo!\browser\ybrwicon.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
SSBkgdUpdate = "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
WrtMon.exe = C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
SunJavaUpdateSched = C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
ZoneAlarm Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
AVP = "C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\setup_7.0.0.180_14.03.2008_07-23.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager = 1
Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
EPSON Stylus Photo RX600 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /M "Stylus Photo RX600" /EF "HKCU"
updateMgr = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} = "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Canon Easy Web Print Helper - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
ZoneAlarm Spy Blocker BHO - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Uniblue SpeedUpMyPC Nag.job
Uniblue SpeedUpMyPC.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[{0000000A-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...86/wmsp9dmo.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft....467&clcid=0x409

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\common\yinsthelper.dll

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...386/wmv9dmo.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akama...meInstaller.exe

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.ma...t/ultrashim.cab

[YahooYMailTo Class]
InProcServer32 = C:\Program Files\Yahoo!\common\ymmapi.dll
CODEBASE = http://download.yaho...mail/ymmapi.dll

[YAddBook Class]
InProcServer32 = C:\PROGRA~1\Yahoo!\common\yaddbook.dll
CODEBASE = http://download.yaho...alls/yab_af.cab

[F-Secure Online Scanner 3.3]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\fscax.dll
CODEBASE = http://support.f-sec...m/ols/fscax.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.6.0_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[PhotosCtrl Class]
InProcServer32 = C:\Program Files\Yahoo!\common\YPhotos.dll
CODEBASE = http://photos.yahoo....plorer1_9us.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[Seagate SeaTools English Online]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\npSeaTools_EN.dll
CODEBASE = http://www.seagate.c.../npseatools.cab

