Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

outerinfo adware removal help! [RESOLVED]

Started by jettybest , Feb 23 2006 08:36 AM

  • This topic is locked This topic is locked

#1
jettybest
Posted 23 February 2006 - 08:36 AM

jettybest

    Member

  • Member
  • PipPip
  • 32 posts
Hi,

Have tried scan computer at safe mode by Xoft/noadware/spybot, but still popup advertisement from Outerinfo, anyone could help?

Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 21:33:14, on 2006-2-22
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\serverappliance\appmgr.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINDOWS\system32\serverappliance\elementmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\serverappliance\srvcsurg.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\SAV\vptray.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Application Data\Fоnts\spool32.exe
C:\WINDOWS\MCROSO~1\csrss.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\FreePOPs\freepopsd.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis1991.exe

R3 - URLSearchHook: (no name) - {30293F7D-DAE5-D463-C3AC-F68AADAAFDBE} - C:\WINDOWS\system32\iahgme.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30293F7D-DAE5-D463-C3AC-F68AADAAFDBE} - C:\WINDOWS\system32\iahgme.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\GreenV\NTIEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IPPFRWL] mmc.exe "C:\Program Files\NT Kernel Resources\NeT Firewall\Firewall.msc" /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Vgqa] C:\Documents and Settings\Administrator\Application Data\Fоnts\spool32.exe
O4 - HKCU\..\Run: [Eapt] "C:\WINDOWS\MCROSO~1\csrss.exe" -vt ndrv
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: 使用影音传送带下载 - C:\Program Files\GreenV\NTAddLink.html
O8 - Extra context menu item: 使用影音传送带下载全部链接 - C:\Program Files\GreenV\NTAddList.html
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1137703627746
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3177C4D-140A-41AB-AB00-D5CD27986A75}: NameServer = 192.168.0.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\\NavLogon.dll
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SAV\DefWatch.exe
O23 - Service: Intel Alert Handler - Intel? Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel? Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel? Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel? Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Symantec AntiVirus Server (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SAV\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  • 0

Advertisements

#2
Buckeye_Sam
Posted 23 February 2006 - 08:39 AM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Please download Look2Me-Remover.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Remover.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Remover will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Remover.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX
  • 0

#3
jettybest
Posted 23 February 2006 - 08:43 AM

jettybest

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Thank you very much for your help Sam, will post the result soon.....
  • 0

#4
jettybest
Posted 23 February 2006 - 12:03 PM

jettybest

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Hi Sam,

Have done all.

Problem:
A, when run application Look2Me, popup an error message "NTP service......"

B, when run IE, every 10 sec popup a message "For Your Instant Access Please Click Yes", the button is "OK". I just close it.

C, There is no file missing.....

D, popup message "http://69.50.173.166...wmid=2405&pg=1", script error.


Question: Shall I click OK for that Message popup?

following is the log file:



Look2Me-Destroyer V1.0.6

Scanning for infected files.....
Scan started at 2006-2-23 17:48:16


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded





Logfile of HijackThis v1.99.1
Scan saved at 18:03:58, on 2006-2-23
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\serverappliance\appmgr.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINDOWS\system32\serverappliance\elementmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\serverappliance\srvcsurg.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\SAV\vptray.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Administrator\Application Data\Fоnts\spool32.exe
C:\WINDOWS\MCROSO~1\csrss.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\TEMP\winF0.tmp.exe
C:\WINDOWS\TEMP\winDD.tmp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\TEMP\winF0.tmp.exe
C:\WINDOWS\TEMP\winDD.tmp.exe
C:\WINDOWS\TEMP\winF0.tmp.exe
C:\WINDOWS\TEMP\oemfdpmd.exe
C:\Program Files\HijackThis1991.exe

R3 - URLSearchHook: (no name) - {30293F7D-DAE5-D463-C3AC-F68AADAAFDBE} - C:\WINDOWS\system32\iahgme.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30293F7D-DAE5-D463-C3AC-F68AADAAFDBE} - C:\WINDOWS\system32\iahgme.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\GreenV\NTIEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IPPFRWL] mmc.exe "C:\Program Files\NT Kernel Resources\NeT Firewall\Firewall.msc" /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Vgqa] C:\Documents and Settings\Administrator\Application Data\Fоnts\spool32.exe
O4 - HKCU\..\Run: [Eapt] "C:\WINDOWS\MCROSO~1\csrss.exe" -vt ndrv
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: 使用影音传送带下载 - C:\Program Files\GreenV\NTAddLink.html
O8 - Extra context menu item: 使用影音传送带下载全部链接 - C:\Program Files\GreenV\NTAddList.html
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1137703627746
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3177C4D-140A-41AB-AB00-D5CD27986A75}: NameServer = 192.168.0.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\\NavLogon.dll
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SAV\DefWatch.exe
O23 - Service: Intel Alert Handler - Intel? Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel? Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel? Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel? Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Symantec AntiVirus Server (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SAV\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  • 0

#5
Buckeye_Sam
Posted 23 February 2006 - 12:17 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
That fix didn't appear to work, but you also have some other issues.
We need to download and prepare some tools that we will need to fix your problem.
  • Please download Ewido Security Suite
    • Install ewido security suite
    • When installing, under "Additional Options" uncheck..
      • Install background guard
      • Install scan via context menu
    • Launch ewido, there should be an icon on your desktop, double-click it.
    • You will need to update ewido to the latest definition files.
      • On the left hand side of the main screen click update.
      • Then click on Start Update.
    • The update will start and a progress bar will show the updates being installed.
      (the status bar at the bottom will display "Update successful")
    • Exit ewido. DO NOT scan yet.
    If you are having problems with the updater, you can use this link to manually update ewido.
    Ewido Manual Updates

  • Please download Adaware SE 1.06
    Install Adaware and check for updates, but don't run it yet.

  • Please download CleanUp 4.0
    Install CleanUp, but don't run it yet.

==============


Now that you have the right tools we can start fixing your problem.

Please make sure that you can View Hidden Files
  • Click Start -> My Computer
  • Select Tools -> Folder options
  • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
  • Also make sure that 'Display the contents of system folders' is checked.
  • Make sure "Hide extensions for known file types" is unchecked
  • Make sure "Hide protected operating system files (recommended)" is unchecked
  • For more info on how to show hidden files click here.

Please print out these instructions as the rest of this fix must be done in Safe mode and you won't be able to access the Internet.

Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* if you have trouble getting into Safe mode go here for more info.


=============


Once in Safe mode, follow these steps:
  • Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

    R3 - URLSearchHook: (no name) - {30293F7D-DAE5-D463-C3AC-F68AADAAFDBE} - C:\WINDOWS\system32\iahgme.dll
    O2 - BHO: (no name) - {30293F7D-DAE5-D463-C3AC-F68AADAAFDBE} - C:\WINDOWS\system32\iahgme.dll
    O4 - HKCU\..\Run: [Vgqa] C:\Documents and Settings\Administrator\Application Data\Fоnts\spool32.exe
    O4 - HKCU\..\Run: [Eapt] "C:\WINDOWS\MCROSO~1\csrss.exe" -vt ndrv
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll


  • Delete these files (Do not be concerned if they do not exist);

    C:\WINDOWS\system32\iahgme.dll
    C:\WINDOWS\SYSTEM32\winzdn32.dll
    C:\Documents and Settings\Administrator\Application Data\Fоnts\spool32.exe
    C:\WINDOWS\MCROSO~1\csrss.exe



  • Now run CleanUp
    IMPORTANT!
    CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
    If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

    Running CleanUp
    • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
    • When CleanUp starts go to the Options button (right side of CleanUp screen)
    • Move the arrow down to "Custom CleanUp!"
    • Now place a checkmark next to the following (Make sure nothing else is checked!):
      • Delete Cookies
        This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
      • Empty Recycle Bins
      • Delete Prefetch files
      • Cleanup! All Users
    • Click OK
    • Then click on the CleanUp button. This will take a short while, let it do its thing.
    • When asked to reboot system select No
    • Close CleanUp

  • Open Ad-aware and do a full scan. Remove everything that it finds.

  • Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop.
    • Close Ewido.

  • Reboot back into normal mode.

  • Please run this online virus scan - Panda Virus Scan
    • Make sure it is set to clean automatically.
    • There may be files that this scan will not remove. Please save that information to include in your next post.

  • Reboot your computer and post the following information in your next reply:
    • A new Hijackthis log
    • The Ewido log
    • The log from Panda online virus scan
Let me know how things are running and what problems you are still having.
  • 0

#6
jettybest
Posted 23 February 2006 - 12:17 PM

jettybest

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Till now, I have not seen any advertisement popup.

However, two new problems coming:

1, when run IE, every 10 sec popup a message "For Your Instant Access Please Click Yes", the button is "OK". I just close it.
2, keep on popup message "http://69.50.173.166...wmid=2405&pg=1", script error. it doesnot the matter which website I visit.
  • 0

#7
jettybest
Posted 23 February 2006 - 12:20 PM

jettybest

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Just saw your reply. Will do it now...
  • 0

#8
jettybest
Posted 23 February 2006 - 03:21 PM

jettybest

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Hi Sam,

Have done everything.

Problems:

A, Trying to delete "C:\WINDOWS\SYSTEM32\winzdn32.dll", I was told "make sure file is not in use......", I can not delete it.

B, can not find C:\WINDOWS\MCROSO~1\csrss.exe

C, Run Panda Virus Scan, found scrss.exe is malware. I checked process from task manager, find out that csrss.exe is still in use.


Following is the log:

Logfile of HijackThis v1.99.1
Scan saved at 21:16:43, on 2006-2-23
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\serverappliance\appmgr.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINDOWS\system32\serverappliance\elementmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\serverappliance\srvcsurg.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\SAV\vptray.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kingsoft\PowerWord 2005\XDICT.EXE
C:\Program Files\HijackThis1991.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\GreenV\NTIEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IPPFRWL] mmc.exe "C:\Program Files\NT Kernel Resources\NeT Firewall\Firewall.msc" /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: 使用影音传送带下载 - C:\Program Files\GreenV\NTAddLink.html
O8 - Extra context menu item: 使用影音传送带下载全部链接 - C:\Program Files\GreenV\NTAddList.html
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1137703627746
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3177C4D-140A-41AB-AB00-D5CD27986A75}: NameServer = 192.168.0.1
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\\NavLogon.dll
O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SAV\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel Alert Handler - Intel? Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel? Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel? Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel? Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Symantec AntiVirus Server (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SAV\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe





Incident Status Location

Adware:Adware/PurityScan Not disinfected C:\WINDOWS\M?crosoft\csrss.exe



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 20:28:23, 2006-2-23
+ Report-Checksum: 6CDEEAFE

+ Scan result:

[276] C:\WINDOWS\system32\winzdn32.dll -> Hijacker.Small.kb : Cleaned with backup
C:\Documents and Settings\Administrator\Application Data\Fоnts\spool32.exe -> Adware.PurityScan : Cleaned with backup
C:\Program Files\backups\backup-20060223-183524-851.dll -> Adware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\oins.exe -> Downloader.PurityScan.bt : Cleaned with backup
C:\WINDOWS\system32\winzdn32.dll -> Hijacker.Small.kb : Cleaned with backup
E:\software\normal\msnpic\MsgPlus-252.exe/70000011.exe -> Downloader.Swizzor.af : Cleaned with backup


::Report End


Any suggestions?

Thanks.
  • 0

#9
jettybest
Posted 23 February 2006 - 03:53 PM

jettybest

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
And, after I checked all, I go back to safe mode again. I noticed that even in safe mode, scrss.exe is in use from task manager and I can not end it, windows popup messages says it is a core system file........

I run all the application again, nothing found.

Also, I use search function of windows to search *scrss.* , I can not find any file. I search REGEDIT as well, nothing found. But it is actually showed in task manager...... I looked up my laptop, I found it is also in laptop process.

I search internet again, most of people identified this as virus or spyware. But it seems all software does not recoginise it.......

What is going on with this file?

Edited by jettybest, 23 February 2006 - 04:13 PM.

  • 0

#10
Buckeye_Sam
Posted 24 February 2006 - 08:18 AM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Fix this line with Hijackthis.

O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)


Download KillBox and unzip it to your desktop.

Open Killbox and select the Delete on reboot option.
Copy and paste the following file to the field labeled "Full path of file to delete"

C:\WINDOWS\MCROSO~1\csrss.exe

Press the Delete button (the button that looks like a red circle with a white X in it).
A first dialog box will ask if you want to delete the file on reboot, press the YES button.
A second dialog box will ask you if you want to REBOOT now. Press the YES button.

Your computer will reboot.


==========


Run a new Panda scan and let me know if that file still shows up.

Post a new hijackthis log and let me know of any problems that you are still having.
  • 0

Advertisements

#11
jettybest
Posted 24 February 2006 - 11:52 AM

jettybest

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
Hi Sam,

A, Clean O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing) , sucessfully.

B, At normal mode, use KillBox, use "standard file kill", after click, then, blue screen, Reboot computer, Normal mode, Run application again, Use "delete on Reboot option", everything is fine. Reboot the computer. Check task manager. Unfortunately, SCRSS.EXE still show up at the process.

Kill box log as follows:
Pocket Killbox version 2.0.0.648
Running on as Administrator(Limited Account)
was started @ Friday, February 24, 2006, 5:24 PM

Killbox Closed(Exit) @ 5:24:32 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on as Administrator(Limited Account)
was started @ Friday, February 24, 2006, 5:24 PM

Killbox Closed(Exit) @ 5:25:21 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on as Administrator(Limited Account)
was started @ Friday, February 24, 2006, 5:33 PM

Pocket Killbox version 2.0.0.648
Running on as Administrator(Limited Account)
was started @ Friday, February 24, 2006, 5:36 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\MCROSO~1\csrss.exe


I Rebooted @ 5:37:10 PM
Killbox Closed(Exit) @ 5:37:12 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on as Administrator(Limited Account)
was started @ Friday, February 24, 2006, 5:42 PM

# 1 [End Process]
Path =
Could not End Task on

# 2 [Delete on Reboot]
Path = C:\WINDOWS\MCROSO~1\csrss.exe


PendingFileRenameOperations Registry Data has been

Removed by External Process! @ 5:44:11 PM
# 3 [Delete on Reboot]
Path = C:\WINDOWS\MCROSO~1\csrss.exe


PendingFileRenameOperations Registry Data has been

Removed by External Process! @ 5:44:26 PM
Killbox Closed(Exit) @ 5:44:30 PM
__________________________________________________


I reboot the computer, go to safe mode. run Killbox again.
This time, popup a message after I click kill:

PendingFileRenameOperations Registry Data has been Removed by external Process!

I click OK, then, nothing happened.

Reboot computer again, SCRSS.EXE still show up.........

What shall I do next?
  • 0

#12
Buckeye_Sam
Posted 24 February 2006 - 09:20 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Open Hijackthis, click "Open the Misc Tools section"
Next to "Generate StartupList log", place a check next to "List also minor sections" (full) and "List empty sections (complete).
Then click "Generate StartupList log"
Click "Yes" to the box that pops-up.
Then copy and paste the notepad text that appears to this topic.
  • 0

#13
jettybest
Posted 25 February 2006 - 03:57 AM

jettybest

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
StartupList report, 2006-2-25, 9:56:06
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis1991.EXE
Detected: Windows 2003 SP1 (WinNT 5.02.3790)
Detected: Internet Explorer v6.00 SP1 (6.00.3790.1830)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\serverappliance\appmgr.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINDOWS\system32\serverappliance\elementmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\serverappliance\srvcsurg.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\SAV\vptray.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\FreePOPs\freepopsd.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis1991.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
DrvLsnr = C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
vptray = C:\PROGRA~1\SAV\vptray.exe
IMSCMig = C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
DAEMON Tools-1033 = "C:\Program Files\D-Tools\daemon.exe" -lang 1033
StormCodec_Helper = "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
IPPFRWL = mmc.exe "C:\Program Files\NT Kernel Resources\NeT Firewall\Firewall.msc" /minimize

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{36BBA8D2-CA5C-4847-81CC-4F807DD86C91}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{6D69F546-C1AF-4049-AE9E-28627B91D3F5}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
StubPath = %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

[{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
StubPath = %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
(no name) - C:\Program Files\GreenV\NTIEHelper.dll - {C56CB6B0-0D96-11D6-8C65-B2868B609932}

--------------------------------------------------

Enumerating Task Scheduler jobs:

XoftSpy.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft....k/?linkid=39204

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ntent/opuc3.cab

[Malicious Software Removal Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WebCleaner.dll
CODEBASE = http://download.micr.../WebCleaner.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.micros...b?1137703627746

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoft...free/asinst.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn...pDownloader.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.ma...ent/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\mswsock.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
Application Experience Lookup Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Server Manager: C:\WINDOWS\system32\serverappliance\appmgr.exe (autostart)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
Broadcom NetXtreme Gigabit Ethernet: system32\DRIVERS\b57xp32.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (disabled)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
Cluster Disk Driver: system32\DRIVERS\ClusDisk.sys (disabled)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
CRC Disk Filter Driver: system32\DRIVERS\crcdisk.sys (system)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart)
DefWatch: C:\PROGRA~1\SAV\DefWatch.exe (autostart)
Distributed File System: %SystemRoot%\system32\Dfssvc.exe (disabled)
DfsDriver: system32\drivers\Dfs.sys (system)
DHCP Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
3Com EtherLink XL 90XB/C Adapter Driver: system32\DRIVERS\el90xbc5.sys (manual start)
Web Element Manager: C:\WINDOWS\system32\serverappliance\elementmgr.exe (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k WinErr (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (autostart)
ewido security suite control: C:\Program Files\ewido anti-malware\ewidoctrl.exe (autostart)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: C:\WINDOWS\system32\lsass.exe (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
IIS Admin Service: C:\WINDOWS\system32\inetsrv\inetinfo.exe (autostart)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (disabled)
Intel Alert Handler: C:\WINDOWS\system32\ams_ii\hndlrsvc.exe (autostart)
Intel Alert Originator: C:\WINDOWS\system32\ams_ii\iao.exe (autostart)
Intel File Transfer: C:\WINDOWS\system32\cba\xfr.exe (autostart)
Intel PDS: C:\WINDOWS\system32\cba\pds.exe (autostart)
IntelIde: system32\DRIVERS\intelide.sys (system)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Intersite Messaging: %SystemRoot%\System32\ismserv.exe (disabled)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Kerberos Key Distribution Center: %SystemRoot%\System32\lsass.exe (disabled)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
License Logging: %SystemRoot%\System32\llssrv.exe (disabled)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (disabled)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (autostart)
FTP Publishing Service: %SystemRoot%\system32\inetsrv\inetinfo.exe (autostart)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
NAVAP: \??\C:\PROGRA~1\SAV\NAVAP.sys (manual start)
NAVAPEL: \??\C:\PROGRA~1\SAV\NAVAPEL.SYS (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060222.006\NAVENG.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060222.006\NAVEX15.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Symantec AntiVirus Server: C:\PROGRA~1\SAV\Rtvscan.exe (autostart)
File Replication: %SystemRoot%\system32\ntfrs.exe (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
Parvdm: system32\DRIVERS\parvdm.sys (autostart)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Processor Driver: system32\DRIVERS\processr.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k regsvc (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost.exe -k rpcss (autostart)
Resultant Set of Policy Provider: %SystemRoot%\system32\RSoPProv.exe (manual start)
Special Administration Console Helper: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
smwdm: system32\drivers\smwdm.sys (manual start)
SoundMAX Agent Service: C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Remote Administration Service: C:\WINDOWS\system32\serverappliance\srvcsurg.exe (autostart)
st3bus28: system32\DRIVERS\st3bus28.sys (manual start)
st3mp28: system32\DRIVERS\st3mp28.sys (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (disabled)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
Microsoft Software Shadow Copy Provider: %SystemRoot%\System32\svchost.exe -k swprv (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k tapisrv (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k termsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)
Distributed Link Tracking Server: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Terminal Services Session Directory: %SystemRoot%\System32\tssdis.exe (disabled)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (manual start)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: system32\DRIVERS\usbhub.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
Virtual Disk Service: %SystemRoot%\System32\vds.exe (manual start)
vga: system32\DRIVERS\vgapnp.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Storage volumes: system32\DRIVERS\volsnap.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
World Wide Web Publishing Service: %SystemRoot%\System32\svchost.exe -k iissvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WinHTTP Web Proxy Auto-Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Network Load Balancing: system32\DRIVERS\wlbs.sys (manual start)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
XPROTECTOR: \??\C:\WINDOWS\system32\drivers\Xprotector.sys (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsw3.tmp\System.dll||C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsw3.tmp\


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 34,647 bytes
Report generated in 0.203 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  • 0

#14
jettybest
Posted 25 February 2006 - 10:47 AM

jettybest

    Member

  • Topic Starter
  • Member
  • PipPip
  • 32 posts
One More thing.

I found out I found out two user folder at

C:\Documents and Settings

\LNSS_MONITOR_USR
\Default User

is these normal?


New log as follows:
Logfile of HijackThis v1.99.1
Scan saved at 16:46:46, on 2006-2-25
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\serverappliance\appmgr.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINDOWS\system32\serverappliance\elementmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\cba\pds.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\serverappliance\srvcsurg.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\SAV\vptray.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\FreePOPs\freepopsd.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Kingsoft\PowerWord 2005\XDICT.EXE
C:\Program Files\NoAdware4\NoAdware4.exe
C:\Program Files\XoftSpy\XoftSpy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis1991.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\GreenV\NTIEHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IPPFRWL] mmc.exe "C:\Program Files\NT Kernel Resources\NeT Firewall\Firewall.msc" /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: 使用影音传送带下载 - C:\Program Files\GreenV\NTAddLink.html
O8 - Extra context menu item: 使用影音传送带下载全部链接 - C:\Program Files\GreenV\NTAddList.html
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1137703627746
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3177C4D-140A-41AB-AB00-D5CD27986A75}: NameServer = 192.168.0.1
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SAV\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel Alert Handler - Intel? Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel? Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel? Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel? Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Symantec AntiVirus Server (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SAV\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  • 0

#15
Buckeye_Sam
Posted 25 February 2006 - 04:28 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts

I found out I found out two user folder at

C:\Documents and Settings

\LNSS_MONITOR_USR
\Default User

is these normal?

Yes they are. I found this info on \LNSS_MONITOR_USR
http://kbase.gfi.com...p?id=KBID002068


Your log is clean. The file csrss.exe is a legitimate file if found in the System32 folder. That's the one you are still seeing show up in your task manager.
http://www.liutiliti...slibrary/csrss/


However, that same file if run out of this folder is malicious.
C:\WINDOWS\MCROSO~1\
That is the file that we have deleted. I don't find any sign of it in your log.


Tell me how your computer is running now. Any problems?
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP