Banker Trojan (unsrvc.exe)


  • This topic is locked
19 replies to this topic

#1 DeLuk

  • Members
  • 228 posts
  • Gender:Not Telling
  • Location:Portugal

Posted 11 January 2008 - 12:33 PM

Greetings to the forum. :)

It's been a while since I last had to bother you, yet I once more find myself in need of your expert help.

A couple of weeks back, I found our home PC (running XP SP2) infected with a banker trojan and some other malware. (At the time, I thought it was all part of the same infection, yet I was to learn from my brother that it actually was not, as seemingly each of the infections had occurred on a different occasion. He told me that he got the other malware in some chat on MSN Messenger, and the trojan, a couple of days later, from some Hotmail e-mail with a link to watch some video on some YouTube-like video host, he said, and, when accessing that page, he was prompted to install some additional program in order to be able to watch the video, and, unaware of danger as he always has been, he ran the program, and bam, got the trojan installed.)

Symptoms of the other malware were:

WinPatrol warnings of bpfvmo.exe attempting to set itself as a startup entry and as a Windows Service (entry name: Print Spooler Service).

Sygate Firewall warning of bpfvmo.exe attempting to connect to bpdyttrlp.yi.org (64.21.149.167) on port 447 / DDM-DFM/RFM protocol.

(bpfvmo.exe was located in C:\WINDOWS\system32\.)

Symptoms of the banker trojan were:

A fake message being displayed (when the blue screen for the desktop loads but still before any icon has appeared) saying that Adobe FlashPlayer 9 ActiveX was being installed. The window message had a cancel button and an installation progress bar which however was static at less than half way through completion.

WinPatrol warning of unsrvc.exe attempting to set itself as a startup entry.

Sygate Firewall warning of unsrvc.exe attempting to connect to spectrum.iitalia.com (82.196.5.223) on port 80 / HTTP protocol.

(unsrvc.exe was located in C:\WINDOWS\system32\.)

I denied each warning at once, of course. (Yet I don't know whether my brother permitted any on any occasion; he didn't take notice/doesn't recall, he says...) Then again, note that denying unsrvc.exe permission to set itself as a startup entry via WinPatrol would cause that fake FlashPlayer installation message window to be closed. Also, still regarding this message window, I never clicked its cancel button nor the [X] to close it, since I didn't know whether those might just have some twisted function and, instead of cancelling/closing the message window, might instead fire up some other unwanted/malicious process/action. So, just to be on the safer side, I always got it to close via the WinPatrol warning. (Again, I don't know whether my brother ever did otherwise, though...)

As with every other time I've had to deal with malware infections, I started out with the preliminary cleaning. I cleaned out all temp files (with CCleaner), which at once deleted one of the malware files, flash_wizard.exe, which was stored among the temporary internet files. (Prior to starting the preliminary cleaning, I ran a search for files with the same creation/modification dates/times as unsrvc.exe and bpfvmo.exe, for reference, for some clue as to what other potentially malicious stuff might be spread around, and there was this flash_wizard.exe among the temporary internet files, which also had exactly the same size and file info properties as unsrvc.exe, thus I presumed one to be a copy of the other. As I say, this file was removed at once when cleaning all temp files with CCleaner.)

Next I ran Ad-Aware + SpyBot + AVG Anti-Spyware + SuperAntiSpyware, all in Safe Mode. (A note, to say that, as I booted into Safe Mode, even then the fake FlashPlayer installation message window appeared. I checked in Windows Task Manager, and unsrvc.exe was among the running processes. As I didn't want to risk closing the message window by hitting its cancel button or [X], I chose to terminate the unsrvc.exe process via Task Manager. This indeed caused the message window to close. I presume, then, that the opposite must also have happened, i.e. in Normal Mode, when the message window would close after denying unsrvc.exe permission to set itself as a startup entry via WinPatrol, I would guess that would equally cause the unsrvc.exe process to be terminated, perhaps?... I don't recall having checked this in Task Manager, thus I cannot be sure, though...) Ad-Aware and SuperAntiSpyware both found nothing. SpyBot reported the Print Spooler Service (the respective entry in the registry, if I remember it right), which I chose to fix. AVG Anti-Spyware detected bpfvmo.exe as well as the zip file which my brother received via MSN Messenger and which originally included the malware, plus another 4 entries in System Restore, all of these 6 items being reported as the same infection/malware, and which I also chose to quarantine.

I rebooted back into Normal Mode afterwards, and neither the file bpfvmo.exe nor the related Print Spooler Service existed any more when checking via services.msc, and neither Sygate Firewall nor WinPatrol warned about any action by bpfvmo.exe any longer either. As none of those previous anti-spyware scans had detected the banker trojan, unsrvc.exe, obviously the fake FlashPlayer installation message window still appeared, since unsrvc.exe was still present as well, of course. When I first took notice of the infection, as per usual I at once submitted the suspicious files for analysis at virustotal.com, and by then actually not many of the scanners detected unsrvc.exe. So I held on a couple of days more, and then ran a new scan on the file. More scanners detected it now, including Panda, so I proceeded to run Panda's online ActiveScan. It found and disinfected 3 items, all of which it reported as being the same malware/infection: unsrvc.exe; install_flash_player.exe, which was stored in My Documents (and which, as I had previously checked, also had the same creation/modification date/time as unsrvc.exe, though a different size, and which I presume must have been the program which my brother initially ran and which got the trojan installed); and also sysstr.sys in C:\WINDOWS\ (I don't recall noticing this one in my search for files with the same creation/modification date/time as unsrvc.exe, but perhaps I overlooked it?...). So, after this cleaning by Panda, I went for a new reboot. My intention was to follow up with a couple of other online antivirus scans (F-Secure and Kaspersky) to check if and what else might still be left, yet I thought of rebooting after this cleaning by Panda, also to run a new HJT scan, to check if the entries referring to unsrvc.exe were also already gone by now.

(There was, for sure, at least this entry: F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\unsrvc.exe -runservice. I can't say for sure whether there was also this other one: O4 - HKLM\..\Run: [unsrvc] C:\WINDOWS\system32\unsrvc.exe -runservice; sincerely I can't recall it, and then, after all the many similar logs I've gone through in my search for helpful hints over the forums, honestly I can't confirm any more whether this entry was in my own HJT log or not, I'm sorry... Though I'm also in doubt about it because of WinPatrol; I mean, if denying unsrvc.exe's attempt to set itself as a startup entry, is it possible that that entry in the registry would still be created nonetheless? Or does it all depend on whether WinPatrol detects it in time to prevent such an entry from being created or not? Hmm, that wouldn't make WinPatrol all too efficient for such a purpose, then, would it?... This really has caused me some doubt, all of a sudden... Then again, I am also not certain whether C:\WINDOWS\system32\unsrvc.exe appeared as a running process in my HJT log; shamefully I didn't take notice of this detail... As I was saying above, I don't recall having confirmed in Task Manager whether unsrvc.exe kept running after closing the fake FlashPlayer message window via WinPatrol, thus I'm not certain whether the process would still have been running when the HJT scan was run... I'm also in doubt seeing that Panda was able to delete the file; would it be possible for Panda to have deleted unsrvc.exe if it was a running process?)

The thing is, when rebooting after this cleaning by Panda, the computer got stuck at the login screen. (Note that, previously, it was not set to show a login screen; it would enter Windows directly and load the desktop after the welcome screen.) And when attempting to log in, it just automatically logged off again. It would only say "loading your personal definitions", show the blue background (as when it's about to load the desktop) for only a couple of seconds, and then automatically log off, saying "saving your personal definitions", and that was it. And this would happen even in Safe Mode. So, I'm just stuck in this login/logoff loop, and wondering what step to take next?...

(After some research, I understand now that this is caused by UserInit currently pointing to C:\WINDOWS\system32\unsrvc.exe for login, instead of to C:\WINDOWS\system32\userinit.exe as it should, and as the file C:\WINDOWS\system32\unsrvc.exe isn't there any more since Panda deleted it, this causes the loop and the impossibility of logging in at all, correct? I wasn't at all aware of the importance of this UserInit detail, otherwise I wouldn't have dared to proceed with even the preliminary cleaning without asking for guidance from the start... I guess it goes to show that it may just not always be the most advisable thing to start off with such preliminary cleaning on our own, and only then come for expert help at the forum... Also I always thought that any antimalware/antivirus scanner would always "take care" of any related correction necessary to the registry when removing malware; I always trusted this was how "things worked"?... I've just painfully learned otherwise, so I see...)

This is also why, unfortunately, I'm not able to post here any of the scan logs saved regarding this infection, since I have no access to them as I cannot get into Windows... (Still, I'm hoping I'm posting the topic in the correct section of the forum, as every time before?...)

So, as our home PC was just stuck, my brother brought his girlfriend's laptop, for me to try and do some research in order to try to solve the problem. Later he also asked me, since I was at it, to run all scanners on the laptop and check whether it too was clean. Obviously, I started by updating every antimalware/antivirus program, as well as replacing the old HJT 1.99.1 with the new version 2.0.2, to get me a preliminary log for starters. And here came the biggest surprise of all, as I was to find out that this laptop was also infected, and with the very same trojan unsrvc.exe!!! :thumbsup: Now, how much of a coincidence is that, I thought!!!

(I'm wondering whether this may perhaps be a different "version" of the trojan than the one which infected our home PC, as on this laptop there is no such fake message saying that FlashPlayer is being installed, as there was on our home PC... At least, not ever since I've been working with the laptop. Also, I asked both my brother and his girlfriend whether they had at any time noticed any "sign" that there might be something wrong/that the laptop might be infected, and they said that no, they hadn't noticed anything "unusual"... Hmm... Something odd, though, that I could notice from checking the respective reports, is that curiously and by coincidence all antimalware/antivirus scanners had been run exactly on the same day on which supposedly the infection occurred, and after the time of infection, December 22 at 10:00H, considering the date and time of creation of unsrvc.exe. Ad-Aware, SpyBot, AVG Anti-Spyware and Avast were all run on that day, sometime later than that hour. Now, if one takes into consideration that none of those scanners had been run since August (!), and AVG Anti-Spyware not even since the last time I myself had run it back in March (!), which certainly denotes that they must not care much about doing periodic checkups for threats, then maybe the fact that they ran all scanners on that day perhaps indicates that they did notice some "unusual sign" that something might be wrong, I wonder?... And I wonder then what that sign might have been, and if it might even have been that same fake FlashPlayer install message... But anyway, whatever... Back to unsrvc.exe, I can however confirm that both the file on this laptop and that found on our home PC have the same modification date and time, December 14 at 02:30H, so perhaps it's even the very same version of the trojan after all?...
In any case, and since it's the same infection on both machines, I'm hoping it's ok to post both cases in this one thread, to make it more practical both for me to track it all and hopefully for you to help me, since this way it'll be one and the same helper "dealing" with my case of this unsrvc.exe trojan infection... I hope I'm doing it right, then?)

So, at this point, I'm also "stuck" with the laptop, uncertain of what to do in order to properly remove this trojan without ending up with the same result as on our home PC (the login/logoff loop)?... (I suppose, first fix the necessary registry entries, and get rid of the malicious files only afterwards, no?...)

A few other details regarding this trojan infection on this laptop.

I also ran Ad-Aware + SpyBot + AVG Anti-Spyware + Avast, just to check whether anything would be found by any of these scanners. Nothing relevant was found at this point, though. (Then again, I did not risk running Panda ActiveScan on the laptop, for obvious reasons!)

In the preliminary HJT log, I noticed among the running processes, along with C:\WINDOWS\system32\unsrvc.exe, also C:\WINDOWS\system32\winsrvc.exe, which I had already seen in various HJT logs across the forums, from other users "complaining" of similar infections.

When I later used the laptop offline, I noticed that only unsrvc.exe then appeared in the running processes list in Task Manager, but not winsrvc.exe. Adding to that the fact that this file winsrvc.exe had also been created on the same date as unsrvc.exe, and at about the same time (1 minute later, in fact, at 10:01H), I assumed winsrvc.exe to be part of the same infection too (as I could also confirm afterwards, when analysing the file at virustotal.com), and thus I guessed that the launching of winsrvc.exe might possibly be somehow "dependent" on unsrvc.exe getting connected first?...

At this point I at once installed Sygate Firewall (as this is the firewall we use on our home PC as well, and the one I'm most used to), in order to block unsrvc.exe from getting connected. (This laptop had no firewall other than XP's by then.)

Though, to somehow "test" the possible relation between unsrvc.exe and winsrvc.exe, for one last time I allowed unsrvc.exe to get connected. Upon it first connecting to spectrum.iitalia.com 82.196.5.223 on port 80, it subsequently made various connections to 70.85.197.2 on port 8080, and it was then that winsrvc.exe popped up in the running processes list. According to the firewall traffic log, winsrvc.exe itself, on the other hand, did not attempt to make any connection. Also, from the time I set Sygate Firewall to permanently block unsrvc.exe, never again did winsrvc.exe appear as a running process in Task Manager.

(This also has me wondering whether the file winsrvc.exe actually existed on our home PC. Panda still does not detect this file as malware, up until the last analysis at virustotal.com (today), so the fact alone that it wasn't among the files deleted by Panda ActiveScan when I ran it on our home PC is obviously no "proof" that the file didn't exist; I know. Though actually I also don't think I recall noticing such a file, winsrvc.exe, when I ran the search for files with the same creation/modification date/time as unsrvc.exe... Or perhaps I overlooked it too?... But then, the fact that, on the laptop, winsrvc.exe shows as having been created 1 minute after unsrvc.exe, and also the fact that it is launched only after unsrvc.exe gets connected, I wonder, could it be then that winsrvc.exe eventually only gets created, or even only gets downloaded to the infected computer, once unsrvc.exe is able to establish its very first connection?... And, if unsrvc.exe on our home PC had never been able to establish that first connection, assuming that it had been blocked by Sygate Firewall ever since, then it could even be that winsrvc.exe had never gotten onto our home PC and actually didn't exist there, no?... Hmm...)

In the search for files with the same creation/modification date/time as unsrvc.exe, which I had also run on this laptop, a few other files were found, besides winsrvc.exe as already mentioned. Those other files were: Instalar.exe in the Shared Documents folder C:\Documents and Settings\All Users\Documents\ (this file has the same size as unsrvc.exe and, considering the analysis at virustotal.com, one is to be a copy of the other), sysstr.sys in C:\WINDOWS\, and iospc.sys (0 bytes), drvsrvc.dll (0 bytes), filetemp.tmp and mswinsck.ocx, all 4 of which in C:\WINDOWS\system32\.

Having submitted filetemp.tmp and mswinsck.ocx for analysis at virustotal.com, every time it reported nothing found for both files. Checking the properties of mswinsck.ocx, it says it is the Microsoft Winsock Control DLL, copyright Microsoft Corporation, and processlibrary.com also rates this file as safe. As for filetemp.tmp, however, I do believe that it must be related to this trojan infection as well. Also sysstr.sys, although up until now only Panda detects it as malware (currently it detects it as "Suspicious file", whereas previously it would detect it as Trj/Agent.HFM, the same as it has always detected unsrvc.exe), must certainly be part of the infection too. Note: the first time I checked the properties of sysstr.sys, version tab, the original file name was "iospc.exe" and the internal name was "iospc", whereas at TrendMicro iospc.sys is reported as also being related to this trojan infection. (The file iospc.sys which exists on the laptop is currently a 0 byte file. Yet perhaps sysstr.sys somehow had/has some relation to it?... Perhaps it's its "substitute" in the current "version" of this trojan infection?...) Also I did open the file sysstr.sys with Notepad (not sure whether that was even advisable, or if it was a careless action?... I just wanted to check whether there was any "readable", hopefully helpful, info in there), and among the "readable" lines there, this one did stand out: \ A F : \ F Y A S S \ P r o g r a m a ç ã o \ S p e c t r u m P r o j e c t 0 8 - 1 2 - 2 0 0 7 \ w s c r n t f y - W o r m \ S p e c t r u m A n t i - G B u s t e r \ A n t i G B u s t e r . v b p. spectrum.iitalia.com being the site to which unsrvc.exe always first attempts to connect, I'm guessing this somehow confirms that sysstr.sys must indeed also be related to this trojan infection, no?...

Also, I noticed that, meanwhile, both the properties and the file size of sysstr.sys have changed. As has the file size of filetemp.tmp.

I have also by now noticed that, when booting with the modem cable already connected, in the Temporary Internet Files folder there appears the file url.txt (as TrendMicro also details), and then almost always also the file config.rar, and sometimes yet a third file, exe1.rar. (Analysing both rar files at virustotal.com, it reports nothing found for config.rar, and "Suspicious file" for exe1.rar by Panda, the same detection as for sysstr.sys.) I also noticed that, if the file config.rar is created (downloaded from somewhere, right?), then the modification date and time of filetemp.tmp changes to the same date and time as when the file config.rar was created. (This is also why I believe that the file filetemp.tmp must indeed be related to this trojan infection too.) In the same way, if the file exe1.rar is created (downloaded), then the modification date and time of sysstr.sys also changes to the same date and time as when the file exe1.rar was created. (If, though, only config.rar is created, and exe1.rar isn't, then the modification date and time changes only for filetemp.tmp, and not for sysstr.sys.) As if those two rar files in the Temporary Internet Files folder were for updating the "corresponding" files in the Windows and System32 folders or something (config.rar for updating filetemp.tmp and exe1.rar for updating sysstr.sys, respectively)... Curiously, when the modification date and time happens to change for both files, that of sysstr.sys is always 2 seconds later than that of filetemp.tmp (i.e. seemingly filetemp.tmp always gets modified ahead of sysstr.sys).
Curiously, also, each of the temporary rar files is only 2 bytes smaller than the "corresponding installed file" (the latest config.rar is 8562 bytes while filetemp.tmp is currently 8564 bytes, and the latest exe1.rar is 69632 bytes while sysstr.sys is currently 69634 bytes); plus, if opening each of those 4 files with Notepad, config.rar and filetemp.tmp appear to have the same "characters" content except for config.rar having one less "blank line" at the end, and the same goes for exe1.rar and sysstr.sys, which also appear to have the same "characters" content except for exe1.rar having one less "blank line" at the end too (so I suppose it's that one less "blank line" which makes the temporary rar files 2 bytes smaller than the "corresponding installed file", thus in the end config.rar and exe1.rar must indeed be copies of filetemp.tmp and sysstr.sys, respectively, meant for updating those files, no?)... (Note, however, that, although each time config.rar or exe1.rar are created it does always cause the modification date and time to change for filetemp.tmp and sysstr.sys respectively, I believe it does not necessarily cause the size of filetemp.tmp and the size and/or properties details of sysstr.sys to also change every time, i.e. it's not like "the contents" of filetemp.tmp and sysstr.sys always get "updated" every time config.rar or exe1.rar get into the Temporary Internet Files folder; at least not from what I could notice anyway... Logically the "corresponding installed files", filetemp.tmp and sysstr.sys, must be due to get updated when actual updated versions of config.rar and exe1.rar are "released" by the server site, I guess, of course...)

In any case, for the time being and to be on the safe side, I've since been booting offline every time, i.e. not having the modem cable connected, and only when the laptop finishes booting and the Sygate Firewall icon actually loads in the System Tray do I connect the modem cable and get online. (No url.txt or config.rar or exe1.rar, or any other files for that matter, appear in the Temporary Internet Files folder this way.)

(This whole episode, though, has got me wondering again about whether firewalls do keep a computer protected "from the start" during boot... I mean, how come those temporary internet files get downloaded, while having the firewall set to start with Windows? Or is it actually Sygate's which doesn't load quite early enough to be able to prevent those files from being downloaded? Hmm, and XP's firewall, if that one's supposed to prevent data from getting in and to provide boot time protection, how come the files get downloaded even with XP's firewall on? Or is that because the download of those files results from a previous "outgoing action", by unsrvc.exe I assume, and thus XP's firewall doesn't detect it as "potentially malicious" then?... Hmm... Or does the fact that the files get downloaded come somehow "in consequence" of the fact that unsrvc.exe is there in the Winlogon\Userinit entry in the registry, making it load before all else including the firewall, and therefore making it capable of downloading those files before any firewall can/could actually prevent it?... Hmm, suddenly I do wonder about all this...)

Here are as well all logs/reports concerning the laptop, for your analysis/reference:

preliminary HJT log
(First scan I ran, after having cleaned the temp stuff with CCleaner various times already, and before knowing the laptop was even infected.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:33:18, on 29-12-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\unsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\winsrvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\unsrvc.exe -runservice
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [PelSetupRun] E:\setup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [unsrvc] C:\WINDOWS\system32\unsrvc.exe -runservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 7988 bytes

----------

latest HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:05:03, on 11-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\unsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\unsrvc.exe -runservice
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PelSetupRun] E:\setup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [unsrvc] C:\WINDOWS\system32\unsrvc.exe -runservice
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 9023 bytes

----------

latest Kaspersky Online Virus Scanner report
(I'm including only the entries referring to infected files, to make it shorter. If those referring to all of the locked objects are needed too, though, please let me know, and I'll post the full report promptly.)

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, January 11, 2008 1:14:50 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/01/2008
Kaspersky Anti-Virus database records: 507550
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 68300
Number of viruses found: 1
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 00:40:40

Infected Object Name / Virus Name / Last Action

C:\WINDOWS\system32\unsrvc.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped
C:\WINDOWS\system32\winsrvc.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped
C:\Documents and Settings\All Users\Documents\Instalar.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped
C:\System Volume Information\_restore{CC2C7A74-EDAE-4F7B-85A2-D4751CC14365}\RP60\A0012364.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped
C:\System Volume Information\_restore{CC2C7A74-EDAE-4F7B-85A2-D4751CC14365}\RP60\A0012461.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped
C:\System Volume Information\_restore{CC2C7A74-EDAE-4F7B-85A2-D4751CC14365}\RP61\A0012503.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped
C:\System Volume Information\_restore{CC2C7A74-EDAE-4F7B-85A2-D4751CC14365}\RP61\A0012555.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped
C:\System Volume Information\_restore{CC2C7A74-EDAE-4F7B-85A2-D4751CC14365}\RP61\A0012590.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped

Scan process completed.

----------

(For all VirusTotal reports, I'm as well only including the results for the scanners which actually detect each of the analysed files, to keep it more practical.)

latest report of VirusTotal for unsrvc.exe
(As previously mentioned, the same report is given for Instalar.exe which is identified at VirusTotal as being the same file.)

File unsrvc.exe received on 01.11.2008 14:27:53 (CET)

Antivirus Version Last Update Result

AntiVir 7.6.0.46 2008.01.11 TR/Dldr.VB.bzh.1
AVG 7.5.0.516 2008.01.11 Downloader.Generic6.AAMU
BitDefender 7.2 2008.01.11 Trojan.Downloader.VB.VLM
CAT-QuickHeal 9.00 2008.01.10 TrojanDownloader.VB.bzh
ClamAV 0.91.2 2008.01.11 Trojan.Downloader-20164
DrWeb 4.44.0.09170 2008.01.11 modification of BackDoor.Generic.1629
Ewido 4.0 2008.01.11 Downloader.VB.bzh
FileAdvisor 1 2008.01.11 High threat detected
Fortinet 3.14.0.0 2008.01.11 W32/VB.BZH!tr.dldr
F-Secure 6.70.13030.0 2008.01.11 Trojan-Downloader.Win32.VB.bzh
Ikarus T3.1.1.20 2008.01.11 Trojan-Downloader.Win32.VB.bzh
Kaspersky 7.0.0.125 2008.01.11 Trojan-Downloader.Win32.VB.bzh
McAfee 5204 2008.01.10 Generic PWS.o
Microsoft 1.3109 2008.01.11 TrojanDownloader:Win32/VB.KF
NOD32v2 2783 2008.01.11 a variant of Win32/VB.NKM
Norman 5.80.02 2008.01.10 W32/DLoader.ESHA
Panda 9.0.0.4 2008.01.11 Trj/Agent.HFM
Prevx1 V2 2008.01.11 Heuristic: Suspicious Downloader
Symantec 10 2008.01.11 Downloader
TheHacker 6.2.9.186 2008.01.11 Trojan/Downloader.VB.bzh
VBA32 3.12.2.5 2008.01.11 Trojan-Downloader.Win32.VB.bzh
Webwasher-Gateway 6.6.2 2008.01.11 Trojan.Dldr.VB.bzh.1

Additional information
File size: 323584 bytes
MD5: 112fc78ad176d7076225450973ff1c7e
SHA1: ea806cc7040242c1c4aba5a55c99ccdc7a542918
PEiD: -
Bit9 info: http://fileadvisor.bit9.com/services/extin...225450973ff1c7e
Prevx info: http://info.prevx.com/aboutprogramtext.asp...EB606003EB66A0E

----------

latest report of VirusTotal for winsrvc.exe

File winsrvc.exe received on 01.11.2008 14:39:47 (CET)

Antivirus Version Last Update Result

AntiVir 7.6.0.46 2008.01.11 TR/Dldr.VB.bzh
AVG 7.5.0.516 2008.01.11 Generic9.AGFE
CAT-QuickHeal 9.00 2008.01.10 TrojanDownloader.VB.bzh
ClamAV 0.91.2 2008.01.11 Trojan.Downloader-18692
DrWeb 4.44.0.09170 2008.01.11 modification of BackDoor.Generic.981
Fortinet 3.14.0.0 2008.01.11 W32/VB.BZH!tr.dldr
F-Secure 6.70.13030.0 2008.01.11 Trojan-Downloader.Win32.VB.bzh
Ikarus T3.1.1.20 2008.01.11 Trojan-Downloader.Win32.VB.bzh
Kaspersky 7.0.0.125 2008.01.11 Trojan-Downloader.Win32.VB.bzh
NOD32v2 2783 2008.01.11 Win32/VB.NKH
Norman 5.80.02 2008.01.10 W32/DLoader.ETGQ
Prevx1 V2 2008.01.11 Heuristic: Suspicious File With Covert Attributes
Symantec 10 2008.01.11 Downloader
TheHacker 6.2.9.186 2008.01.11 Trojan/Downloader.VB.bzh
VBA32 3.12.2.5 2008.01.11 Trojan-Downloader.Win32.VB.bzh
Webwasher-Gateway 6.6.2 2008.01.11 Trojan.Dldr.VB.bzh

Additional information
File size: 45058 bytes
MD5: 5e12f6def4b5b5e3341eedb0a30c1341
SHA1: f770b986b1d6c93647046a18bc9f2a2ca7ce677c
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp...6B76F00DD3EB47C

----------

latest report of VirusTotal for sysstr.sys

File sysstr.sys received on 01.11.2008 14:56:01 (CET)

Antivirus Version Last Update Result

Panda 9.0.0.4 2008.01.11 Suspicious file

Additional information
File size: 69634 bytes
MD5: 34e785ab8a6173f15fed31aa47a1a8f7
SHA1: 2741e8606b17212f11a0af0a0b9fdfa10db800e2
PEiD: -

(As mentioned before, Panda previously detected this file as Trj/Agent.HFM.)

----------

Ad-Aware info on the processes unsrvc.exe and winsrvc.exe

[unsrvc.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 896
ThreadCreationTime : 05-01-2008 20:21:18
BasePriority : Normal
FileVersion : 5.01.2600
ProductVersion : 5.01.2600
ProductName : Microsoft Windows Operation System
CompanyName : Microsoft Corporation
InternalName : setup_
OriginalFilename : setup_.exe

(Mind the "Microsoft Windows Operation System", lol...)

[winsrvc.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2588
ThreadCreationTime : 22-12-2007 10:03:12
BasePriority : Normal
FileVersion : 3.00
ProductVersion : 3.00
ProductName : Protect Service
CompanyName : Home
InternalName : protect
OriginalFilename : protect.rar

(On a side note, I've seen in other threads in other forums, other users, who complained of being infected with this trojan too, mentioning that such a file protect.rar was found among the temporary internet files...)

----------

Properties (Version tab) info details for sysstr.sys

File version: 3.3.0.4 (previously: 1.0.0.0)
Description: Deecttonee (previously: Dectone)
Copyright: DDeeccttooncee (previously: Dectone)

Comments: DDecctonne (previously: Dectone)
Company: DDecctonne SSollutiionnss (previously: Dectone Solutions)
Language: English (EUA)
Legal trademarks: Ddecttonee (previously: Dectone)
Original file name: syscom.exe (previously: sysstr.exe / before that: iospc.exe)
Product name: AntiGBuster (previously: Dectone)
Internal name: syscom (previously: sysstr / before that: iospc)
File version: 3.03.0004 (previously: 1.00)
Product version: 3.03.0004 (previously: 1.00)

----------

So, as I was saying above, I wonder then what to do, in order to properly remove this trojan, without coming to the same result as with our home PC (the login/logoff loop)?... First fix the necessary registry entries, and get rid of the malicious files only afterwards; is that the correct way to go, then?... I'd very much appreciate your expert guidance, and thanks already, for all help. (My doubts at this point are: If I must first fix those two entries in HJT which refer to unsrvc.exe, the F2 and the O4 entries, then should I reboot afterwards, to only then remove the malicious files? What if rebooting without having the malicious files removed makes them recreate those registry entries? Of course one can try, and check whether the registry entries would come back after reboot, when the malicious files are still there... Should that be the way, then? Or must the registry fixes be made and the malicious files be removed, everything at once, and only then reboot? Remove the malicious files manually? In Safe Mode? Set them to be removed on reboot with HJT? With KillBox? Have a combination of online virus scanners remove them (those which they detect)? Back about that F2 entry in HJT, fix it in HJT? Manually edit the value for that key, in regedit? Apply a regfix such as that provided on this help page? My concern is if, by fixing this F2 entry in HJT, it makes HJT reset the value of the key to what it should be by default, "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,", or? Or does HJT only delete the malicious value, "Userinit"="C:\\WINDOWS\\system32\\unsrvc.exe -runservice", assuming that that must be there in addition to the default, and thus causing the value for Userinit to actually become "empty"?
My fear comes from the fact that, currently, the value for Userinit is really only this: "C:\\WINDOWS\\system32\\unsrvc.exe -runservice", this isn't there in addition to the default value or anything, there's really only "C:\\WINDOWS\\system32\\unsrvc.exe -runservice". If fixing this via HJT, will the default value "C:\\WINDOWS\\system32\\userinit.exe," be restored for sure, then, yes? Or?... Oh dear, I'm really sorry for all the, I suppose, silly questioning, but I just really am afraid of any step going wrong and that I may end up with also this laptop "stuck" in such login/logoff loop... :))

----------

And back to the start then, back to our home PC stuck in the login/logoff loop, (which is also my main concern after all), what step must I take next, then, in order to solve this situation, I wonder?... When I was first faced with the situation, at once I panicked, as at once my thought was that this was certainly a "no return" situation, and so I thought that the only "solution" to such a case should inevitably be having to format C:\... Moreover, after some research for other cases of such trojan infection, the few pages found by the time also didn't sound too cheering (various other users had also come to the same login/logoff loop, and eventually ended up formatting; even a helper in a forum plainly replied to someone "if you can't start the system, then I see no other solution than to format")...

(At once, at this point, a doubt came up, and I wonder if it's ok to share it here?... Well, you see, this computer was bought second-hand and, while it has only one physical hard-drive, there were two "local disks" on My Computer, disk C:\ and disk F:\. I suppose then that those were two partitions in which the physical hard-drive must have been "divided" when it was prepared for installing the OS... correct?... I really am pretty much lay when it comes to the "computer's world", so I only hope I'm not actually saying nonsense words, sorry if I am... :wacko: So, my doubt here was: in such a case that one would have to format the partition in which the OS is installed in order to re-install the OS afterwards, and in this specific case that partition being C:\; in such a case, when formatting C:\, would that cause also the contents of, in this specific case, F:\ to be erased/lost as well, or?... I do really wonder... From what I've been reading, from what I can understand, I believe the answer to my question is "no"; no contents of any other partition are erased/lost, other than those of the partition which is formatted... correct?... Yet, as I just ain't 100% certain, I thought I'd take the chance to share the doubt here, in hope for a straight-forward "yes or no" answer... Or, isn't this actually a straight-forward "yes or no" answer kind of matter?... :))

By the time I also considered to choose to "reset" the system to the "last known good configuration" (from the startup menu one gets when hitting F8 on boot). But then, as every other case I had read about of other users who had the same infection and had also tried this option, seemingly that didn't work for anyone, so I dropped the thought myself too... (Also, as I've never tried this before, and wasn't quite even sure of whether that might do good or eventually wrong to "my case", I didn't feel all too confident to try it anyway... Should I still?...)

Thankfully though, as time passed on and more similar topics popped up around, I could learn that there may be a chance that formatting C:\ may not be so inevitable after all... (Fingers crossed here!) I came across a few "fix alternatives", as follows:

1) http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

Suggested by the site admin on this other Internet Security dedicated forum is to use the boot CD available from the site above in order to be able to edit the registry and change the necessary value for Userinit. According to the instructions in that post, (also see the detailed walkthrough-guide on using this boot disk for instructions on each preceding step), upon loading the SOFTWARE part of the registry (which is the part including the Winlogon\Userinit key and thus the one needed to be loaded for editing) and "entering" the registry editor, one must write on the prompt >

cd Microsoft
cd Windows NT
cd CurrentVersion
cd Winlogon
ed Userinit

(I take it that these sequential "cd" commands are for changing from one key level to another in order to get us to the Winlogon key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, where there's Userinit which we want to edit, thus the "ed" for Userinit there, correct? My only doubt is regarding the "Windows NT" in there... cos of the space between "Windows" and "NT"... are spaces allowed in such command line prompts, or?...)

It is said that at this point the value for Userinit should be displayed, yet, since it's corrupted, nothing should appear. One should then just write:

userinit.exe

(Which I take it is for editing/changing the current value for Userinit, the malicious unsrvc.exe -runservice, for the necessary default userinit.exe, correct? I wonder, though, what should one do in the event that a value for Userinit is displayed initially, upon entering the command "ed Userinit" before?...)

And then follow the prompts, in order to save the changes, and reboot.

So I wonder, should this be a/the method to consider, or?... (It seems to be pretty much straight-forward... Anyone by chance "familiar" with this boot disk?...) Please advise.

---

2) http://thinkinginpixels.com/quick-fixes/fi...onlog-off-loop/

Instructions here are to apply the provided reg fix by using BartPE boot CD. Should this be a/the preferred method? (I'm not familiar with using BartPE boot CD either... Though I'm well aware that this is pretty much the "reference boot disk" for mostly everyone! Only "hesitation" for me here is that, for going for this, I would still have to create the XP CD slipstreamed with SP2, since the CD we have is of XP without SP2... Oh dear, I wonder only if I'm capable of doing this "procedure" successfully... :) Hmm, maybe it's just better to try to ask any friend who may have an XP CD including SP2 already, for lending it to us for this... Or, can't it be done with a borrowed CD?...)

---

3) http://www.winxptutor.com/wsaremove.htm

Down the page there's also reference to dealing with such a login/logoff loop. Instructions there do not refer specifically to the malicious file I'm dealing with myself, yet, assuming that those may be adapted to my case (don't know if they may at all, though?), would this also be a/the method to consider, or?... (Two doubts here. At once: seen that the computer runs XP SP2, can the XP CD be used for launching the Recovery Console? Or does it too have to be an XP CD with SP2?... And also: what about the Run key also referring to unsrvc.exe? What would happen then, if copying the file userinit.exe as unsrvc.exe, in this case that this Run key exists, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run > "unsrvc"="C:\\WINDOWS\\system32\\unsrvc.exe -runservice"? Would or might this cause any problem, or?...)

---

4) ERUNT

I do have ERUNT installed in our home PC. Don't actually have it set for making a backup on each boot, but, I do make backups regularly, so there should be a backup recent enough for restoring the registry to a state previous to the infection, in order to get those unsrvc.exe-related entries fixed and thus consequently the login/logoff loop as well (correct?). So, ERUNT being an option for me, should this be a/the preferred method after all? (Also never used ERUNT for restoring the registry before... :blink: But heck, any time has to be the first, right? My doubt here is: the "Recovery Console method" is no valid option for my case, seen that, according to the ERUNT instructions, "Note that you can use this method only if you saved the registry backup inside the Windows folder, and that using this procedure only the system registry is restored.", and, while I do indeed have the registry backups saved inside the Windows folder as by default, the part of the registry which I need restored is the SOFTWARE part and not the SYSTEM one, and therefore the "Recovery Console method" just wouldn't do, in my case, correct? Thus the "BartPE method" is then the one I should go for, right? A doubt here too: seen that the SOFTWARE part of the registry is that we want fixed, would it then be ok/advisable to restore only that part of the registry, the SOFTWARE part? Or is it just best/advisable to simply restore the registry in full? One last general/basic doubt: if the registry is restored to a date previous to, for example, some legit program had been installed, then chances are that that program will afterwards be "broken"/not function, correct? I mean, hmm, I don't think that should be my case, as I don't think I have installed any program after the last registry backup, but still anyway... Thought of asking, just to know it, for reference for any future time...)

----------

So, to sum it up: Both computers, the home PC and the laptop, both are infected with the same banker trojan (unsrvc.exe).

-> After a preliminary cleaning, the home PC got "stuck" in login/logoff loop. What to do in order to "recover" it from such login/logoff loop (to then proceed with removing the remainder of the trojan infection)?

-> And what procedure to take, in order to clean the laptop from the same trojan infection, without causing it too to end up "stuck" in such login/logoff loop?

I do thank you in advance for all of your patience with my "case" (and with all of my questioning and doubts and sometimes perhaps even confusing explanation of things) as much as I truly appreciate all guidance/help you may please provide to hopefully solving it. :)

(And yet I do as well apologise for the rather long post, and all the many details included, some even perhaps useless, I don't know, but in any case I thought I'd detail it all the most I could, hoping that it may be of help, who knows, to any other users "googling" for helpful hints in any such similar case as mine... Thank you for your understanding, and again, patience, overall.)

P.S. Just to add that, just in case some of the aforementioned malicious/suspicious files may be required for further analysis, I do have those concerning the laptop infection (unsrvc.exe, winsrvc.exe, sysstr.sys, filetemp.tmp, config.rar, exe1.rar, url.txt, and iospc.sys and drvsrvc.dll though as mentioned these two are currently 0 bytes files), as well as part of those concerning the home PC infections (unsrvc.exe and install_flash_player.exe, plus bpfvmo.exe and the zip file which originally included this malware), all backed up in password-protected archives, should you require the files.

P.P.S. And since the year is just starting, best wishes of a great 2008 to all at BC! :)

Edited by DeLuk, 12 January 2008 - 11:51 AM.
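The Userinit question raised in the post above (whether fixing the F2 entry must write the stock value back rather than only delete the foreign one, since on this laptop the stock entry is absent) and the related Run entry pointing at the same file, worked through as an added example. This script is written for this thread and is not part of HijackThis, ERUNT, Combofix or any tool the post names. It parses HijackThis-style F2 and O4 lines, reports which Userinit programs are foreign and whether the stock userinit.exe is still present, lists Run entries that launch the same executable as a foreign Userinit program, and computes the value a repair should write back. The sample lines are copied from the HJT log in the post; the stock path is the Windows XP default quoted in the post, and the `allowed` parameter (for an organisation that knowingly adds its own logon program) is an assumption of this example.

```python
"""Added example for this thread (not HijackThis or ERUNT code): check a
Winlogon Userinit value taken from HijackThis-style log lines and compute
the value a repair should write back."""
import re

# Stock Windows XP Userinit entry (as quoted in the post). The value is a
# comma-separated list of programs Winlogon launches at logon; the trailing
# comma is normal. If the list ends up empty or points only at a missing or
# failing program, the desktop never starts and the user is logged off again
# at once, which is the login/logoff loop the post describes.
STOCK_ENTRY = r"C:\WINDOWS\system32\userinit.exe"
DEFAULT_USERINIT = STOCK_ENTRY + ","

# HJT line shapes: "F2 - REG:system.ini: UserInit=<value>" and
# "O4 - <hive>\..\Run: [<name>] <command line>"
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def exe_path(cmd: str) -> str:
    """Return the executable part of a command line, lower-cased.

    Handles quoted paths followed by arguments as well as unquoted paths
    followed by arguments such as '-runservice'.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).lower()
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    if m:
        return m.group(1).lower()
    return cmd.split()[0].lower() if cmd else ""


def userinit_programs(value: str) -> list:
    """Split a Userinit value into its non-empty program entries."""
    return [p.strip() for p in value.split(",") if p.strip()]


def check_userinit(value: str) -> dict:
    """Report foreign Userinit entries and whether the stock entry survives.

    In the post's log the stock entry is absent, so deleting the foreign
    entry alone would leave Userinit empty and reproduce the loop.
    """
    progs = userinit_programs(value)
    stock = STOCK_ENTRY.lower()
    return {
        "foreign": [p for p in progs if exe_path(p) != stock],
        "has_default": any(exe_path(p) == stock for p in progs),
    }


def repaired_userinit(value: str, allowed: tuple = ()) -> str:
    """Value to write back: the stock entry first, then only entries whose
    executable is explicitly allowed (assumed parameter), trailing comma kept."""
    allowed_lower = {a.lower() for a in allowed}
    keep = [p for p in userinit_programs(value) if exe_path(p) in allowed_lower]
    return ",".join([STOCK_ENTRY] + keep) + ","


def analyze_hjt(log_text: str) -> dict:
    """Walk HJT lines: find the Userinit value, check it, and list every Run
    entry that launches the same executable as a foreign Userinit program."""
    userinit = None
    run_entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            userinit = m.group("value")
            continue
        m = O4_RE.match(line)
        if m:
            run_entries.append((m.group("hive"), m.group("name"), m.group("cmd")))
    result = {"userinit": userinit, "userinit_check": None, "related_run_entries": []}
    if userinit is not None:
        chk = check_userinit(userinit)
        foreign_exes = {exe_path(p) for p in chk["foreign"]}
        result["userinit_check"] = chk
        result["related_run_entries"] = [
            e for e in run_entries if exe_path(e[2]) in foreign_exes
        ]
    return result


# Constructed sample: four lines copied from the HJT log in the post.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\unsrvc.exe -runservice
O4 - HKLM\..\Run: [unsrvc] C:\WINDOWS\system32\unsrvc.exe -runservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"""

if __name__ == "__main__":
    report = analyze_hjt(SAMPLE_LOG)
    print("Userinit value  :", report["userinit"])
    print("foreign entries :", report["userinit_check"]["foreign"])
    print("stock present   :", report["userinit_check"]["has_default"])
    print("related O4 lines:", report["related_run_entries"])
    print("value to restore:", repaired_userinit(report["userinit"]))
```

The script only reports; it never edits the registry. Its `repaired_userinit` output is the full stock value, which is what an offline edit (such as the `ed Userinit` step in option 1 above) should end up writing, rather than an emptied value, and the related O4 list shows which Run entry would need attention in the same pass.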



#2 rookie147

Posted 12 January 2008 - 02:36 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

I'd also like to see a new HijackThis log, please. Have you tried booting your other PC using the Last Known Good Configuration?
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 DeLuk (Topic Starter)

Posted 12 January 2008 - 11:58 AM

Hi Charles, and thank you so much, for your prompt reply and assistance. :blink:

Regarding the laptop:

Did as you instructed and here are both logs as requested (note: please find the log of ComboFix in the post below):

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:30:22, on 12-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PelSetupRun] E:\setup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [unsrvc] C:\WINDOWS\system32\unsrvc.exe -runservice
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 8746 bytes

----------

When running ComboFix, a balloon from GoogleToolbarNotifier popped up in the System Tray, warning "search settings change detected". I took no action. It later disappeared.

After ComboFix finished, I rebooted to get a fresh HJT log. Upon reboot, a message from XP's firewall came up, saying that it had blocked ActiveSync RAPI Manager and asking whether it should be kept blocked or be unblocked. As ActiveSync on this computer is related to my brother's GPS device, I chose to unblock it (I thought I'd better, as I don't want to "break" any of its functions or something when he later uses his GPS device)...

unsrvc.exe no longer shows as a running process in Task Manager (the Run key referring to it still exists, however). (Also, I notice that its icon has changed, from the "setup"-like kind of icon it had previously (the greyish one, showing a computer, a software box and a CD), to the "generic application" kind of icon (just a white window with the blue bar on top), and the Version tab is no longer available from its Properties.)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon > "Userinit"="C:\\WINDOWS\\system32\\unsrvc.exe -runservice" is also now restored to its default HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon > "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

Then again, Avast just updated and detected the file C:\Documents and Settings\All Users\Documents\Instalar.exe (which, as previously mentioned, was a copy of the original file unsrvc.exe) to be a trojan, Win32:VB-GNY [Trj]. (For now I chose to take no action on it. Is it ok, though, to quarantine/remove it at once, or?)

Please advise on whatever step is to take next, in order to get rid of the remainder of the infection (namely also with regards to the rest of the files referred before). Thank you.

----------

Regarding the PC:

Have you tried booting your other PC using the Last Known Good Configuration?


As I mentioned in my initial post:

At the time I also considered choosing to "reset" the system to the "last known good configuration" (from the startup menu one gets when hitting F8 on boot). But then, as in every other case I had read about of other users who had the same infection and had also tried this option, it seemingly didn't work for anyone, so I dropped the thought myself too... (Also, as I've never tried this before, and wasn't even quite sure whether that might do good or eventually harm to "my case", I didn't feel all too confident to try it anyway... Should I still?...)


Should I then anyway try this, before anything else?

Though, then again, from reading the respective Microsoft KB article...

When you start your computer by using the Last Known Good Configuration feature, Windows XP restores information in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet

Note Any changes that were made to other registry keys remain.

  • The Last Known Good Configuration feature uses information that is saved from the last time that you shut down your computer to restore registry settings and drivers. Therefore, you can use this feature only if you were able to start your computer successfully before you restore your computer by using the last known good configuration.


Just not sure now, whether trying this would actually have any result, after all, with regards to this particular case?... (I mean, if the registry key which does get restored is HKLM\System\CurrentControlSet, while it is stated that "any changes that were made to other registry keys remain", and whereas the key which must be causing trouble supposedly is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon > "Userinit"="C:\\WINDOWS\\system32\\unsrvc.exe -runservice", hmm, I wonder then, should it be expected to work at all, trying the "last known good configuration" option, or?... Also, the PC has actually been shut down quite a few times already by now, as it was more than once that I did try to see if it would boot, be it to Normal or Safe Mode, thus, being stated that "the Last Known Good Configuration feature uses information that is saved from the last time that you shut down your computer to restore registry settings", hmm, I wonder again, perhaps it makes it useless then, to try this option at this point, or?... Perhaps these are in the end even the reasons why, so it seems, the "last known good configuration" didn't appear to work for anyone who had tried it after coming to the login/logoff loop when having the same trojan infection?...)

Should I still try it, nonetheless? Please do advise.

And thank you, once more, for all help. :thumbsup:

P.S. Ok I've just cut the ComboFix log from this post and will post it in an own post below, so this gets easier to read...

Edited by DeLuk, 13 January 2008 - 06:42 AM.
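
Added example, not from this thread: a short Python check of the two points discussed above, whether a Winlogon "Userinit" value still launches userinit.exe, and whether Last Known Good Configuration would even touch that key (it only rolls back HKLM\System\CurrentControlSet, as the KB text quoted says). The REGEDIT4 sample is constructed, modelled on the hijacked value quoted in the post; the default value is the one given above.

```python
import re

# Default Userinit value on Windows XP, as quoted in the thread (trailing comma included).
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# The only subtree Last Known Good Configuration rolls back, per the KB text quoted above.
LKGC_SCOPE = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet"

HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
                "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}


def normalize_key(path):
    """Expand hive abbreviations and lower-case the path (registry paths are case-insensitive)."""
    hive, sep, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return (hive + sep + rest).lower()


def restored_by_lkgc(path):
    """True only for keys under HKLM\\System\\CurrentControlSet; anything else
    (Winlogon lives under HKLM\\SOFTWARE) keeps its current value after an LKGC boot."""
    key = normalize_key(path)
    scope = LKGC_SCOPE.lower()
    return key == scope or key.startswith(scope + "\\")


_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_regedit4(text):
    """Parse string values from a REGEDIT4 export into {normalized_key: {name: value}}.
    Only "name"="string" lines are handled; that is all this check needs."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line[1:-1])
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                name, escaped = m.groups()
                # REGEDIT4 escapes backslashes and quotes with a backslash.
                keys[current][name] = re.sub(r"\\(.)", r"\1", escaped)
    return keys


def _is_userinit(entry):
    """True if this comma-separated Userinit entry is userinit.exe itself (arguments allowed)."""
    return re.search(r"(?:^|\\)userinit\.exe(?:\s|$)", entry.lower()) is not None


def assess_userinit(value):
    """Classify a Userinit value (comma-separated programs run at every logon).
    has_userinit False means userinit.exe itself is no longer launched, so the
    desktop never starts; if the substitute file is then removed, logon fails
    outright (the logon/logoff loop described in the thread)."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return {
        "default": value.strip().lower() == DEFAULT_USERINIT.lower(),
        "has_userinit": any(_is_userinit(e) for e in entries),
        "extra": [e for e in entries if not _is_userinit(e)],
    }


def audit_export(text):
    """Pull the Winlogon Userinit value out of an export, assess it, and note
    whether LKGC could have reverted that key at all."""
    keys = parse_regedit4(text)
    value = keys.get(normalize_key(WINLOGON_KEY), {}).get("Userinit")
    return {
        "userinit": value,
        "assessment": assess_userinit(value) if value is not None else None,
        "lkgc_would_restore": restored_by_lkgc(WINLOGON_KEY),
    }


# Constructed sample export, modelled on the hijacked value quoted in the thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\unsrvc.exe -runservice"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"unsrvc"="C:\\WINDOWS\\system32\\unsrvc.exe -runservice"
'''

if __name__ == "__main__":
    result = audit_export(SAMPLE_EXPORT)
    print("Userinit:", result["userinit"])
    print("assessment:", result["assessment"])
    print("LKGC would restore the Winlogon key:", result["lkgc_would_restore"])
```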


#4 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:12:24 PM

Posted 12 January 2008 - 12:02 PM

ComboFix log

ComboFix 08-01-11.3 - SONIA 2008-01-12 15:19:25.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1552 [GMT 0:00]
Running from: C:\Documents and Settings\SONIA\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drvsrvc.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))
.

2008-01-12 15:16 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 12:33 . 2008-01-10 12:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-10 12:33 . 2008-01-10 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-02 21:21 . 2008-01-02 21:21 <DIR> d-------- C:\Documents and Settings\SONIA\Application Data\OpenOffice.org2
2008-01-02 21:18 . 2008-01-02 21:18 <DIR> d-------- C:\Documents and Settings\SONIA\Application Data\FaxCtr
2008-01-02 21:12 . 2008-01-02 21:12 <DIR> d-------- C:\Program Files\Lexmark Fax Solutions
2008-01-02 21:12 . 2008-01-02 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FaxCtr
2008-01-02 21:11 . 2008-01-02 21:11 <DIR> d-------- C:\Program Files\Lexmark Toolbar
2008-01-02 21:11 . 2008-01-02 21:11 <DIR> d-------- C:\Program Files\Lexmark 2400 Series
2008-01-02 21:11 . 2008-01-02 21:11 <DIR> d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-01-02 21:10 . 2006-02-03 03:24 1,183,744 --a------ C:\WINDOWS\system32\lxcrserv.dll
2008-01-02 21:07 . 2008-01-02 21:07 <DIR> d-------- C:\Program Files\OpenOffice.org 2.3
2008-01-02 19:03 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-02 19:03 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-02 19:03 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-02 19:03 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-01-02 19:03 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-01-02 19:03 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-01-02 19:03 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-02 19:02 . 2008-01-02 19:03 <DIR> d-------- C:\Program Files\Sygate
2008-01-02 19:02 . 2008-01-02 19:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-29 19:19 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-29 19:18 . 2007-12-29 19:18 <DIR> d-------- C:\Program Files\Java
2007-12-29 19:18 . 2007-12-29 19:18 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-29 19:17 . 2007-12-29 19:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-22 20:52 . 2007-12-22 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gogii
2007-12-22 10:54 . 2007-12-22 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-22 10:01 . 2007-12-22 10:01 45,058 --a------ C:\WINDOWS\system32\winsrvc.exe
2007-12-22 10:00 . 323,584 C:\WINDOWS\system32\unsrvc.exe
2007-12-22 10:00 . 2007-12-22 10:00 108,338 --a------ C:\WINDOWS\system32\mswinsck.ocx
2007-12-22 10:00 . 2008-01-08 21:55 69,634 --a------ C:\WINDOWS\sysstr.sys
2007-12-22 10:00 . 2008-01-09 11:23 8,564 --a------ C:\WINDOWS\system32\filetemp.tmp
2007-12-22 10:00 . 2007-12-22 10:00 0 --a------ C:\WINDOWS\system32\iospc.sys
2007-12-16 12:22 . 2007-12-16 12:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Awem
2007-12-14 14:24 . 2007-12-14 14:24 <DIR> d-------- C:\Program Files\Svetlograd
2007-12-14 14:13 . 2007-12-14 14:13 <DIR> d-------- C:\Program Files\Mystery Case Files - Huntsville
2007-12-14 14:01 . 2007-12-14 14:01 <DIR> d-------- C:\Program Files\Forgotten Riddles - The Mayan Princess
2007-12-14 13:46 . 2007-12-14 13:46 <DIR> d-------- C:\Program Files\The Magicians Handbook - Cursed Valley
2007-12-14 13:26 . 2007-12-14 13:26 <DIR> d-------- C:\Program Files\Pirateville
2007-12-14 12:42 . 2007-12-14 12:42 <DIR> d-------- C:\Program Files\Holly - A Christmas Tale
2007-12-14 11:53 . 2007-12-14 11:53 <DIR> d-------- C:\Program Files\Mystery in London
2007-12-13 22:00 . 2007-12-13 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Christmasville
2007-12-12 20:14 . 2007-12-12 20:14 <DIR> d-------- C:\Documents and Settings\SONIA\Application Data\Magic Academy
2007-12-12 18:05 . 2007-12-12 18:05 <DIR> d--hs---- C:\WINDOWS\ftpcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-05 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-12-02 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecretsOfOlympus
2007-12-02 16:24 --------- d-----w C:\Program Files\Mystery of Shark Island
2007-12-02 16:22 --------- d-----w C:\Program Files\Private Eye - Greatest Unsolved Mysteries
2007-11-30 11:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-28 18:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Legacy Interactive
2007-11-27 21:38 --------- d-----w C:\Documents and Settings\SONIA\Application Data\Big Fish Games
2007-11-24 22:38 --------- d-----w C:\Documents and Settings\SONIA\Application Data\Jane s Hotel
2007-11-24 21:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-11-23 21:31 --------- d-----w C:\Documents and Settings\SONIA\Application Data\Flood Light Games
2007-11-23 21:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Flood Light Games
2007-11-15 15:46 --------- d-----w C:\Documents and Settings\SONIA\Application Data\iWin
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 09:55 3,065,856 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 17:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-16 02:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 15:06 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 15:25 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-02-22 21:40 106496]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-21 08:51 7335936]
"nwiz"="nwiz.exe" [2005-11-21 08:51 1519616 C:\WINDOWS\system32\nwiz.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-06 05:39 14850560 C:\WINDOWS\RTHDCPL.EXE]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-20 23:26 761945]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09 987136]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 11:51 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 11:52 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 11:56 569413]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 17:13 86016]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 15:20 180224]
"ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [2006-01-02 19:14 61440]
"SMSERIAL"="sm56hlpr.exe" [2005-05-26 16:12 544768 C:\WINDOWS\sm56hlpr.exe]
"PelSetupRun"="E:\setup.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-18 23:48 185896]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"unsrvc"="C:\WINDOWS\system32\unsrvc.exe" [ ]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2006-01-22 17:45 286720]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 05:10 98304]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 08:11 290816]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 18:38 65536]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 17:47 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-16 02:00 15360]

C:\Documents and Settings\SONIA\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ASUS ChkMail.lnk - C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe [2006-11-14 20:27:37]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04]

R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2004-09-03 16:38]
S3 GTF32BUS;GT F32 BUS;C:\WINDOWS\system32\DRIVERS\gtf32bus.sys [2005-12-08 08:45]
S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2005-12-06 10:40]
S3 GTSCSER;GT SC SER;C:\WINDOWS\system32\DRIVERS\gtscser.sys [2005-12-06 10:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3133a370-9d94-11db-ad9d-0018de978965}]
\Shell\Auto\command - G:\RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 15:21:09
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
LXCFCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-12 15:21:29
ComboFix-quarantined-files.txt 2008-01-12 15:21:28
.
2008-01-10 10:21:00 --- E O F ---

----------

#5 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:12:24 PM

Posted 12 January 2008 - 03:44 PM

Just not sure now, whether trying this would actually have any result, after all, with regards to this particular case?... (I mean, if the registry key which does get restored is HKLM\System\CurrentControlSet, while it is stated that "any changes that were made to other registry keys remain", and whereas the key which must be causing trouble supposedly is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon > "Userinit"="C:\\WINDOWS\\system32\\unsrvc.exe -runservice", hmm, I wonder then, should it be expected to work at all, trying the "last known good configuration" option, or?... Also, the PC has actually been shut down quite a few times already by now, as it was more than once that I did try to see if it would boot, be it to Normal or Safe Mode, thus, being stated that "the Last Known Good Configuration feature uses information that is saved from the last time that you shut down your computer to restore registry settings", hmm, I wonder again, perhaps it makes it useless then, to try this option at this point, or?... Perhaps these are in the end even the reasons why, so it seems, the "last known good configuration" didn't appear to work for anyone who had tried it after coming to the login/logoff loop when having the same trojan infection?...)

I apologise, I misphrased my question; I meant to say "Can you try booting your other PC using the Last Known Good Configuration?" Whilst I agree with your point that it may not work, at this critical stage I think that it is definitely worth a try - you never know, it might solve the problem.

Then again, Avast just updated, and just detected the file C:\Documents and Settings\All Users\Documents\Instalar.exe (which, as previously mentioned, was a copy of the original file unsrvc.exe) to be a trojan, Win32:VB-GNY [Trj]. (For now I chose to take no action on it. Is it ok, though, to quarentine/remove it at once, or?)

Next time you receive this warning I would like you to quarantine the file.

Start AVG Anti-Spyware:
Click the Update tab then select Start update; a progress bar will show the updates being installed.
Now press the Scanner icon, and click the Settings tab.
Click Recommended actions, then set it to Quarantine.
Close the programme now, we will scan with it later on.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\winsrvc.exe
C:\WINDOWS\system32\unsrvc.exe


Open 'file' in the killbox menu on top and choose Paste from clipboard
You must use the file menu--pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to reboot now, click "yes".
Click OK at any Pending File Rename Operations prompts, and let me know if they appear.
If you don't get that message, reboot manually.
Make sure you reboot your computer into Safe Mode.

Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

Launch AVG Anti-Spyware by double clicking the icon on your Desktop.
Press the Scanner icon.
Then click on the Complete System Scan button.
If any infections are found, you will be asked for an action; select Apply all actions.
Now press the Reports icon at the top.
Choose Save report as and save the text file to your Desktop.
Please post this log in your next reply.

Reboot into Normal Mode, and include the AVG log along with a new Combofix log and the WinPFind report in your reply.

Edited by rookie147, 12 January 2008 - 03:47 PM.



#6 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:12:24 PM

Posted 13 January 2008 - 06:39 AM

Hi again, Charles, and thanks again for the quick reply. :thumbsup:

Regarding the PC and the "last known good configuration" boot option: ok tried it now. Yet, no, so it didn't work after all. :blink:

I would thus very much appreciate your advising on what should be the next step to try. (Which way would you recommend as best to try to recover from this login/logoff loop situation?) Thanks, once more, for any help with this case.

----------

Regarding the laptop:

Ok, file C:\Documents and Settings\All Users\Documents\Instalar.exe quarantined by Avast, now.

Unfortunately I could not proceed with the follow-up instructions, though, seeing that I'm not able to download WinPFind (and as running WinPFind was a step in between the rest, I chose not to do any of it without confirming with you first). Seemingly, the file isn't available from the location you pointed to:

404 ERROR: Page Not Found!

The requested page http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip could not be found on this server.


Hmm, is there by chance any other place to download WinPFind from? (Or should I use an alternative release of WinPFind, then, in order to generate the report you need for analysis?) Please advise.

Thank you for your understanding and patience.

Edited by DeLuk, 13 January 2008 - 07:00 AM.


#7 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:12:24 PM

Posted 13 January 2008 - 07:21 AM

It looks like WinPFind has moved.

Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop. I can promise you that this time it will not print out all the Trusted Sites.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.

If you are pleased with the service I have offered, you may like to consider making a donation.
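What the helper looks for when the report comes in is, among other things, autostart entries whose target file no longer exists (an orphaned Run value such as the `unsrvc -> %System32%\unsrvc.exe -> File not found` line in the log posted later in this thread) and entries whose file carries no company or version information. The script below is an added example, written for this page and not part of the thread, of WinPFind or of any tool the helpers use; it parses a constructed sample in the format of the WinPFind35U "[Registry - Non-Microsoft Only]" section and flags those two classes of entry for review.

```python
"""Triage of WinPFind35U autostart entries: flag orphaned and anonymous items."""
import re
from typing import List, NamedTuple, Tuple

# Constructed sample mirroring the "[Registry - Non-Microsoft Only]" section of a
# WinPFind35U report. It is assumed/constructed for this example, not the real log.
SAMPLE_REPORT = r"""
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
avast! -> %SystemDrive%\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 79224 bytes | Modified Date = 04-12-2007 13:00:24 | Attr = ]
nwiz -> %System32%\nwiz.exe -> [Ver = | Size = 1519616 bytes | Modified Date = 21-11-2005 8:51:00 | Attr = ]
PelSetupRun -> E:\setup.exe -> File not found
unsrvc -> %System32%\unsrvc.exe -> File not found
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 17-06-2007 15:06:10 | Attr = ]
"""

# "< Section > -> registry key ->" header lines
SECTION_RE = re.compile(r"^< (?P<section>.+?) > -> (?P<key>.*?) ->$")
# "name -> target -> detail" entry lines
ENTRY_RE = re.compile(r"^(?P<name>.*?)\s*-> (?P<target>.+?) -> (?P<detail>.+)$")
# "Company [Ver = ... | Size = N bytes | Modified Date = ... | Attr = ...]" detail part
DETAIL_RE = re.compile(
    r"^(?P<company>.*?)\s*\[Ver =\s*(?P<ver>.*?)\s*\| Size = (?P<size>\d+) bytes"
    r" \| Modified Date = (?P<mtime>[^|]+?) \| Attr = (?P<attr>.*?)\]$"
)


class Entry(NamedTuple):
    section: str   # e.g. "Run [HKEY_LOCAL_MACHINE\]"
    name: str      # registry value name or startup item
    target: str    # the file the entry launches
    company: str   # company string WinPFind read from the file's version info
    missing: bool  # True when WinPFind reported "File not found"


def parse_entries(report: str) -> List[Entry]:
    """Parse autostart entries from the registry section of a WinPFind35U report."""
    entries: List[Entry] = []
    section = ""
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # policy values, "*MultiFile Done*" markers and similar lines
        detail = m.group("detail").strip()
        dm = DETAIL_RE.match(detail)
        company = dm.group("company").strip() if dm else ""
        entries.append(Entry(section, m.group("name").strip(), m.group("target").strip(),
                             company, detail == "File not found"))
    return entries


def orphaned_autostarts(report: str) -> List[str]:
    """Names of autostart entries whose target no longer exists on disk."""
    return [e.name for e in parse_entries(report) if e.missing]


def anonymous_autostarts(report: str) -> List[str]:
    """Names of entries whose file exists but carries no company in its version info."""
    return [e.name for e in parse_entries(report) if not e.missing and not e.company]


def triage(report: str) -> List[Tuple[Entry, str]]:
    """Pair each suspicious entry with a short reviewer note."""
    findings: List[Tuple[Entry, str]] = []
    for e in parse_entries(report):
        if e.missing:
            findings.append((e, "orphaned: target missing, leftover entry should be removed"))
        elif not e.company:
            findings.append((e, "anonymous: no company/version info, verify the file's origin"))
    return findings


if __name__ == "__main__":
    for entry, note in triage(SAMPLE_REPORT):
        print(f"{entry.section:28} {entry.name:14} {entry.target:48} {note}")
```

An orphaned entry is not harmful by itself (the file is gone), but it records where a removed program used to live and is exactly what a cleanup should tidy up; an entry with no company string is only a prompt to look closer, since plenty of legitimate vendor utilities (nwiz.exe in the sample) ship without version resources.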


#8 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:12:24 PM

Posted 13 January 2008 - 02:36 PM

Regarding the laptop, ok then, I've now completed your previous instructions (with the exception of course that I ran the scan with WinPFind35U instead of WinPFind, as instructed).

A couple notes, before posting the requested logs.

After answering "yes" on the KillBox prompt for reboot, no such "Pending File Rename Operations" prompts appeared. Also, the computer did reboot automatically, no manual reboot was necessary.

Upon rebooting to Safe Mode, so I ran WinPFind35U, as instructed before. Unfortunately, though, I was not able to proceed with this scan in Safe Mode, since I could not locate "File - Additional Folder Scans" under "Additional Scans". Due to the monitor's low resolution, I just could not get to that line below. (I did even try changing the monitor's resolution, but it accepted no higher resolution than 800x600 as it was; I suppose the graphic related drivers that get loaded in Safe Mode don't support any other resolution, not in this computer anyway, so it seems. And I did try scrolling down, but for some reason it just wouldn't go anywhere below the line "Reg - Software Policy Settings"; even though, moving down with the arrow key, I knew there were more lines below that one; yet I just wasn't able to see them.) Seen that I had booted to Safe Mode already anyway, so I continued with the AVG Anti-Spyware scan, and ran the scan with WinPFind35U later after rebooting back to Normal Mode. (I hope this was ok to do? If not, though, do let me know, and I'll try it again in Safe Mode. Though I sincerely have no idea how I could possibly manage to?...)

Another "set-back" yet, though, came with the AVG Anti-Spyware scan, which, for some reason did not generate a report for the scan made (at least I could not see/locate it)! :wacko: (Yes, AVG Anti-Spyware is of course set to generate reports "Automatically after each scan"!)

I did take note of the threats detected, though, so I'm hoping that to be of some (enough?) help... AVG Anti-Spyware did detect 2 threats, namely the file unsrvc.exe stored in KillBox's backup folder C:\!KillBox\, and another exe file in System Restore, both identified as Downloader.VB.bzh. As instructed, both files detected have so been quarantined.

Ok, and upon rebooting back to Normal Mode, so I ran WinPFind35U, following to which I so ran also ComboFix. (When running ComboFix, again I got the same message from Google Toolbar Notifier, saying that it had blocked an attempt by another program to change the search settings, and also, upon rebooting afterwards, again I got the same message from XP's firewall, regarding ActiveSync RAPI Manager.) Please find both logs, WinPFind35U's and ComboFix's, on own posts, following to this one.

Thank you, again, for all help. :)

P.S. Hmm, just wondering, only, with regards to WinPFind35U's log, why is it that the one saved from copying and pasting the report which popped up upon scan completion says to be of a different size than the WinPFind35.txt file which is in the WinPFind35u folder on the Desktop?... The first is 53,7 KB while the latter is 107 KB, though then again they do appear to have the same contents, hmm, should that be supposed to be odd, or?...

P.S.2 Ok, just ran another scan with AVG Anti-Spyware (now in Normal Mode), and curiously again it generated no report... :thumbsup: It detected a new trace of Downloader.VB.bzh in System Restore (yes, I know we'll rid of these "for good" when in the final we reset System Restore, yes), which again I chose to quarantine, yet, also again, there was no report of the scan just made. I wonder... (Could it be that's due to there being too many previous reports stored?... Though there's also only 5 reports stored in the Reports folder, and 4 reports stored in the Quarantine folder, these 4 by the way being the only ones listed in the Reports section of AVG Anti-Spyware... Could it be perhaps some bug resulting from some recent update or something, I wonder?... Hmm... Oh well, I'll choose to remove all reports then, and run yet another scan, to check whether that comes up to any different result, with regards to generating scan reports...)

...

Well, coincidence or not, after removing all old logs, AVG Anti-Spyware does seem to have now "returned to normal" and does again generate a new report for every new scan. Just ran a bunch of quick ones, and for each, a report was there. (Odd, was it not?... :blink: I do wonder, what was it, causing the lack of reports, before... Also, I do keep wondering, why are reports currently being saved in the Quarantine folder?... Shouldn't it be in the Reports one instead?... Or am I mistaken actually? Hmm... Anyway, whatever, think I'll maybe just set with re-installing AVG Anti-Spyware from scratch, later after we're done with all the cleaning/fixing here, just to see whether that changes or remains or... Odd, indeed...)

P.S.3 The latest update of Avast now also detects the file winsrvc.exe (which is backed up in KillBox's folder C:\!KillBox\). Detected as Win32:Trojan-gen {VB}. Is it also ok to quarantine this one too at once, or? (Or should I rather eliminate it simply by deleting all backups made by KillBox from within KillBox itself via File > Cleanup? Do please advise.)

Edited by DeLuk, 13 January 2008 - 08:41 PM.


#9 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:12:24 PM

Posted 13 January 2008 - 02:37 PM

WinPFind35U report

WinPFind35 logfile created on: 13-01-2008 17:04:06
WinPFind35U Version Beta22 Folder = C:\Documents and Settings\SONIA\Desktop\WinPFind35u
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)

2,00 Gb Total Physical Memory | 1,60 Gb Available Physical Memory | 79,85% Memory free
3,85 Gb Paging File | 3,51 Gb Available in Paging File | 91,30% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 53,56 Gb Total Space | 28,73 Gb Free Space | 53,64% Space Free | Partition Type: FAT32
Drive D: | 35,67 Gb Total Space | 35,67 Gb Free Space | 99,99% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: TOITA
Current User Name: SONIA
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user


[Processes - Non-Microsoft Only]
evteng.exe -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> Intel Corporation [Ver = 10, 1, 1, 1 | Size = 114753 bytes | Modified Date = 14-04-2006 11:43:02 | Attr = ]
s24evmon.exe -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> Intel Corporation [Ver = 10, 1, 1, 34 | Size = 540745 bytes | Modified Date = 14-04-2006 11:44:58 | Attr = ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 17272 bytes | Modified Date = 04-12-2007 14:36:34 | Attr = ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 140664 bytes | Modified Date = 04-12-2007 13:00:16 | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 22-12-2007 10:44:26 | Attr = ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.8293 | Size = 143426 bytes | Modified Date = 21-11-2005 8:51:00 | Attr = ]
regsrvc.exe -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> Intel Corporation [Ver = 10, 1, 1, 1 | Size = 217164 bytes | Modified Date = 14-04-2006 11:42:26 | Attr = ]
hcontrol.exe -> %SystemRoot%\ATK0100\HControl.exe -> [Ver = 1043, 2, 15, 56 | Size = 106496 bytes | Modified Date = 22-02-2006 21:40:40 | Attr = ]
pdvdserv.exe -> %ProgramFiles%\ASUSTeK\ASUSDVD\PDVDServ.exe -> Cyberlink Corp. [Ver = 6.00.1027 | Size = 32768 bytes | Modified Date = 02-11-2004 20:24:46 | Attr = ]
rthdcpl.exe -> %SystemRoot%\RTHDCPL.EXE -> Realtek Semiconductor Corp. [Ver = 2.0.1.2 | Size = 14850560 bytes | Modified Date = 06-09-2005 5:39:08 | Attr = ]
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.2.0 21Oct05 | Size = 761945 bytes | Modified Date = 20-10-2005 23:26:48 | Attr = ]
wcourier.exe -> %ProgramFiles%\Wireless Console 2\wcourier.exe -> [Ver = 2, 0, 2, 0 | Size = 987136 bytes | Modified Date = 17-10-2005 17:09:34 | Attr = ]
zcfgsvc.exe -> %ProgramFiles%\Intel\Wireless\bin\ZCfgSvc.exe -> Intel Corporation [Ver = 10, 1, 1, 45 | Size = 667718 bytes | Modified Date = 14-04-2006 11:51:52 | Attr = ]
ifrmewrk.exe -> %ProgramFiles%\Intel\Wireless\Bin\ifrmewrk.exe -> Intel Corporation [Ver = 10, 1, 1, 19 | Size = 602182 bytes | Modified Date = 14-04-2006 11:52:18 | Attr = ]
eouwiz.exe -> %ProgramFiles%\Intel\Wireless\Bin\EOUWiz.exe -> Intel Corporation [Ver = 10, 1, 1, 17 | Size = 569413 bytes | Modified Date = 14-04-2006 11:56:12 | Attr = ]
sm56hlpr.exe -> %SystemRoot%\sm56hlpr.exe -> Motorola Inc. [Ver = 6.10.03-120 | Size = 544768 bytes | Modified Date = 26-05-2005 16:12:00 | Attr = ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3760 | Size = 185896 bytes | Modified Date = 18-12-2006 23:48:38 | Attr = ]
ashdisp.exe -> %SystemDrive%\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 79224 bytes | Modified Date = 04-12-2007 13:00:24 | Attr = ]
ezprint.exe -> %ProgramFiles%\Lexmark 2400 Series\ezprint.exe -> Lexmark International Inc. [Ver = 2.1.0.8 | Size = 98304 bytes | Modified Date = 07-02-2006 5:10:34 | Attr = ]
dot1xcfg.exe -> %SystemDrive%\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe -> Intel Corporation [Ver = 10, 1, 1, 84 | Size = 397381 bytes | Modified Date = 14-04-2006 11:49:28 | Attr = ]
atkosd.exe -> %SystemRoot%\ATK0100\ATKOSD.exe -> [Ver = 1043, 2, 15, 56 | Size = 2170880 bytes | Modified Date = 21-02-2006 0:25:58 | Attr = ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 17-06-2007 15:06:10 | Attr = ]
chkmail.exe -> %ProgramFiles%\ASUS\Asus ChkMail\ChkMail.exe -> asus [Ver = 1043, 1, 15, 5 | Size = 32768 bytes | Modified Date = 12-09-2003 20:25:30 | Attr = ]
lxcrcoms.exe -> %System32%\lxcrcoms.exe -> [Ver = 99.99.99.99 | Size = 495616 bytes | Modified Date = 03-02-2006 3:11:22 | Attr = ]
winpfind35u.exe -> %UserDesktop%\WinPFind35u\WinPFind35U.exe -> OldTimer Tools [Ver = 1.0.0.0 | Size = 294400 bytes | Modified Date = 06-01-2008 13:17:10 | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 17272 bytes | Modified Date = 04-12-2007 14:36:34 | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 140664 bytes | Modified Date = 04-12-2007 13:00:16 | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 247160 bytes | Modified Date = 04-12-2007 12:59:54 | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 345464 bytes | Modified Date = 04-12-2007 12:59:02 | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 22-12-2007 10:44:26 | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 16-03-2006 2:00:00 | Attr = ]
(EvtEng) Intel® PROSet/Wireless Event Log [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> Intel Corporation [Ver = 10, 1, 1, 1 | Size = 114753 bytes | Modified Date = 14-04-2006 11:43:02 | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 22-02-2007 18:37:16 | Attr = ]
(iPod Service) iPod Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\iPod\bin\iPodService.exe -> File not found
(lxcf_device) lxcf_device [Win32_Own | On_Demand | Stopped] -> %System32%\lxcfcoms.exe -> [Ver = 1.154.19.0 | Size = 491520 bytes | Modified Date = 25-07-2005 19:25:18 | Attr = ]
(lxcr_device) lxcr_device [Win32_Own | On_Demand | Running] -> %System32%\lxcrcoms.exe -> [Ver = 99.99.99.99 | Size = 495616 bytes | Modified Date = 03-02-2006 3:11:22 | Attr = ]
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.8293 | Size = 143426 bytes | Modified Date = 21-11-2005 8:51:00 | Attr = ]
(RegSrvc) Intel® PROSet/Wireless Registry Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> Intel Corporation [Ver = 10, 1, 1, 1 | Size = 217164 bytes | Modified Date = 14-04-2006 11:42:26 | Attr = ]
(S24EventMonitor) Intel® PROSet/Wireless Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> Intel Corporation [Ver = 10, 1, 1, 34 | Size = 540745 bytes | Modified Date = 14-04-2006 11:44:58 | Attr = ]
(SmcService) Sygate Personal Firewall [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Sygate\SPF\smc.exe -> Sygate Technologies, Inc. [Ver = 5.6.00.2808 | Size = 2577632 bytes | Modified Date = 15-10-2004 19:40:56 | Attr = ]

[Driver Services - Non-Microsoft Only]
(Aavmker4) avast! Asynchronous Virus Monitor [Kernel | System | Running] -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 26624 bytes | Modified Date = 04-12-2007 14:49:02 | Attr = ]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] -> -> File not found
(abp480n5) abp480n5 [Kernel | Disabled | Stopped] -> -> File not found
(adpu160m) adpu160m [Kernel | Disabled | Stopped] -> -> File not found
(AegisP) AEGIS Protocol (IEEE 802.1x) v3.4.10.0 [Kernel | Auto | Running] -> %System32%\DRIVERS\AegisP.sys -> Meetinghouse Data Communications [Ver = 3.4.10.0 | Size = 21275 bytes | Modified Date = 14-11-2006 20:25:18 | Attr = ]
(Aha154x) Aha154x [Kernel | Disabled | Stopped] -> -> File not found
(aic78u2) aic78u2 [Kernel | Disabled | Stopped] -> -> File not found
(aic78xx) aic78xx [Kernel | Disabled | Stopped] -> -> File not found
(AliIde) AliIde [Kernel | Disabled | Stopped] -> -> File not found
(amsint) amsint [Kernel | Disabled | Stopped] -> -> File not found
(asc) asc [Kernel | Disabled | Stopped] -> -> File not found
(asc3350p) asc3350p [Kernel | Disabled | Stopped] -> -> File not found
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> -> File not found
(aswMon2) avast! Standard Shield Support [File_System | Auto | Running] -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 94544 bytes | Modified Date = 04-12-2007 14:55:46 | Attr = ]
(aswRdr) aswRdr [Kernel | On_Demand | Running] -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 23152 bytes | Modified Date = 04-12-2007 14:53:40 | Attr = ]
(aswTdi) avast! Network Shield Support [Kernel | System | Running] -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 42912 bytes | Modified Date = 04-12-2007 14:51:52 | Attr = ]
(Atdisk) Atdisk [Kernel | Disabled | Stopped] -> -> File not found
(AVG Anti-Spyware Driver) AVG Anti-Spyware Driver [Kernel | System | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.sys -> [Ver = | Size = 11000 bytes | Modified Date = 22-12-2007 10:44:24 | Attr = ]
(AvgAsCln) AVG Anti-Spyware Clean Driver [Kernel | System | Running] -> %System32%\DRIVERS\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Modified Date = 05-09-2006 17:03:16 | Attr = ]
(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] -> -> File not found
(Changer) Changer [Kernel | System | Stopped] -> -> File not found
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> -> File not found
(Cpqarray) Cpqarray [Kernel | Disabled | Stopped] -> -> File not found
(dac960nt) dac960nt [Kernel | Disabled | Stopped] -> -> File not found
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %System32%\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 799744 bytes | Modified Date = 16-03-2006 2:00:00 | Attr = ]
(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %System32%\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153344 bytes | Modified Date = 16-03-2006 2:00:00 | Attr = ]
(dmload) dmload [Kernel | Boot | Running] -> %System32%\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 16-03-2006 2:00:00 | Attr = ]
(dpti2o) dpti2o [Kernel | Disabled | Stopped] -> -> File not found
(GTF32BUS) GT F32 BUS [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\gtf32bus.sys -> Option N.V. [Ver = 2.0.1.3 | Size = 32640 bytes | Modified Date = 08-12-2005 8:45:40 | Attr = ]
(GTPTSER) GT PT SER [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\gtptser.sys -> Option N.V. [Ver = 1.6.0.0 | Size = 8064 bytes | Modified Date = 06-12-2005 10:40:20 | Attr = ]
(GTSCSER) GT SC SER [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\gtscser.sys -> Option N.V. [Ver = 1.5.0.0 | Size = 19328 bytes | Modified Date = 06-12-2005 10:40:02 | Attr = ]
(HdAudAddService) Microsoft UAA Function Driver for High Definition Audio Service [Kernel | On_Demand | Stopped] -> %System32%\drivers\HdAudio.sys -> Windows ® Server 2003 DDK provider [Ver = 5.10.01.5013 built by: WinDDK | Size = 145920 bytes | Modified Date = 07-01-2005 17:07:16 | Attr = ]
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %System32%\DRIVERS\HDAudBus.sys -> Windows ® Server 2003 DDK provider [Ver = 5.10.01.5013 built by: WinDDK | Size = 138752 bytes | Modified Date = 07-01-2005 17:07:18 | Attr = ]
(hpn) hpn [Kernel | Disabled | Stopped] -> -> File not found
(HPZius12) USB to IEEE-1284.4 Translation Driver HPZius12 [Kernel | On_Demand | Stopped] -> %System32%\DRIVERS\HPZius12.sys -> HP [Ver = 10, 1, 0, 3 | Size = 21568 bytes | Modified Date = 21-10-2005 18:52:48 | Attr = ]
(i2omgmt) i2omgmt [Kernel | System | Stopped] -> -> File not found
(i2omp) i2omp [Kernel | Disabled | Stopped] -> -> File not found
(ini910u) ini910u [Kernel | Disabled | Stopped] -> -> File not found
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> %System32%\drivers\RtkHDAud.sys -> Realtek Semiconductor Corp. [Ver = 5.10.00.5165 built by: WinDDK | Size = 3959808 bytes | Modified Date = 07-09-2005 23:20:52 | Attr = ]
(IntelIde) IntelIde [Kernel | Disabled | Stopped] -> -> File not found
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] -> -> File not found
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> -> File not found
(MTsensor) ATK0100 ACPI UTILITY [Kernel | On_Demand | Running] -> %System32%\DRIVERS\ATKACPI.sys -> [Ver = 1043, 2, 15, 46 | Size = 5632 bytes | Modified Date = 17-02-2005 8:07:48 | Attr = ]
(nv) nv [Kernel | On_Demand | Running] -> %System32%\DRIVERS\nv4_mini.sys -> NVIDIA Corporation [Ver = 6.14.10.8293 | Size = 3600512 bytes | Modified Date = 21-11-2005 8:51:00 | Attr = ]
(odysseyIM4) Odyssey Network Agent Miniport [Kernel | On_Demand | Running] -> %System32%\DRIVERS\odysseyIM4.sys -> Funk Software, Inc. [Ver = 2.74.0.1020 | Size = 173056 bytes | Modified Date = 03-09-2004 16:38:16 | Attr = ]
(PCIDump) PCIDump [Kernel | System | Stopped] -> -> File not found
(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] -> -> File not found
(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(PDRELI) PDRELI [Kernel | On_Demand | Stopped] -> -> File not found
(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(perc2) perc2 [Kernel | Disabled | Stopped] -> -> File not found
(perc2hib) perc2hib [Kernel | Disabled | Stopped] -> -> File not found
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %System32%\DRIVERS\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 16-03-2006 2:00:00 | Attr = ]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %System32%\Drivers\PxHelp20.sys -> Sonic Solutions [Ver = 2.03.32a | Size = 20640 bytes | Modified Date = 12-12-2006 16:30:24 | Attr = ]
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> -> File not found
(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] -> -> File not found
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> -> File not found
(ql1240) ql1240 [Kernel | Disabled | Stopped] -> -> File not found
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> -> File not found
(rimsptsk) rimsptsk [Kernel | On_Demand | Running] -> %System32%\DRIVERS\rimsptsk.sys -> REDC [Ver = 1.00.01.12 | Size = 51328 bytes | Modified Date = 12-07-2005 19:00:30 | Attr = ]
(risdptsk) risdptsk [Kernel | Boot | Running] -> %System32%\DRIVERS\risdptsk.sys -> REDC [Ver = 1.0.3.6 | Size = 27904 bytes | Modified Date = 14-07-2005 12:14:34 | Attr = ]
(RTL8023xp) Realtek 10/100/1000 NIC Family all in one NDIS XP Driver [Kernel | On_Demand | Running] -> %System32%\DRIVERS\Rtenicxp.sys -> Realtek Semiconductor Corporation [Ver = 5.638.1116.2005 built by: WinDDK | Size = 78976 bytes | Modified Date = 16-11-2005 1:08:16 | Attr = ]
(s24trans) Transporte WLAN [Kernel | Auto | Running] -> %System32%\DRIVERS\s24trans.sys -> Intel Corporation [Ver = 10, 1, 1, 3 | Size = 13568 bytes | Modified Date = 14-04-2006 13:04:08 | Attr = ]
(Secdrv) Secdrv [Kernel | Auto | Running] -> %System32%\DRIVERS\secdrv.sys -> Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. [Ver = 4.03.086 | Size = 20480 bytes | Modified Date = 13-11-2007 10:25:54 | Attr = ]
(Simbad) Simbad [Kernel | Disabled | Stopped] -> -> File not found
(smserial) smserial [Kernel | On_Demand | Running] -> %System32%\DRIVERS\smserial.sys -> Motorola Inc. [Ver = SM56 Rel. 6.10 Build 03 Preview 120 | Size = 839724 bytes | Modified Date = 26-05-2005 16:19:00 | Attr = ]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> -> File not found
(symc810) symc810 [Kernel | Disabled | Stopped] -> -> File not found
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> -> File not found
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> -> File not found
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> -> File not found
(SynTP) Synaptics TouchPad Driver [Kernel | On_Demand | Running] -> %System32%\DRIVERS\SynTP.sys -> Synaptics, Inc. [Ver = 8.2.0 21Oct05 | Size = 191936 bytes | Modified Date = 20-10-2005 23:13:08 | Attr = ]
(Teefer) Teefer for NT [Kernel | Boot | Running] -> %System32%\Drivers\Teefer.sys -> Sygate Technologies, Inc. [Ver = 1.60.1101 | Size = 60496 bytes | Modified Date = 15-10-2004 18:17:02 | Attr = ]
(TosIde) TosIde [Kernel | Disabled | Stopped] -> -> File not found
(ultra) ultra [Kernel | Disabled | Stopped] -> -> File not found
(ViaIde) ViaIde [Kernel | Disabled | Stopped] -> -> File not found
(vsdatant) vsdatant [Kernel | Disabled | Stopped] -> -> File not found
(w39n51) Intel® PRO/Wireless 3945ABG Adapter Driver [Kernel | On_Demand | Running] -> %System32%\DRIVERS\w39n51.sys -> Intel® Corporation [Ver = 10, 1, 1, 3 | Size = 1429632 bytes | Modified Date = 04-04-2006 3:17:24 | Attr = ]
(WDICA) WDICA [Kernel | On_Demand | Stopped] -> -> File not found
(wg3n) SyGate for NT, wg3n [Kernel | Auto | Running] -> %System32%\Drivers\wg3n.sys -> Sygate Technologies, Inc. [Ver = 1.01.1223 | Size = 14568 bytes | Modified Date = 15-10-2004 18:32:38 | Attr = ]
(wg4n) SyGate for NT, wg4n [Kernel | Auto | Running] -> %System32%\Drivers\wg4n.sys -> Sygate Technologies, Inc. [Ver = 1.01.1223 | Size = 14568 bytes | Modified Date = 15-10-2004 18:32:40 | Attr = ]
(wg5n) SyGate for NT, wg5n [Kernel | Auto | Running] -> %System32%\Drivers\wg5n.sys -> Sygate Technologies, Inc. [Ver = 1.01.1223 | Size = 14568 bytes | Modified Date = 15-10-2004 18:32:42 | Attr = ]
(wg6n) SyGate for NT, wg6n [Kernel | Auto | Running] -> %System32%\Drivers\wg6n.sys -> Sygate Technologies, Inc. [Ver = 1.01.1223 | Size = 14568 bytes | Modified Date = 15-10-2004 18:32:44 | Attr = ]
(wpsdrvnt) wpsdrvnt [Kernel | System | Running] -> %System32%\drivers\wpsdrvnt.sys -> Sygate Technologies, Inc. [Ver = 1, 0, 0, 17 | Size = 21075 bytes | Modified Date = 15-10-2004 18:18:46 | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
ABLKSR -> %SystemRoot%\ABLKSR\ABLKSR.exe -> ASYSTeK Computer INC. [Ver = 1, 1, 0, 0 | Size = 61440 bytes | Modified Date = 02-01-2006 19:14:36 | Attr = ]
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\Reader_sl.exe -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 39792 bytes | Modified Date = 10-10-2007 19:51:56 | Attr = ]
ASUS Live Update -> %ProgramFiles%\ASUS\ASUS Live Update\ALU.exe -> [Ver = 1, 0, 0, 1 | Size = 180224 bytes | Modified Date = 21-02-2006 15:20:54 | Attr = ]
avast! -> %SystemDrive%\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 79224 bytes | Modified Date = 04-12-2007 13:00:24 | Attr = ]
EOUApp -> %ProgramFiles%\Intel\Wireless\Bin\EOUWiz.exe -> Intel Corporation [Ver = 10, 1, 1, 17 | Size = 569413 bytes | Modified Date = 14-04-2006 11:56:12 | Attr = ]
EzPrint -> %ProgramFiles%\Lexmark 2400 Series\ezprint.exe -> Lexmark International Inc. [Ver = 2.1.0.8 | Size = 98304 bytes | Modified Date = 07-02-2006 5:10:34 | Attr = ]
FaxCenterServer -> %ProgramFiles%\Lexmark Fax Solutions\fm3032.exe -> [Ver = 0.1.35.8 | Size = 290816 bytes | Modified Date = 02-02-2006 8:11:28 | Attr = ]
HControl -> %SystemRoot%\ATK0100\HControl.exe -> [Ver = 1043, 2, 15, 56 | Size = 106496 bytes | Modified Date = 22-02-2006 21:40:40 | Attr = ]
High Definition Audio Property Page Shortcut -> %System32%\HDAShCut.exe -> Windows ® Server 2003 DDK provider [Ver = 5.10.01.5013 built by: WinDDK | Size = 61952 bytes | Modified Date = 07-01-2005 17:07:16 | Attr = ]
IntelWireless -> %ProgramFiles%\Intel\Wireless\Bin\ifrmewrk.exe -> Intel Corporation [Ver = 10, 1, 1, 19 | Size = 602182 bytes | Modified Date = 14-04-2006 11:52:18 | Attr = ]
IntelZeroConfig -> %ProgramFiles%\Intel\Wireless\bin\ZCfgSvc.exe -> Intel Corporation [Ver = 10, 1, 1, 45 | Size = 667718 bytes | Modified Date = 14-04-2006 11:51:52 | Attr = ]
LXCFCATS -> %System32%\spool\DRIVERS\W32X86\3\LXCFtime.DLL -> [Ver = 0.1.11.5 | Size = 73728 bytes | Modified Date = 20-07-2005 17:47:32 | Attr = ]
LXCRCATS -> %System32%\spool\DRIVERS\W32X86\3\LXCRtime.DLL -> [Ver = | Size = 65536 bytes | Modified Date = 01-12-2005 18:38:40 | Attr = ]
lxcrmon.exe -> %ProgramFiles%\Lexmark 2400 Series\lxcrmon.exe -> [Ver = 0.1.25.0 | Size = 286720 bytes | Modified Date = 22-01-2006 17:45:08 | Attr = ]
NeroFilterCheck -> %System32%\NeroCheck.exe -> Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 09-07-2001 11:50:42 | Attr = ]
NvCplDaemon -> %System32%\NvCpl.DLL -> NVIDIA Corporation [Ver = 6.14.10.8293 | Size = 7335936 bytes | Modified Date = 21-11-2005 8:51:00 | Attr = ]
nwiz -> %System32%\nwiz.exe -> [Ver = | Size = 1519616 bytes | Modified Date = 21-11-2005 8:51:00 | Attr = ]
PelSetupRun -> E:\setup.exe -> File not found
Power_Gear -> %ProgramFiles%\ASUS\Power4 Gear\BatteryLife.exe -> ASUSTeK Computer Inc. [Ver = 1043, 6, 15, 116 | Size = 86016 bytes | Modified Date = 06-03-2006 17:13:56 | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5 | Size = 282624 bytes | Modified Date = 16-02-2007 10:54:04 | Attr = ]
RemoteControl -> %ProgramFiles%\ASUSTeK\ASUSDVD\PDVDServ.exe -> Cyberlink Corp. [Ver = 6.00.1027 | Size = 32768 bytes | Modified Date = 02-11-2004 20:24:46 | Attr = ]
RTHDCPL -> %SystemRoot%\RTHDCPL.EXE -> Realtek Semiconductor Corp. [Ver = 2.0.1.2 | Size = 14850560 bytes | Modified Date = 06-09-2005 5:39:08 | Attr = ]
SmcService -> %SystemDrive%\PROGRA~1\Sygate\SPF\smc.exe -> Sygate Technologies, Inc. [Ver = 5.6.00.2808 | Size = 2577632 bytes | Modified Date = 15-10-2004 19:40:56 | Attr = ]
SMSERIAL -> %SystemRoot%\sm56hlpr.exe -> Motorola Inc. [Ver = 6.10.03-120 | Size = 544768 bytes | Modified Date = 26-05-2005 16:12:00 | Attr = ]
SynTPEnh -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 8.2.0 21Oct05 | Size = 761945 bytes | Modified Date = 20-10-2005 23:26:48 | Attr = ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3760 | Size = 185896 bytes | Modified Date = 18-12-2006 23:48:38 | Attr = ]
unsrvc -> %System32%\unsrvc.exe -> File not found
Wireless Console 2 -> %ProgramFiles%\Wireless Console 2\wcourier.exe -> [Ver = 2, 0, 2, 0 | Size = 987136 bytes | Modified Date = 17-10-2005 17:09:34 | Attr = ]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL-> Installed = 1 ->
MAPI-> Installed = 1 ->
MSFS-> Installed = 1 ->
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 17-06-2007 15:06:10 | Attr = ]
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
-> %AllUsersStartup%\desktop.ini -> [Ver = | Size = 84 bytes | Modified Date = 14-11-2006 19:32:04 | Attr = HS]
%AllUsersStartup%\ASUS ChkMail.lnk -> %ProgramFiles%\ASUS\Asus ChkMail\ChkMail.exe -> asus [Ver = 1043, 1, 15, 5 | Size = 32768 bytes | Modified Date = 12-09-2003 20:25:30 | Attr = ]
< SONIA Startup Folder > -> C:\Documents and Settings\SONIA\Start Menu\Programs\Startup ->
-> %UserStartup%\desktop.ini -> [Ver = | Size = 84 bytes | Modified Date = 14-11-2006 19:32:04 | Attr = HS]
%UserStartup%\SpywareGuard.lnk -> %ProgramFiles%\SpywareGuard\sgmain.exe -> [Ver = 2.02.0001 | Size = 360448 bytes | Modified Date = 29-08-2003 19:05:36 | Attr = ]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 22-12-2007 10:44:20 | Attr = ]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
*MultiFile Done* -> ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*MultiFile Done* -> ->
*MultiFile Done* -> ->
*MultiFile Done* -> ->
*MultiFile Done* -> ->
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< HOSTS File > (648085 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://www.asus.com ->
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.google.com/ie ->
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ->
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home ->
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://www.google.com/ie ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\Search Bar -> http://www.google.com/ie ->
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.google.com ->
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.google.pt/ ->
HKEY_CURRENT_USER\: Search\\SearchAssistant -> http://www.google.com/ie ->
HKEY_CURRENT_USER\: SearchURL\\ -> http://www.google.com/search?q=%s[gogl] ->
HKEY_CURRENT_USER\: ProxyEnable -> 0 ->
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. ->
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 6193 domain(s) found. ->
40 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 22-10-2006 23:08:42 | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\PROGRA~1\SPYBOT~1\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 31-05-2005 1:04:00 | Attr = ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 25-09-2007 1:11:34 | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\google\googletoolbar3.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 19-01-2007 23:55:32 | Attr = R ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 2, 0, 301, 7164 | Size = 325048 bytes | Modified Date = 17-06-2007 15:06:10 | Attr = ]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 19-01-2007 23:55:32 | Attr = R ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 19-01-2007 23:55:32 | Attr = R ]
ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 19-01-2007 23:55:32 | Attr = R ]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 25-09-2007 1:11:34 | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 25-09-2007 1:11:34 | Attr = ]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 25-09-2007 1:11:34 | Attr = ]
CmdMapping\\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xportar para o Microsoft Excel -> -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find...=%s&mime=%s ->
< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ->
SV1 -> ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{1717AA3C-F331-4D05-8E12-F332CEF648C5} -> (Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC) ->
{4131EA65-3C8F-4272-8840-24F656972202} -> (1394 Net Adapter) ->
{554F0062-7F38-49AB-ACF4-4214B3F62DAD} -> (Intel® PRO/Wireless 3945ABG Network Connection) ->
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[] -> File not found
msdaipp: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened.[] -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}[HKEY_LOCAL_MACHINE] -> http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab[CKAVWebScan Object] ->
{233C1507-6A77-46A4-9443-F871F945D258}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/pub/shock...director/sw.cab[Shockwave ActiveX Control] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab[Java Plug-in 1.6.0_03] ->
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}[HKEY_LOCAL_MACHINE] -> http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab[Reg Error: Key does not exist or could not be opened.] ->
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab[Java Plug-in 1.6.0_03] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab[Java Plug-in 1.6.0_03] ->
[Files/Folders - Created Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 2146881536 bytes | Created Date = 13-01-2008 16:42:59 | Attr = HS]
!KillBox -> %SystemDrive%\!KillBox -> [Folder | Created Date = 13-01-2008 15:02:41 | Attr = ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Created Date = 12-01-2008 15:16:48 | Attr = ]
wpsdrvnt.sys -> %System32%\drivers\wpsdrvnt.sys -> Sygate Technologies, Inc. [Ver = 1, 0, 0, 17 | Size = 21075 bytes | Created Date = 02-01-2008 19:03:05 | Attr = ]
wg3n.sys -> %System32%\drivers\wg3n.sys -> Sygate Technologies, Inc. [Ver = 1.01.1223 | Size = 14568 bytes | Created Date = 02-01-2008 19:03:06 | Attr = ]
Teefer.sys -> %System32%\drivers\Teefer.sys -> Sygate Technologies, Inc. [Ver = 1.60.1101 | Size = 60496 bytes | Created Date = 02-01-2008 19:03:06 | Attr = ]
wg6n.sys -> %System32%\drivers\wg6n.sys -> Sygate Technologies, Inc. [Ver = 1.01.1223 | Size = 14568 bytes | Created Date = 02-01-2008 19:03:07 | Attr = ]
wg4n.sys -> %System32%\drivers\wg4n.sys -> Sygate Technologies, Inc. [Ver = 1.01.1223 | Size = 14568 bytes | Created Date = 02-01-2008 19:03:07 | Attr = ]
wg5n.sys -> %System32%\drivers\wg5n.sys -> Sygate Technologies, Inc. [Ver = 1.01.1223 | Size = 14568 bytes | Created Date = 02-01-2008 19:03:07 | Attr = ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 29-12-2007 19:19:20 | Attr = ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 29-12-2007 19:19:20 | Attr = ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Created Date = 29-12-2007 19:19:20 | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 12-01-2008 15:16:46 | Attr = ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Created Date = 29-12-2007 19:19:20 | Attr = ]
lxcr.loc -> %System32%\lxcr.loc -> [Ver = | Size = 1688 bytes | Created Date = 02-01-2008 21:10:49 | Attr = ]
iospc.sys -> %System32%\iospc.sys -> [Ver = | Size = 0 bytes | Created Date = 22-12-2007 10:00:27 | Attr = ]
lxcrcomc.dll -> %System32%\lxcrcomc.dll -> [Ver = 99.99.99.99 | Size = 610304 bytes | Created Date = 02-01-2008 21:10:49 | Attr = ]
filetemp.tmp -> %System32%\filetemp.tmp -> [Ver = | Size = 8564 bytes | Created Date = 22-12-2007 10:00:30 | Attr = ]
lxcrcomm.dll -> %System32%\lxcrcomm.dll -> [Ver = 99.99.99.99 | Size = 421888 bytes | Created Date = 02-01-2008 21:10:50 | Attr = ]
lxcrcoms.exe -> %System32%\lxcrcoms.exe -> [Ver = 99.99.99.99 | Size = 495616 bytes | Created Date = 02-01-2008 21:10:50 | Attr = ]
lxcrcu.dll -> %System32%\lxcrcu.dll -> Lexmark International, Inc. [Ver = 2.153.126.0 | Size = 73728 bytes | Created Date = 02-01-2008 21:10:50 | Attr = ]
lxcrcur.dll -> %System32%\lxcrcur.dll -> Lexmark International, Inc. [Ver = 2.145.77.0 | Size = 36864 bytes | Created Date = 02-01-2008 21:10:50 | Attr = ]
lxcrcub.dll -> %System32%\lxcrcub.dll -> Lexmark International, Inc. [Ver = 2.153.126.0 | Size = 86016 bytes | Created Date = 02-01-2008 21:10:50 | Attr = ]
lxcrhelp.chm -> %System32%\lxcrhelp.chm -> [Ver = | Size = 576545 bytes | Created Date = 02-01-2008 21:10:51 | Attr = ]
SSSensor.dll -> %System32%\SSSensor.dll -> Sygate Technologies, Inc. [Ver = 5. 5. 0. 5 | Size = 83096 bytes | Created Date = 02-01-2008 19:03:04 | Attr = ]
LXCRcfg.dll -> %System32%\LXCRcfg.dll -> Lexmark International [Ver = 1, 0, 0, 1 | Size = 73728 bytes | Created Date = 02-01-2008 21:10:49 | Attr = ]
lxcrih.exe -> %System32%\lxcrih.exe -> [Ver = 99.99.99.99 | Size = 380928 bytes | Created Date = 02-01-2008 21:10:52 | Attr = ]
lxcrins.dll -> %System32%\lxcrins.dll -> Lexmark International, Inc. [Ver = 2.153.126.0 | Size = 155648 bytes | Created Date = 02-01-2008 21:10:52 | Attr = ]
lxcrinsr.dll -> %System32%\lxcrinsr.dll -> Lexmark International, Inc. [Ver = 2.145.77.0 | Size = 110592 bytes | Created Date = 02-01-2008 21:10:52 | Attr = ]
lxcrinsb.dll -> %System32%\lxcrinsb.dll -> Lexmark International, Inc. [Ver = 2.153.126.0 | Size = 200704 bytes | Created Date = 02-01-2008 21:10:52 | Attr = ]
lxcrjswr.dll -> %System32%\lxcrjswr.dll -> Lexmark International, Inc. [Ver = 2.145.77.0 | Size = 143360 bytes | Created Date = 02-01-2008 21:10:52 | Attr = ]
lxcrlmpm.dll -> %System32%\lxcrlmpm.dll -> [Ver = 99.99.99.99 | Size = 536576 bytes | Created Date = 02-01-2008 21:10:53 | Attr = ]
lxcrpmui.dll -> %System32%\lxcrpmui.dll -> Lexmark International, Inc. [Ver = 99.99.99.99 | Size = 667648 bytes | Created Date = 02-01-2008 21:10:53 | Attr = ]
lxcrpplc.dll -> %System32%\lxcrpplc.dll -> [Ver = 99.99.99.99 | Size = 114688 bytes | Created Date = 02-01-2008 21:10:53 | Attr = ]
lxcrprox.dll -> %System32%\lxcrprox.dll -> [Ver = 99.99.99.99 | Size = 163840 bytes | Created Date = 02-01-2008 21:10:54 | Attr = ]
lxcrserv.dll -> %System32%\lxcrserv.dll -> [Ver = 99.99.99.99 | Size = 1183744 bytes | Created Date = 02-01-2008 21:10:54 | Attr = ]
lxcrusb1.dll -> %System32%\lxcrusb1.dll -> [Ver = 99.99.99.99 | Size = 995328 bytes | Created Date = 02-01-2008 21:10:55 | Attr = ]
lxcrutil.dll -> %System32%\lxcrutil.dll -> Lexmark International, Inc. [Ver = 2.153.126.0 | Size = 446464 bytes | Created Date = 02-01-2008 21:10:55 | Attr = ]
IMGMAN32.DLL -> %System32%\IMGMAN32.DLL -> Data Techniques, Inc. [Ver = 7.20 | Size = 339968 bytes | Created Date = 02-01-2008 21:13:02 | Attr = ]
LXCRinst.dll -> %System32%\LXCRinst.dll -> [Ver = | Size = 233472 bytes | Created Date = 02-01-2008 21:10:56 | Attr = ]
IMHOST32.DLL -> %System32%\IMHOST32.DLL -> Data Techniques, Inc. [Ver = 7.20 | Size = 98345 bytes | Created Date = 02-01-2008 21:13:02 | Attr = ]
IM31XPNG.DEL -> %System32%\IM31XPNG.DEL -> Data Techniques, Inc. [Ver = 7.20 | Size = 98304 bytes | Created Date = 02-01-2008 21:13:02 | Attr = ]
IM31XTIF.DEL -> %System32%\IM31XTIF.DEL -> Data Techniques, Inc. [Ver = 7.20 | Size = 69632 bytes | Created Date = 02-01-2008 21:13:02 | Attr = ]
IM31IMG.DIL -> %System32%\IM31IMG.DIL -> Data Techniques, Inc. [Ver = 7.20 | Size = 49152 bytes | Created Date = 02-01-2008 21:13:02 | Attr = ]
LXPMONRC.DLL -> %System32%\LXPMONRC.DLL -> Lexmark International, Inc. [Ver = 0.1.35.8 | Size = 12288 bytes | Created Date = 02-01-2008 21:13:02 | Attr = ]
LXPRMON.DLL -> %System32%\LXPRMON.DLL -> [Ver = 0.1.35.8 | Size = 40960 bytes | Created Date = 02-01-2008 21:13:02 | Attr = ]
LXPMONUI.DLL -> %System32%\LXPMONUI.DLL -> [Ver = 0.1.35.8 | Size = 32768 bytes | Created Date = 02-01-2008 21:13:02 | Attr = ]
lxcrcnv4.dll -> %System32%\lxcrcnv4.dll -> [Ver = | Size = 61440 bytes | Created Date = 02-01-2008 21:13:19 | Attr = ]
lxcrdrs.dll -> %System32%\lxcrdrs.dll -> [Ver = 0.1.25.0 | Size = 684032 bytes | Created Date = 02-01-2008 21:13:19 | Attr = ]
lxcrcaps.dll -> %System32%\lxcrcaps.dll -> [Ver = 0.1.25.0 | Size = 65536 bytes | Created Date = 02-01-2008 21:13:19 | Attr = ]
lxcrcoin.dll -> %System32%\lxcrcoin.dll -> [Ver = | Size = 303104 bytes | Created Date = 02-01-2008 21:13:46 | Attr = ]
lxcriesc.dll -> %System32%\lxcriesc.dll -> [Ver = 99.99.99.99 | Size = 393216 bytes | Created Date = 02-01-2008 21:13:47 | Attr = ]
lxcrinpa.dll -> %System32%\lxcrinpa.dll -> [Ver = 99.99.99.99 | Size = 409600 bytes | Created Date = 02-01-2008 21:13:48 | Attr = ]
lxcrvs.dll -> %System32%\lxcrvs.dll -> [Ver = | Size = 40960 bytes | Created Date = 02-01-2008 21:13:49 | Attr = ]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Created Date = 10-01-2008 12:33:13 | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Created Date = 12-01-2008 15:16:46 | Attr = ]
VFind.exe -> %System32%\VFind.exe -> [Ver = | Size = 49152 bytes | Created Date = 12-01-2008 15:16:46 | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.11 | Size = 156160 bytes | Created Date = 12-01-2008 15:16:46 | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 12-01-2008 15:19:10 | Attr = ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 12-01-2008 15:16:46 | Attr = ]
sysstr.sys -> %SystemRoot%\sysstr.sys -> DDecctonne SSollutiionnss [Ver = 3.03.0004 | Size = 69634 bytes | Created Date = 22-12-2007 10:00:35 | Attr = ]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
Awem -> %AllUsersAppData%\Awem -> [Folder | Created Date = 16-12-2007 12:22:22 | Attr = ]
Grisoft -> %AllUsersAppData%\Grisoft -> [Folder | Created Date = 22-12-2007 10:54:13 | Attr = ]
Gogii -> %AllUsersAppData%\Gogii -> [Folder | Created Date = 22-12-2007 20:52:44 | Attr = ]
FaxCtr -> %AllUsersAppData%\FaxCtr -> [Folder | Created Date = 02-01-2008 21:12:52 | Attr = ]
Kaspersky Lab -> %AllUsersAppData%\Kaspersky Lab -> [Folder | Created Date = 10-01-2008 12:33:14 | Attr = ]
FaxCtr -> %UserAppData%\FaxCtr -> [Folder | Created Date = 02-01-2008 21:18:27 | Attr = ]
OpenOffice.org2 -> %UserAppData%\OpenOffice.org2 -> [Folder | Created Date = 02-01-2008 21:21:11 | Attr = ]
Apple Computer -> %LocalAppData%\Apple Computer -> [Folder | Created Date = 02-01-2008 19:50:18 | Attr = ]
Infecção -> %UserDocuments%\Infecção -> [Folder | Created Date = 29-12-2007 21:05:33 | Attr = ]
ComboFix.exe -> %UserDesktop%\ComboFix.exe -> [Ver = | Size = 1526040 bytes | Created Date = 12-01-2008 15:11:50 | Attr = ]
KillBox.exe -> %UserDesktop%\KillBox.exe -> Option^Explicit Software vbtechcd@gmail.com [Ver = 2.00.0881 | Size = 92672 bytes | Created Date = 13-01-2008 10:47:27 | Attr = ]
WinPFind35u.exe -> %UserDesktop%\WinPFind35u.exe -> [Ver = | Size = 464339 bytes | Created Date = 13-01-2008 14:47:25 | Attr = ]
WinPFind35u -> %UserDesktop%\WinPFind35u -> [Folder | Created Date = 13-01-2008 14:49:46 | Attr = ]
Java -> %CommonProgramFiles%\Java -> [Folder | Created Date = 29-12-2007 19:18:54 | Attr = ]
Wise Installation Wizard -> %CommonProgramFiles%\Wise Installation Wizard -> [Folder | Created Date = 02-01-2008 19:02:28 | Attr = ]

[Files/Folders - Modified Within 30 days]
ioSpecial.ini -> %SystemDrive%\ioSpecial.ini -> [Ver = | Size = 125 bytes | Modified Date = 22-12-2007 22:00:16 | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 2146881536 bytes | Modified Date = 13-01-2008 16:50:54 | Attr = HS]
!KillBox -> %SystemDrive%\!KillBox -> [Folder | Modified Date = 13-01-2008 15:02:42 | Attr = ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Modified Date = 12-01-2008 15:16:50 | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 1158 bytes | Modified Date = 13-01-2008 16:51:32 | Attr = ]
LexFiles.ulf -> %System32%\LexFiles.ulf -> [Ver = | Size = 39163 bytes | Modified Date = 02-01-2008 21:14:10 | Attr = ]
iospc.sys -> %System32%\iospc.sys -> [Ver = | Size = 0 bytes | Modified Date = 22-12-2007 10:00:28 | Attr = ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT -> [Ver = | Size = 141240 bytes | Modified Date = 02-01-2008 21:17:52 | Attr = ]
nvapps.xml -> %System32%\nvapps.xml -> [Ver = | Size = 41156 bytes | Modified Date = 13-01-2008 16:51:08 | Attr = ]
filetemp.tmp -> %System32%\filetemp.tmp -> [Ver = | Size = 8564 bytes | Modified Date = 09-01-2008 11:23:10 | Attr = ]
CONFIG.NT -> %System32%\CONFIG.NT -> [Ver = | Size = 2626 bytes | Modified Date = 02-01-2008 19:40:04 | Attr = ]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Modified Date = 10-01-2008 12:33:14 | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 12-01-2008 15:21:10 | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 12-01-2008 15:19:12 | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 02-01-2008 19:50:14 | Attr = H ]
sysstr.sys -> %SystemRoot%\sysstr.sys -> DDecctonne SSollutiionnss [Ver = 3.03.0004 | Size = 69634 bytes | Modified Date = 08-01-2008 21:55:28 | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 13-01-2008 16:50:56 | Attr = S]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 13-01-2008 16:51:00 | Attr = H ]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
Awem -> %AllUsersAppData%\Awem -> [Folder | Modified Date = 16-12-2007 12:22:24 | Attr = ]
Grisoft -> %AllUsersAppData%\Grisoft -> [Folder | Modified Date = 22-12-2007 10:54:14 | Attr = ]
Gogii -> %AllUsersAppData%\Gogii -> [Folder | Modified Date = 22-12-2007 20:52:46 | Attr = ]
FaxCtr -> %AllUsersAppData%\FaxCtr -> [Folder | Modified Date = 02-01-2008 21:12:54 | Attr = ]
Kaspersky Lab -> %AllUsersAppData%\Kaspersky Lab -> [Folder | Modified Date = 10-01-2008 12:33:16 | Attr = ]
FaxCtr -> %UserAppData%\FaxCtr -> [Folder | Modified Date = 02-01-2008 21:18:28 | Attr = ]
OpenOffice.org2 -> %UserAppData%\OpenOffice.org2 -> [Folder | Modified Date = 02-01-2008 21:21:12 | Attr = ]
GDIPFONTCACHEV1.DAT -> %LocalAppData%\GDIPFONTCACHEV1.DAT -> [Ver = | Size = 25792 bytes | Modified Date = 06-01-2008 18:49:06 | Attr = ]
IconCache.db -> %LocalAppData%\IconCache.db -> [Ver = | Size = 2114200 bytes | Modified Date = 16-12-2007 13:37:28 | Attr = H ]
Apple Computer -> %LocalAppData%\Apple Computer -> [Folder | Modified Date = 02-01-2008 19:50:20 | Attr = ]
Infecção -> %UserDocuments%\Infecção -> [Folder | Modified Date = 29-12-2007 21:05:34 | Attr = ]
More Great Games.lnk -> %AllUsersDesktop%\More Great Games.lnk -> [Ver = | Size = 1166 bytes | Modified Date = 16-12-2007 13:36:36 | Attr = ]
Windows Live Messenger.lnk -> %AllUsersDesktop%\Windows Live Messenger.lnk -> [Ver = | Size = 1638 bytes | Modified Date = 22-12-2007 10:00:56 | Attr = ]
ComboFix.exe -> %UserDesktop%\ComboFix.exe -> [Ver = | Size = 1526040 bytes | Modified Date = 12-01-2008 15:12:00 | Attr = ]
KillBox.exe -> %UserDesktop%\KillBox.exe -> Option^Explicit Software vbtechcd@gmail.com [Ver = 2.00.0881 | Size = 92672 bytes | Modified Date = 13-01-2008 10:47:30 | Attr = ]
WinPFind35u.exe -> %UserDesktop%\WinPFind35u.exe -> [Ver = | Size = 464339 bytes | Modified Date = 13-01-2008 14:47:30 | Attr = ]
WinPFind35u -> %UserDesktop%\WinPFind35u -> [Folder | Modified Date = 13-01-2008 14:49:48 | Attr = ]
Microsoft Excel.lnk -> %UserDesktop%\Microsoft Excel.lnk -> [Ver = | Size = 2497 bytes | Modified Date = 03-01-2008 18:37:08 | Attr = ]
Microsoft Word.lnk -> %UserDesktop%\Microsoft Word.lnk -> [Ver = | Size = 2529 bytes | Modified Date = 13-01-2008 14:42:54 | Attr = ]
Java -> %CommonProgramFiles%\Java -> [Folder | Modified Date = 29-12-2007 19:18:56 | Attr = ]
Wise Installation Wizard -> %CommonProgramFiles%\Wise Installation Wizard -> [Folder | Modified Date = 02-01-2008 19:02:30 | Attr = ]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [Ver = | Size = 4232 bytes | Modified Date = 09-01-2008 10:52:22 | Attr = ]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [Ver = | Size = 4617 bytes | Modified Date = 09-01-2008 10:52:22 | Attr = ]
data.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Office\Data\data.dat -> [Ver = | Size = 1372 bytes | Modified Date = 18-12-2006 22:56:00 | Attr = ]

< End of report >

----------

Edited by DeLuk, 13 January 2008 - 02:41 PM.


#10 DeLuk (Topic Starter)

Posted 13 January 2008 - 02:38 PM

ComboFix log

ComboFix 08-01-11.3 - SONIA 2008-01-13 17:10:06.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1569 [GMT 0:00]
Running from: C:\Documents and Settings\SONIA\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 15:02 . 2008-01-13 15:02 <DIR> d-------- C:\!KillBox
2008-01-12 15:16 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-10 12:33 . 2008-01-10 12:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-10 12:33 . 2008-01-10 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-02 21:21 . 2008-01-02 21:21 <DIR> d-------- C:\Documents and Settings\SONIA\Application Data\OpenOffice.org2
2008-01-02 21:18 . 2008-01-02 21:18 <DIR> d-------- C:\Documents and Settings\SONIA\Application Data\FaxCtr
2008-01-02 21:12 . 2008-01-02 21:12 <DIR> d-------- C:\Program Files\Lexmark Fax Solutions
2008-01-02 21:12 . 2008-01-02 21:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FaxCtr
2008-01-02 21:11 . 2008-01-02 21:11 <DIR> d-------- C:\Program Files\Lexmark Toolbar
2008-01-02 21:11 . 2008-01-02 21:11 <DIR> d-------- C:\Program Files\Lexmark 2400 Series
2008-01-02 21:11 . 2008-01-02 21:11 <DIR> d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-01-02 21:10 . 2006-02-03 03:24 1,183,744 --a------ C:\WINDOWS\system32\lxcrserv.dll
2008-01-02 21:07 . 2008-01-02 21:07 <DIR> d-------- C:\Program Files\OpenOffice.org 2.3
2008-01-02 19:03 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-02 19:03 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-02 19:03 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-02 19:03 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-01-02 19:03 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-01-02 19:03 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-01-02 19:03 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-02 19:02 . 2008-01-02 19:03 <DIR> d-------- C:\Program Files\Sygate
2008-01-02 19:02 . 2008-01-02 19:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-29 19:19 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-29 19:18 . 2007-12-29 19:18 <DIR> d-------- C:\Program Files\Java
2007-12-29 19:18 . 2007-12-29 19:18 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-29 19:17 . 2007-12-29 19:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-22 20:52 . 2007-12-22 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gogii
2007-12-22 10:54 . 2007-12-22 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-22 10:00 . 2007-12-22 10:00 108,338 --a------ C:\WINDOWS\system32\mswinsck.ocx
2007-12-22 10:00 . 2008-01-08 21:55 69,634 --a------ C:\WINDOWS\sysstr.sys
2007-12-22 10:00 . 2008-01-09 11:23 8,564 --a------ C:\WINDOWS\system32\filetemp.tmp
2007-12-22 10:00 . 2007-12-22 10:00 0 --a------ C:\WINDOWS\system32\iospc.sys
2007-12-16 12:22 . 2007-12-16 12:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Awem
2007-12-14 14:24 . 2007-12-14 14:24 <DIR> d-------- C:\Program Files\Svetlograd
2007-12-14 14:13 . 2007-12-14 14:13 <DIR> d-------- C:\Program Files\Mystery Case Files - Huntsville
2007-12-14 14:01 . 2007-12-14 14:01 <DIR> d-------- C:\Program Files\Forgotten Riddles - The Mayan Princess
2007-12-14 13:46 . 2007-12-14 13:46 <DIR> d-------- C:\Program Files\The Magicians Handbook - Cursed Valley
2007-12-14 13:26 . 2007-12-14 13:26 <DIR> d-------- C:\Program Files\Pirateville
2007-12-14 12:42 . 2007-12-14 12:42 <DIR> d-------- C:\Program Files\Holly - A Christmas Tale
2007-12-14 11:53 . 2007-12-14 11:53 <DIR> d-------- C:\Program Files\Mystery in London
2007-12-13 22:00 . 2007-12-13 22:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Christmasville

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 20:14 --------- d-----w C:\Documents and Settings\SONIA\Application Data\Magic Academy
2007-12-05 21:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-12-02 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecretsOfOlympus
2007-12-02 16:24 --------- d-----w C:\Program Files\Mystery of Shark Island
2007-12-02 16:22 --------- d-----w C:\Program Files\Private Eye - Greatest Unsolved Mysteries
2007-11-30 11:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-28 18:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Legacy Interactive
2007-11-27 21:38 --------- d-----w C:\Documents and Settings\SONIA\Application Data\Big Fish Games
2007-11-24 22:38 --------- d-----w C:\Documents and Settings\SONIA\Application Data\Jane s Hotel
2007-11-24 21:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-11-23 21:31 --------- d-----w C:\Documents and Settings\SONIA\Application Data\Flood Light Games
2007-11-23 21:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Flood Light Games
2007-11-15 15:46 --------- d-----w C:\Documents and Settings\SONIA\Application Data\iWin
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 09:55 3,065,856 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 17:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-12_15.21.15,28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 08:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
+ 2008-01-13 17:08:20 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_2c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-16 02:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 15:06 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 15:25 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-02-22 21:40 106496]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-21 08:51 7335936]
"nwiz"="nwiz.exe" [2005-11-21 08:51 1519616 C:\WINDOWS\system32\nwiz.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-06 05:39 14850560 C:\WINDOWS\RTHDCPL.EXE]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-20 23:26 761945]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09 987136]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 11:51 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 11:52 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 11:56 569413]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 17:13 86016]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 15:20 180224]
"ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [2006-01-02 19:14 61440]
"SMSERIAL"="sm56hlpr.exe" [2005-05-26 16:12 544768 C:\WINDOWS\sm56hlpr.exe]
"PelSetupRun"="E:\setup.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-18 23:48 185896]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"unsrvc"="C:\WINDOWS\system32\unsrvc.exe" [ ]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2006-01-22 17:45 286720]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 05:10 98304]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 08:11 290816]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 18:38 65536]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 17:47 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-16 02:00 15360]

C:\Documents and Settings\SONIA\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ASUS ChkMail.lnk - C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe [2006-11-14 20:27:37]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04]

R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2004-09-03 16:38]
S3 GTF32BUS;GT F32 BUS;C:\WINDOWS\system32\DRIVERS\gtf32bus.sys [2005-12-08 08:45]
S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2005-12-06 10:40]
S3 GTSCSER;GT SC SER;C:\WINDOWS\system32\DRIVERS\gtscser.sys [2005-12-06 10:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3133a370-9d94-11db-ad9d-0018de978965}]
\Shell\Auto\command - G:\RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 17:11:48
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
LXCFCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 17:12:10
ComboFix-quarantined-files.txt 2008-01-13 17:12:08
ComboFix2.txt 2008-01-12 15:21:32
.
2008-01-10 10:21:00 --- E O F ---

----------

#11 DeLuk

  • Topic Starter
  • Members
  • 228 posts
  • Gender:Not Telling
  • Location:Portugal

Posted 15 January 2008 - 01:26 PM

Regarding the laptop:

Well, I've now let Avast quarantine the file winsrvc.exe, which was backed up in KillBox's folder C:\!KillBox\. (Given that the file unsrvc.exe, which was also backed up in KillBox's folder, had already been quarantined by AVG Anti-Spyware, I'm hoping it was also OK to let Avast now quarantine that other backed-up file as well, winsrvc.exe, yes?...)

Also, I've just run a new scan at virustotal.com on both files sysstr.sys and filetemp.tmp, for updated reports, yet the results came back the same as on the last scan: still only Panda detects sysstr.sys (detected as "Suspicious file"), and filetemp.tmp is still not detected by any scanner at all.

Standing by for any further instructions (namely with regard to both these files, as well as to that other infection-related 0-byte file, iospc.sys). (Manual deletion?)

Thanks, again, for all your time and help. :thumbsup:

#12 rookie147

  • Members
  • 5,321 posts

Posted 15 January 2008 - 04:37 PM

Sorry about the delay in getting back to you, real life has been getting in the way for me a lot lately. With regards to your question about those files, you can delete them, booting into Safe Mode beforehand if necessary. Before we get on with the fix, I'd like one more scanner to be run, please.

Download Silent Runners and extract it to a new folder on your Desktop.
Run the Silent Runners.vbs file.
You will receive a prompt: "Do you want to skip supplementary searches?" - click "NO."
If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run.
This script is not malicious so please allow it.
A text file will appear in the folder - it's not done, let it run. (It won't appear to be doing anything!)
Once the "All Done!" prompt flashes up, open the text file, and copy & paste it in your next reply.

If you are pleased with the service I have offered, you may like to consider making a donation.


#13 DeLuk

  • Topic Starter
  • Members
  • 228 posts
  • Gender:Not Telling
  • Location:Portugal

Posted 16 January 2008 - 09:38 AM

Hi Charles, thanks again for your reply. :blink: And please, no need for any apologies for any delay whatsoever, for goodness' sake, please, no! As I was just saying, I am the one most grateful for your most generous help, and your time and patience; thank you indeed. :thumbsup:

Concerning the laptop: OK, sysstr.sys, filetemp.tmp and iospc.sys have all been deleted now (in Safe Mode, yes, just in case).

(With regard to files, I'm now only wondering about the file C:\WINDOWS\system32\mswinsck.ocx, which is supposedly a safe, legit file (right?), though it was also created on the same date and time as the infection... Should this file be kept anyway, then, or?...)

Have now also run Silent Runners as instructed. Here's the log for your review:

Silent Runners log

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]
"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HControl" = "C:\WINDOWS\ATK0100\HControl.exe" [empty string]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"RemoteControl" = ""C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"High Definition Audio Property Page Shortcut" = "HDAShCut.exe" ["Windows ® Server 2003 DDK provider"]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"Wireless Console 2" = "C:\Program Files\Wireless Console 2\wcourier.exe" [null data]
"IntelZeroConfig" = ""C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"" ["Intel Corporation"]
"IntelWireless" = ""C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless" ["Intel Corporation"]
"EOUApp" = ""C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"" ["Intel Corporation"]
"Power_Gear" = "C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1" ["ASUSTeK Computer Inc."]
"ASUS Live Update" = "C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [empty string]
"ABLKSR" = "C:\WINDOWS\ABLKSR\ABLKSR.exe" ["ASYSTeK Computer INC."]
"SMSERIAL" = "sm56hlpr.exe" ["Motorola Inc."]
"PelSetupRun" = "E:\setup.exe" [file not found]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"unsrvc" = "C:\WINDOWS\system32\unsrvc.exe -runservice" [file not found]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"lxcrmon.exe" = ""C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"" [null data]
"EzPrint" = ""C:\Program Files\Lexmark 2400 Series\ezprint.exe"" ["Lexmark International Inc."]
"FaxCenterServer" = ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s" [empty string]
"LXCRCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16" [MS]
"LXCFCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"
-> {HKLM...CLSID} = "IE Microsoft AutoComplete"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Extensão de ícones de ficheiros do Outlook"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "As Minhas Pastas Partilhadas"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Dispositivo Móvel"
\InProcServer32\(Default) = "C:\PROGRA~1\MI3AA1~1\Wcesview.dll" [MS]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]
<<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\SONIA\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "SONIA" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\SONIA\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"ASUS ChkMail" -> shortcut to: "C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe" ["asus"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.asus.com

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
Intel® PROSet/Wireless Event Log, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
Intel® PROSet/Wireless Registry Service, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Intel® PROSet/Wireless Service, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
lxcr_device, lxcr_device, "C:\WINDOWS\system32\lxcrcoms.exe -service" [" "]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Serviço de programação do Media Center, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
Serviço receptor do Media Center, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
2400 Series Port\Driver = "lxcrlmpm.DLL" [" "]
730 Series Port\Driver = "lxcflmpm.DLL" [" "]
Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [empty string]


---------- (launch time: 2008-01-16 12:23:45)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 48 seconds.
---------- (total run time: 117 seconds)

----------

#14 rookie147

  • Members
  • 5,321 posts

Posted 17 January 2008 - 04:42 PM

Hello again,
With regards to that file you mentioned, (mswinsck.ocx) it's legitimate and can be left alone. The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Backup the Registry:
Navigate to Start | Run and paste the following:
regedit /e c:\registrybackup.reg
Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"unsrvc"=-

Save this as fix.reg. Choose to save as *all files* and place it on your Desktop.
It should look like this:
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

Reboot: important

Please run a scan with Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on Next.
Select a target to scan; click on My Computer.
The scan will take a while so be patient and let it run.
Once the scan is complete, choose the option to Save as Text; it will be needed later.

I'd also like to know if you're still experiencing problems with this computer.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
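The same fix done from PowerShell instead of Notepad and regedit, as an added example that is not from the thread or its helper: it backs up the HKLM Run key, lists every Run value whose target executable no longer exists on disk (the "[file not found]" state Silent Runners reported for the unsrvc entry), and then deletes the named value, which is what the `"unsrvc"=-` line in fix.reg does. It assumes an elevated Windows PowerShell session on a current Windows build; the Run-key path, the backup file name and the value name unsrvc are taken from the thread.

```powershell
# Added example, not from the thread: audit and clean HKLM Run autostarts.
# Assumes an elevated Windows PowerShell session on a current Windows build.
$RunKeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'  # key from the thread
$RegRunKey  = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # same key, reg.exe spelling
$BackupFile = 'C:\registrybackup.reg'                                 # backup name from the thread

function Backup-RunKey {
    param([string]$Path = $BackupFile)
    # The thread exports the whole registry (regedit /e); exporting only the
    # Run key keeps the backup small and still lets you re-merge the value.
    & reg.exe export $RegRunKey $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with code $LASTEXITCODE" }
    return (Get-Item -LiteralPath $Path)
}

function Get-ExecutableFromCommand {
    param([string]$CommandLine)
    # A Run value is a full command line, for example:
    #   "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    #   C:\WINDOWS\system32\unsrvc.exe -runservice
    #   RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    # Take the quoted token if present, else the shortest prefix that ends in a
    # program extension and is followed by whitespace or end of string.
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|scr|dll|cpl))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Resolve-AutostartTarget {
    param([string]$Executable)
    $exe = [Environment]::ExpandEnvironmentVariables($Executable)
    if ([IO.Path]::IsPathRooted($exe)) {
        if (Test-Path -LiteralPath $exe -PathType Leaf) { return $exe }
        return $null
    }
    # Bare names (nwiz.exe, RTHDCPL.EXE) are located through PATH, as the
    # loader would do; Get-Command performs the same search.
    $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
             Select-Object -First 1
    if ($found) { return $found.Path }
    return $null
}

function Get-RunEntryStatus {
    param([string]$KeyPath = $RunKeyPath)
    $key = Get-Item -LiteralPath $KeyPath
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }          # skip the (Default) value
        $cmd = [string]$key.GetValue($name)
        if ([string]::IsNullOrWhiteSpace($cmd)) {
            $target = $null; $status = 'empty value'
        } else {
            $target = Resolve-AutostartTarget (Get-ExecutableFromCommand $cmd)
            $status = if ($target) { 'present' } else { 'file not found' }
        }
        [pscustomobject]@{ Name = $name; Command = $cmd; Target = $target; Status = $status }
    }
}

function Remove-RunEntry {
    param([Parameter(Mandatory)][string]$Name, [string]$KeyPath = $RunKeyPath)
    # Same effect as the thread's fix.reg line  "unsrvc"=-  (delete the value).
    $key = Get-Item -LiteralPath $KeyPath
    if ($key.GetValueNames() -notcontains $Name) {
        Write-Warning "No value named '$Name' under $KeyPath"
        return $false
    }
    Remove-ItemProperty -LiteralPath $KeyPath -Name $Name
    return $true
}

# Mirror the thread's order: back up first, review the orphans, then remove
# the one the helper identified. Read the list before deleting anything else:
# an orphan can also be a harmless leftover of an uninstalled program or of an
# installer that ran from removable media.
Backup-RunKey | Out-Null
Get-RunEntryStatus | Where-Object { $_.Status -ne 'present' } | Format-Table -AutoSize
Remove-RunEntry -Name 'unsrvc'
```

To restore the value after a mistaken removal, double-click the exported backup file; it merges the whole Run key back, so it also re-adds the entry you intended to remove.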


#15 DeLuk

  • Topic Starter
  • Members
  • 228 posts
  • Gender:Not Telling
  • Location:Portugal

Posted 18 January 2008 - 09:06 AM

Regarding the laptop: OK, the registry fix has been applied now, and the registry entry "unsrvc"="C:\\WINDOWS\\system32\\unsrvc.exe -runservice" is now gone from the Run key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Here's also the report from Kaspersky's new scan, as requested:

Kaspersky Online Virus Scan report
(Again I'm including only the entries referring to infected files, to make it shorter. If those referring to all of the locked objects are needed too, though, please let me know, and I'll post the full report promptly.)

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, January 18, 2008 1:07:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/01/2008
Kaspersky Anti-Virus database records: 519236
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 69184
Number of viruses found: 1
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 00:40:31

Infected Object Name / Virus Name / Last Action

C:\System Volume Information\_restore{CC2C7A74-EDAE-4F7B-85A2-D4751CC14365}\RP60\A0012364.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped
C:\System Volume Information\_restore{CC2C7A74-EDAE-4F7B-85A2-D4751CC14365}\RP60\A0012461.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped
C:\System Volume Information\_restore{CC2C7A74-EDAE-4F7B-85A2-D4751CC14365}\RP61\A0012503.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped
C:\System Volume Information\_restore{CC2C7A74-EDAE-4F7B-85A2-D4751CC14365}\RP61\A0012555.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped
C:\System Volume Information\_restore{CC2C7A74-EDAE-4F7B-85A2-D4751CC14365}\RP61\A0012590.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped
C:\System Volume Information\_restore{CC2C7A74-EDAE-4F7B-85A2-D4751CC14365}\RP64\A0012957.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped
C:\System Volume Information\_restore{CC2C7A74-EDAE-4F7B-85A2-D4751CC14365}\RP64\A0013050.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped
C:\System Volume Information\_restore{CC2C7A74-EDAE-4F7B-85A2-D4751CC14365}\RP66\A0013219.exe Infected: Trojan-Downloader.Win32.VB.bzh skipped

Scan process completed.

----------

Infected files are by now only found in System Restore. Time already to reset (disable/re-enable) System Restore at this point, or? Please let me know when. :blink:

Then again, thought I'd also include an updated HJT log, for your review:

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:12:55, on 18-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PelSetupRun] E:\setup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 8675 bytes

----------

Same as the latest, with the exception, of course, that the line O4 - HKLM\..\Run: [unsrvc] C:\WINDOWS\system32\unsrvc.exe -runservice is no longer present.

(Out of the infection "realm", only wondering, still, about the line O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing). Seeing that no iPod program is installed on the computer any longer, could/should this line be set to be fixed then? Also, the line O4 - HKLM\..\Run: [PelSetupRun] E:\setup.exe, I had actually been told already on a previous occasion that this entry might be fixed as well. I only just hadn't done so by then because by then I didn't have the laptop back with me anytime again. Seeing, though, that I have the chance to do it now, I'd only ask you to please confirm whether also this line may be set to be fixed now? Note that E:\ is the DVD drive.)

As for whether I'm still experiencing problems with this computer, no, not that I notice; there's no sign of any remaining problem, everything appears to be running normally by now. :thumbsup:

Assuming, thus, that we should be nearly finished with the laptop, I'd ask you only to please also let me know if/when I can delete too the ComboFix and KillBox applications along with related folders, respectively C:\QooBox\ and C:\!KillBox\, as well as the WinPFind35U and Silent Runners folders on the desktop. Thanks.

Edited by DeLuk, 18 January 2008 - 07:56 PM.