[JuniperSetupSP1 Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\JUNIPE~1.OCX
CODEBASE = https://employee.nat...perSetupSP1.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\winrnr.dll
NameSpace #2: C:\Program Files\Neoteris\Secure Application Manager\samnsp.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\System32\mswsock.dll
NameSpace #5: C:\Program Files\Neoteris\Secure Application Manager\samnsp.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Ad-Aware 2007 Service: "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe" (autostart)
abp480n5: \SystemRoot\System32\DRIVERS\ABP480N5.SYS (disabled)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adpu160m: \SystemRoot\System32\DRIVERS\adpu160m.sys (disabled)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Compaq AGP Bus Filter: \SystemRoot\System32\DRIVERS\agpCPQ.sys (disabled)
Aha154x: \SystemRoot\System32\DRIVERS\aha154x.sys (disabled)
aic78u2: \SystemRoot\System32\DRIVERS\aic78u2.sys (disabled)
aic78xx: \SystemRoot\System32\DRIVERS\aic78xx.sys (disabled)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: \SystemRoot\System32\DRIVERS\aliide.sys (disabled)
ALI AGP Bus Filter: \SystemRoot\System32\DRIVERS\alim1541.sys (disabled)
AMD AGP Bus Filter Driver: \SystemRoot\System32\DRIVERS\amdagp.sys (disabled)
amsint: \SystemRoot\System32\DRIVERS\amsint.sys (disabled)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
asc: \SystemRoot\System32\DRIVERS\asc.sys (disabled)
asc3350p: \SystemRoot\System32\DRIVERS\asc3350p.sys (disabled)
asc3550: \SystemRoot\System32\DRIVERS\asc3550.sys (disabled)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ati2mpaa: System32\DRIVERS\ati2mpaa.sys (manual start)
ati2mtaa: system32\DRIVERS\ati2mtaa.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (autostart)
AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
AGN Virtual Network Adapter: system32\DRIVERS\avpnnic.sys (manual start)
basic2: System32\DRIVERS\HSF_BSC2.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
cbidf: \SystemRoot\System32\DRIVERS\cbidf2k.sys (disabled)
cd20xrnt: \SystemRoot\System32\DRIVERS\cd20xrnt.sys (disabled)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
CmdIde: \SystemRoot\System32\DRIVERS\cmdide.sys (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: \SystemRoot\System32\DRIVERS\cpqarray.sys (disabled)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
dac2w2k: \SystemRoot\System32\DRIVERS\dac2w2k.sys (disabled)
dac960nt: \SystemRoot\System32\DRIVERS\dac960nt.sys (disabled)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
dpti2o: \SystemRoot\System32\DRIVERS\dpti2o.sys (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel® PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
3Com EtherLink XL 90XB/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fallback: System32\DRIVERS\HSF_FALL.sys (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Fsks: System32\DRIVERS\HSF_FSKS.sys (autostart)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
hpn: \SystemRoot\System32\DRIVERS\hpn.sys (disabled)
hpt3xx: \SystemRoot\System32\DRIVERS\hpt3xx.sys (disabled)
HSFHWBS2: System32\DRIVERS\HSFHWBS2.sys (manual start)
HSF_DP: System32\DRIVERS\HSF_DP.sys (manual start)
hsf_msft: System32\DRIVERS\HSF_MSFT.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i2omp: \SystemRoot\System32\DRIVERS\i2omp.sys (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
ini910u: \SystemRoot\System32\DRIVERS\ini910u.sys (disabled)
IntelIde: \SystemRoot\System32\DRIVERS\intelide.sys (disabled)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
K56: System32\DRIVERS\HSF_K56K.sys (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Klif: system32\drivers\klif.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
mraid35x: \SystemRoot\System32\DRIVERS\mraid35x.sys (disabled)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: %systemroot%\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
Juniper Networks TDI Filter Driver (NEOFLTR_530_11159): \??\C:\WINDOWS\system32\Drivers\NEOFLTR_530_11159.SYS (system)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NMIndexingService: "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" (disabled)
NIC Management Service Configuration Driver: \??\C:\WINDOWS\System32\drivers\NMSCFG.SYS (manual start)
Intel® NMS: C:\WINDOWS\System32\NMSSvc.exe (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nv4: System32\DRIVERS\nv4.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
VSO Software pcouffin: System32\Drivers\pcouffin.sys (manual start)
perc2: \SystemRoot\System32\DRIVERS\perc2.sys (disabled)
perc2hib: \SystemRoot\System32\DRIVERS\perc2hib.sys (disabled)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
ql1080: \SystemRoot\System32\DRIVERS\ql1080.sys (disabled)
Ql10wnt: \SystemRoot\System32\DRIVERS\ql10wnt.sys (disabled)
ql12160: \SystemRoot\System32\DRIVERS\ql12160.sys (disabled)
ql1240: \SystemRoot\System32\DRIVERS\ql1240.sys (disabled)
ql1280: \SystemRoot\System32\DRIVERS\ql1280.sys (disabled)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Rksample: System32\DRIVERS\HSF_SAMP.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SASDIFSV: \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (system)
SASENUM: \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS (manual start)
SASKUTIL: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (system)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
setup_7.0.0.180_14.03.2008_07-23: "C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\setup_7.0.0.180_14.03.2008_07-23.exe" -r (disabled)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: \SystemRoot\System32\DRIVERS\sisagp.sys (disabled)
smwdm: system32\drivers\smwdm.sys (manual start)
SoftFax: System32\DRIVERS\HSF_FAXX.sys (autostart)
Sony USB Filter Driver (SONYPVU1): System32\DRIVERS\SONYPVU1.SYS (manual start)
Sparrow: \SystemRoot\System32\DRIVERS\sparrow.sys (disabled)
SpeakerPhone: System32\DRIVERS\HSF_SPKP.sys (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
srescan: system32\ZoneLabs\srescan.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Still Serial Digital Camera Driver: System32\DRIVERS\serscan.sys (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{B0A2456C-F1A2-47D9-8A39-CB9111F04968} (manual start)
symc810: \SystemRoot\System32\DRIVERS\symc810.sys (disabled)
symc8xx: System32\DRIVERS\symc8xx.sys (system)
sym_hi: \SystemRoot\System32\DRIVERS\sym_hi.sys (disabled)
sym_u3: \SystemRoot\System32\DRIVERS\sym_u3.sys (disabled)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Tones: System32\DRIVERS\HSF_TONE.sys (autostart)
TosIde: \SystemRoot\System32\DRIVERS\toside.sys (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: \SystemRoot\System32\DRIVERS\ultra.sys (disabled)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB Root Hub (usbport): System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
V124: System32\DRIVERS\HSF_V124.sys (autostart)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: \SystemRoot\System32\DRIVERS\viaagp.sys (disabled)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
winachsf: System32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
WpdUsb: System32\Drivers\wpdusb.sys (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 39,894 bytes
Report generated in 0.125 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only







HJT logfile:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:02:11 PM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://employee.nat..._16/welcome.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\setup_7.0.0.180_14.03.2008_07-23.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /M "Stylus Photo RX600" /EF "HKCU"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZNfox000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.c.../npseatools.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://employee.nat...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E188631-5C17-4551-8993-EEAEDC10E0DF}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{5E188631-5C17-4551-8993-EEAEDC10E0DF}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{5E188631-5C17-4551-8993-EEAEDC10E0DF}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8027 bytes
  • 0

#22
sage5
Posted 19 March 2008 - 12:14 AM

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi kenc,

Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for the all the entries listed below:
O4 - HKLM\..\Run: [AVP] "C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\setup_7.0.0.180_14.03.2008_07-23.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


Delete bad services
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices2.bat Please save it on your desktop.

@echo off
sc stop cbidf
sc stop setup_7.0.0.180_14.03.2008_07-23
sc delete cbidf
sc delete setup_7.0.0.180_14.03.2008_07-23
exit


Double click FixServices2.bat. A window will open and close. This is normal.


Create a CombFix Script:
  • Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.
  • Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\akbrnhmw.dll
C:\Windows\System32\DRIVERS\cbidf2k.sys


  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
    Posted Image
  • After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Cheers,

sage5
  • 0

#23
kenc
Posted 20 March 2008 - 06:40 PM

kenc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Here it is Sage,
Cheers,
Ken


ComboFix 08-03-20.5 - Ken 2008-03-20 17:30:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.227 [GMT -7:00]
Running from: C:\Documents and Settings\Ken\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ken\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\akbrnhmw.dll
C:\Windows\System32\DRIVERS\cbidf2k.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ken\Application Data\inst.exe
C:\kmd.exe
C:\Windows\System32\DRIVERS\cbidf2k.sys

.
((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.

2008-03-20 17:31 . 2001-08-17 13:52 13,952 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\cbidf2k.sys
2008-03-15 11:58 . 2008-03-15 13:28 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-03-15 11:57 . 2008-03-15 13:27 <DIR> d-------- C:\Program Files\Avi2Dvd
2008-03-10 08:17 . 2008-03-10 08:17 1,340 --a------ C:\f_secure
2008-03-09 21:04 . 2008-03-09 21:04 <DIR> d-------- C:\fsaua.data
2008-03-05 22:15 . 2008-03-05 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-03-05 20:00 . 2008-03-15 14:13 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\Vso
2008-03-05 20:00 . 2008-03-05 20:00 47,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pcouffin.sys
2008-03-05 20:00 . 2008-03-05 20:00 47,360 --a------ C:\Documents and Settings\Ken\Application Data\pcouffin.sys
2008-03-05 19:59 . 2008-03-05 19:59 <DIR> d-------- C:\Program Files\VSO
2008-03-05 19:59 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-03-05 19:59 . 2006-05-20 17:16 1,184,984 --a------ C:\WINDOWS\SYSTEM32\wvc1dmod.dll
2008-03-05 19:59 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\SYSTEM32\vp7vfw.dll
2008-03-05 19:59 . 2006-09-29 13:24 217,127 --a------ C:\WINDOWS\SYSTEM32\drv43260.dll
2008-03-05 19:59 . 2006-09-29 13:25 208,935 --a------ C:\WINDOWS\SYSTEM32\drv33260.dll
2008-03-05 19:59 . 2006-09-29 13:26 176,165 --a------ C:\WINDOWS\SYSTEM32\drv23260.dll
2008-03-05 19:59 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\SYSTEM32\cook3260.dll
2008-03-03 16:39 . 2008-03-03 16:39 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-03 16:39 . 2008-03-03 16:47 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\Intuit
2008-03-03 16:36 . 2008-03-03 16:36 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-03-03 16:36 . 2008-03-03 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2008-03-03 16:36 . 2007-10-22 19:58 1,721,712 --------- C:\WINDOWS\SYSTEM32\InetClnt.dll
2008-03-03 16:28 . 2008-03-03 16:28 <DIR> d-------- C:\Program Files\TurboTax
2008-03-01 10:02 . 2008-03-01 10:06 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\Uniblue
2008-02-27 21:24 . 2008-03-13 22:32 <DIR> d-------- C:\Program Files\Panda Security
2008-02-26 18:19 . 2008-02-26 18:19 <DIR> d-------- C:\_OTMoveIt
2008-02-25 10:24 . 2008-02-25 10:24 <DIR> d-------- C:\Documents and Settings\Barbara\Application Data\Grisoft
2008-02-24 13:38 . 2008-02-24 13:38 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\Grisoft
2008-02-24 13:37 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-02-23 12:44 . 2008-03-20 08:32 6,502,432 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-02-23 12:44 . 2008-03-20 08:32 75,992 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-02-23 12:42 . 2008-02-23 12:42 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-02-23 12:40 . 2008-02-23 12:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-23 12:40 . 2007-11-14 17:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-02-23 12:40 . 2008-02-23 12:42 4,212 --ah----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2008-02-23 12:29 . 2008-02-23 12:29 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-23 12:25 . 2008-03-20 17:27 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-23 11:55 . 2007-09-25 00:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-02-23 01:05 . 2008-02-23 01:05 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2008-02-23 00:01 . 2008-02-23 21:18 <DIR> d-------- C:\VundoFix Backups
2008-02-22 19:58 . 2008-03-16 22:15 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-22 18:13 . 2008-02-24 13:19 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-02-22 18:13 . 2008-02-24 13:19 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-02-22 17:46 . 2008-02-22 17:46 <DIR> d-------- C:\Program Files\CleanUp!
2008-02-22 09:48 . 2008-02-22 09:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-21 20:53 . 2008-02-21 20:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-21 18:38 . 2008-02-21 18:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-21 18:38 . 2008-02-21 18:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Juniper Networks
2008-02-21 18:33 . 2008-02-21 18:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-21 17:55 . 2008-02-21 17:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-21 17:54 . 2008-03-03 22:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-21 17:54 . 2008-02-22 09:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-21 17:54 . 2008-02-21 17:54 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 00:11 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-20 14:47 --------- d-----w C:\Documents and Settings\Ken\Application Data\OpenOffice.org2
2008-03-17 05:15 --------- d-----w C:\Program Files\SpywareBlaster
2008-03-16 06:01 68,472 ----a-w C:\Documents and Settings\Ken\Application Data\GDIPFONTCACHEV1.DAT
2008-03-16 05:29 --------- d-----w C:\Documents and Settings\Ken\Application Data\AVG7
2008-03-15 20:29 --------- d-----w C:\Documents and Settings\Ken\Application Data\DivX
2008-03-06 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-03 23:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-01 17:09 --------- d-----w C:\Documents and Settings\Barbara\Application Data\OpenOffice.org2
2008-03-01 17:08 --------- d-----w C:\Program Files\BroadJump
2008-02-24 20:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-24 20:23 --------- d-----w C:\Program Files\QuickTime
2008-02-24 20:23 --------- d-----w C:\Program Files\Digital Line Detect
2008-02-23 19:31 --------- d-----w C:\Program Files\Java
2008-02-22 16:49 --------- d-----w C:\Program Files\Lavasoft
2008-02-20 19:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-20 17:19 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-15 03:09 --------- d-----w C:\Documents and Settings\Ken\Application Data\GrabIt
2008-02-14 01:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-05 05:28 --------- d-----w C:\Program Files\DivX
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-01-04 21:58 129,784 ----a-w C:\WINDOWS\SYSTEM32\pxafs.dll
2008-01-04 21:58 120,056 ----a-w C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2008-01-04 21:58 118,520 ----a-w C:\WINDOWS\SYSTEM32\pxinsi64.exe
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\SYSTEM32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\SYSTEM32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\SYSTEM32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\SYSTEM32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\SYSTEM32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\SYSTEM32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2007-10-22 21:05 68,472 ----a-w C:\Documents and Settings\Barbara\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-02-23 12:42 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-02-23 12:42 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Yahoo! Pager"="1" []
"EPSON Stylus Photo RX600"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX600"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.exe" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"YBrowser"="C:\Program Files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 13:51 57344]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-22 09:50 579072]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 13:16 185896]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 08:35 20480]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 17:05 919016]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-24 18:03 185784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-22 09:50 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2002-10-10 17:44:19 45056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-04-10 14:44 679936 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
--a------ 2006-10-11 12:45 75304 C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2003-01-07 22:37 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-06-24 18:03 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\ws_ftp\\WS_FTP32.EXE"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"C:\\sopcast\\SopCast\\SopCast.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 05:00]
R1 NEOFLTR_530_11159;Juniper Networks TDI Filter Driver (NEOFLTR_530_11159);C:\WINDOWS\system32\Drivers\NEOFLTR_530_11159.SYS [2006-09-14 22:10]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 08:54]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 10:48]
S3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 12:48]
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-05-03 09:30]
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 09:29]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 11:52]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-11 16:02:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-03-01 17:02:41 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 17:35:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-20 17:37:13
ComboFix-quarantined-files.txt 2008-03-21 00:36:48
.
2008-03-12 19:25:32 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:31 PM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://employee.nat..._16/welcome.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /M "Stylus Photo RX600" /EF "HKCU"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1599196801-163748893-4247568029-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Barbara')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZNfox000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.c.../npseatools.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://employee.nat...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E188631-5C17-4551-8993-EEAEDC10E0DF}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{5E188631-5C17-4551-8993-EEAEDC10E0DF}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{5E188631-5C17-4551-8993-EEAEDC10E0DF}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8228 bytes
  • 0

#24
sage5
Posted 20 March 2008 - 07:26 PM

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi kenc

Congratulations, your new log looks clear, so we can now deal with some final clean up jobs.

Clean out cookies, temp files etc:
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Cleanup with OTMoveIt:
  • Please double-click OTMoveIt2.exe to run it.
  • Click the Clean up button
  • Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • Click Yes to the reboot.


To Clear Restore points, please do the following:
  • Go to Start > Settings > Control Panel.
  • Double-click the System icon.
    • NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.
  • Click the System Restore tab.
  • Put a check by Disable System Restore.
  • Click Apply, OK, OK. Click Yes when you are prompted to restart Windows.
After reboot, you must turn System Restore back on:
  • Go back to the Troubleshooting tab.
  • UNcheck Disable System Restore.
  • Click Apply, OK, OK. Click Yes when you are prompted to restart Windows.

Lastly, some extra or better security for your PC:

The programs recommended below are freeware alternatives to some of your security software & might reduce the potential for spyware infection in the future:-

Spyware Prevention:
Spyware Blaster by JavaCool Software, prevents spyware installing and consumes no system resources.
IE/SpyAd, stops suspect sites loading ActiveX, popups etc onto your PC. An excellent tutorial is Here

Spyware Detection:
AVG Anti-Spyware is my favourite here.

Anti-Virus:
The first line of defence, especially since some will now detect trojans as well.
Avira's Antivir PersonalEdition Classic and Grisoft's Avast! Free Edition are among the best freebies.
*Please note* You should never install more than one anti-virus program on a PC, as it will cause conflicts.

Firewall:
A Firewall is an essential tool in the security of any PC connected to the Internet.
Sunbelt Personal Firewall and Comodo are both excellent freeware.

Alternate Browsers:
Thankfully, there are now some excellent alternatives to MS Internet Explorer. They offer better security, more stability, and better speed.
A couple of good examples are: Firefox and Opera

Other Updates:
Vital security patches and updates are available for Microsoft Windows and Internet Explorer at the Windows Update Site
It is equally important to update the other security software you use, on a regular basis.

Further reading about these issues is available in a very good article: How did I get infected in the first place ? (by Tony Klein and dvk01)

All the best & safe surfing in the future,

sage5
  • 0

#25
kenc
Posted 20 March 2008 - 08:04 PM

kenc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Sage,
Thanks for your help!
Would you rate the two firewalls you mentioned as superior to Zonealarm?
Thanks again,
Ken
  • 0

Advertisements

#26
sage5
Posted 20 March 2008 - 11:16 PM

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
No probably not superior, just other options.
ZoneAlarm used to be an industry standard in the freeware department.
Now, some of the opposition have caught up (& perhaps passed)

Cheeers,

sage5
  • 0

#27
kenc
Posted 21 March 2008 - 06:03 PM

kenc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Hi Sage,
One thing that's strange. Since the cleanout, some websites - this one for example, and youtube - have gone "simple" in look and feel and are kind of left justified. Any idea what might have changed? I checked my Internet Explorer and everything remains the same (i.e. "good") there.
Ken

P.s. I see this warning on youtube:
Hello, you either have JavaScript turned off or an old version of Adobe's Flash Player. Get the latest Flash player.

Aha, looks like it was the flash. No problem. Fixed.

Edited by kenc, 21 March 2008 - 06:31 PM.

  • 0

#28
sage5
Posted 21 March 2008 - 10:46 PM

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP