
Blue Screen Of Death On Reboot


This topic is locked. 17 replies to this topic.

#1 Newdow (Members, 11 posts)

Posted 03 March 2008 - 11:25 PM

Hello, everyone. Thank you in advance to anyone offering assistance. I'll start with some background information.

I've just recently obtained a computer that was still running Windows XP Pro without any Service Packs installed. I originally had trouble installing the updates because I was receiving an error that said something along the lines of BITS 2.0 and WinHTTP 5.1 couldn't be installed. After quite a bit of searching online I fixed the problem by changing the permissions settings in the registry.

After that was fixed I was rather relieved because I figured I would finally be able to update the computer to SP2. After installing several Windows Updates I restarted the computer only to receive a blue screen of death. The exact error was:

*** STOP: 0x0000008E (0xC0000005, 0xF7C30C86, 0xA22D9CB0,0x00000000)

I then started searching what could be causing the STOP error. I looked online again and found malware was the cause of the error it seemed. So I followed the advice in the other thread and downloaded Look2Me-Destroyer, F-Secure BlackLight, KillBox, ATF Cleaner and AVG Anti-Spyware. I ran them all, and deleted two high risk trojans with AVG. Next, I scanned with BlackLight and was given the following message from the log:

02/28/08 01:57:15 [Info]: Hidden process: C:\WINDOWS\system32\koos.exe
02/28/08 01:57:52 [Info]: Hidden file: C:\WINDOWS\system32\koos.exe
02/28/08 01:57:52 [Info]: Hidden file: c:\WINDOWS\system32\kprof
02/28/08 01:57:53 [Info]: Hidden file: c:\WINDOWS\system32\poof

From the sound of it koos.exe is something I want to delete, so I restarted in Safe Mode and used KillBox to try and delete the file but it said it couldn't be found. I then cleaned everything out with ATF Cleaner as well. After restarting the computer and clicking on my Windows profile I got pretty much the same blue screen error. I then logged back into Windows using the load last good configuration option and tried again to get rid of any malware and restarted again; same blue screen of death appeared.

Eventually what I found out was that even if I restart normally without making any changes I will end up getting a blue screen of death. The only way for me to load Windows now is using the load last good configuration option. Everything else, except Safe Mode, will result in the same STOP error. I've tried searching online for an answer, but nobody seems to have the same exact problem.

I know for a fact the previous owner had never updated Windows because of the permissions problem, so the computer had been victim to a virus on more than one occasion. Another thing worth noting is that System Restore doesn't work and gives an error saying "System Restore is not able to create a restore point. Please restart the computer, and then run System Restore again." As you can expect, restarting the computer never fixed that problem.

Formatting the computer is somewhat of a last option. The computer was built from scratch and the previous owner doesn't know where any of the drivers are for the components. About the only thing I received was the Windows XP disc. To make things worse, the only CD-DVD drive isn't capable of writing, so I can't even gather the drivers myself.

Here's the HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:12 PM, on 3/3/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FWService - Unknown owner - C:\Program Files\eAcceleration\Firewall\FWService.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


I think that's about everything. I did all of the other scans and steps in the preparation guide as well.

Please let me know if there's anything I'm missing and a huge thanks in advance to anyone that made it all the way through this long post. I really appreciate any and all help.
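The HijackThis log above is the raw material a helper reads by hand: R0/F2 registry values, O4 Run entries, O15 Trusted Zone and O16 ActiveX (DPF) entries, and O23 services. As an added example, not code from this thread, from HijackThis or from BleepingComputer, the following Python script parses lines in that format and applies a few defender-side triage heuristics: a UserInit value that names anything besides userinit.exe, Run entries without an absolute path (so PATH search decides what actually executes), Trusted Zone or DPF hosts outside Microsoft-controlled domains, and services whose binary is missing or whose vendor is unknown. The sample log it runs on is constructed for this example (its last two lines are made up to exercise the UserInit and Trusted Zone checks), and the list of Microsoft-controlled hosts is an assumption of the script, not something HijackThis defines.

```python
"""Triage helper for HijackThis-style log lines.

Added example: not code from the thread, from HijackThis or from
BleepingComputer. It parses the entry types seen in the logs above
and applies defender-side heuristics. The sample log below is
constructed for this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption of this script: hosts treated as Microsoft-controlled for the
# Trusted Zone (O15) and DPF (O16) checks.
MICROSOFT_HOSTS = ("microsoft.com", "windowsupdate.com", "msn.com")

# Constructed sample in HijackThis format. The last two lines are made up
# to exercise the UserInit and Trusted Zone checks.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=userinit.exe,
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: FWService - Unknown owner - C:\Program Files\eAcceleration\Firewall\FWService.exe (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\constructed-example.exe,
O15 - Trusted Zone: http://ads.constructed.invalid
"""


@dataclass
class Finding:
    kind: str      # HijackThis entry type, e.g. "O23"
    severity: str  # "high" or "review"
    reason: str
    line: str


ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^[^:]+: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def host_of(url: str) -> str:
    """Lower-cased host of a URL; a bare host name is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_microsoft_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_HOSTS)


def check_entry(kind: str, body: str, line: str) -> list:
    """Apply the heuristic for one parsed entry; returns zero or more findings."""
    if kind == "F2" and "UserInit=" in body:
        # system.ini UserInit should name only userinit.exe; extra comma-separated
        # programs are a well-known logon persistence point.
        values = [v for v in body.split("UserInit=", 1)[1].split(",") if v.strip()]
        extra = [v for v in values if v.strip().rsplit("\\", 1)[-1].lower() != "userinit.exe"]
        if extra:
            return [Finding(kind, "high", f"UserInit runs extra program(s): {extra}", line)]
    elif kind == "O4":
        m = O4_RE.match(body)
        cmd = m.group("cmd").strip() if m else ""
        if cmd and not cmd.startswith("(User") and not cmd.startswith("%") and not ABS_PATH_RE.match(cmd):
            return [Finding(kind, "review", "startup command has no absolute path; PATH search decides which binary runs", line)]
    elif kind == "O15":
        host = host_of(body.split(":", 1)[1].strip())
        if not is_microsoft_host(host):
            return [Finding(kind, "review", f"non-Microsoft host in IE Trusted Zone: {host}", line)]
    elif kind == "O16":
        host = host_of(body.rsplit(" - ", 1)[-1].strip())
        if not is_microsoft_host(host):
            return [Finding(kind, "review", f"ActiveX (DPF) download from third-party host: {host}", line)]
    elif kind == "O23":
        if "(file missing)" in body:
            return [Finding(kind, "review", "service binary missing: leftover registration or removed file", line)]
        if " - Unknown owner - " in body:
            return [Finding(kind, "review", "service with no recorded vendor; identify the binary", line)]
    return []


def triage(log_text: str) -> list:
    """Parse every HijackThis entry line and collect the findings."""
    findings = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            findings.extend(check_entry(m.group("kind"), m.group("body"), line.strip()))
    return findings


def count_by_severity(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind}: {f.reason}\n    {f.line}")
```

Run against the constructed sample, the script flags the unqualified KHALMNPR.EXE Run entry, the FWService entry whose binary is missing, the third-party DPF host and the two made-up lines; the genuine UserInit value, the quoted absolute-path Run entries and the windowsupdate.com Trusted Zone entry produce nothing. A "review" finding is a prompt to identify the binary, not a verdict: the heuristics only narrow down which lines deserve a look.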


#2 Blender (Malware Response Team, 2,363 posts, Location: Ontario)

Posted 06 March 2008 - 02:16 AM

Hi and welcome,

Sorry for delay.
If you still need help and are not receiving help elsewhere, please post a fresh HijackThis log here.

The reason it is so difficult to remove some of those files is that they are using rootkit tactics to hide themselves and to protect themselves from the system or tools accessing them.

Don't try installing SP2 yet because malware + SP2 install don't work well together.

Safe mode works -- we'll work with that.

thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#3 Newdow (Topic Starter, Members, 11 posts)

Posted 06 March 2008 - 04:32 PM

Thanks for your quick reply!

I do have a small update. My computer no longer gives the Blue Screen of Death on reboot; I suppose some of the malware I removed since my first post fixed at least that much, but I haven't updated to SP2 yet. I did scan last night and according to that I'm still infected with koos.exe, but I'm not sure what else is lingering.

Here's the fresh log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:00 PM, on 3/6/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FWService - Unknown owner - C:\Program Files\eAcceleration\Firewall\FWService.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#4 Blender (Malware Response Team, 2,363 posts, Location: Ontario)

Posted 07 March 2008 - 04:09 AM

Hi,

Thanks for the log and update.
Good to hear things are running somewhat better.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • ...
Please follow instructions on this page for using ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log it creates.

Notes:

--Do not mouseclick combofix's window while it's running. That may cause it to stall

--ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
--Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell me.
--Your internet connection will be terminated while ComboFix runs. Do Not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.

Let me know how system is running please.
There will likely be more work to do.

Thanks :thumbsup:

#5 Newdow (Topic Starter, Members, 11 posts)

Posted 07 March 2008 - 03:04 PM

I downloaded ComboFix and disabled all of the anti-malware programs (with the exception of the TeaTimer System Startup option, because it wasn't there). The only active programs were AVG Anti-spyware and Spybot S&D.

I then ran ComboFix three times and every time it seems the program stalls about 10 minutes in and I stop hearing activity coming from the computer. I've let it run significantly longer than that but it never gets beyond the initial "Scanning now..." stage. I also should mention that I read the ComboFix tutorial and there are no other programs running nor am I clicking anything; I actually walk away while it scans.

Any idea what the problem might be?

#6 Blender (Malware Response Team, 2,363 posts, Location: Ontario)

Posted 08 March 2008 - 04:05 AM

Hi,

Something seems to be stopping it. Not sure yet if malware or security program related.

Boot to safe mode and run combofix (CF) from there please.

To get to safe mode:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Let me know if CF still freezes up.

Thanks :thumbsup:

#7 Newdow (Topic Starter, Members, 11 posts)

Posted 08 March 2008 - 04:20 AM

What a difference safe mode made. The CF scan finished quickly, then my machine was rebooted and it generated this log:



ComboFix 08-03-06.4 - Steven 2008-03-08 1:20:30.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.800 [GMT -8:00]
Running from: C:\Documents and Settings\Steven\Desktop\Clean up\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\Steven\Application Data\macromedia\Flash Player\#SharedObjects\F6DAMXDU\www.broadcaster.com
C:\Documents and Settings\Steven\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Steven\err.log
C:\Documents and Settings\Steven\Local Settings\Application Data\n.ini
C:\WINDOWS\system32\C2
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\k.dat
C:\WINDOWS\system32\kprof
C:\WINDOWS\system32\n.ini
C:\WINDOWS\system32\n2.ini
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\nm


((((((((((((((((((((((((( Files Created from 2008-02-08 to 2008-03-08 )))))))))))))))))))))))))))))))
.

2008-03-03 20:03 . 2008-03-03 20:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-03 20:03 . 2008-03-03 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-03 18:12 . 2008-03-03 18:12 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-03 18:12 . 2008-03-03 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-02 15:15 . 2008-03-02 15:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-02 15:15 . 2008-03-02 15:15 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-02 14:53 . 2001-08-23 04:00 366,080 --a--c--- C:\WINDOWS\system32\dllcache\rstrui.exe
2008-03-02 14:53 . 2001-08-23 04:00 218,112 --a------ C:\WINDOWS\system32\srrstr.dll
2008-03-02 14:53 . 2001-08-23 04:00 218,112 --a--c--- C:\WINDOWS\system32\dllcache\srrstr.dll
2008-03-02 14:53 . 2001-08-23 04:00 155,136 --a------ C:\WINDOWS\system32\srsvc.dll
2008-03-02 14:53 . 2001-08-23 04:00 70,400 --a------ C:\WINDOWS\system32\drivers\sr.sys
2008-03-02 14:53 . 2001-08-23 04:00 70,400 --a--c--- C:\WINDOWS\system32\dllcache\sr.sys
2008-03-02 14:53 . 2001-08-23 04:00 61,952 --a------ C:\WINDOWS\system32\srclient.dll
2008-03-02 14:53 . 2001-08-23 04:00 61,952 --a--c--- C:\WINDOWS\system32\dllcache\srclient.dll
2008-03-02 14:53 . 2001-08-23 04:00 47,104 --a--c--- C:\WINDOWS\system32\dllcache\srdiag.exe
2008-03-02 14:53 . 2001-08-23 04:00 984 --a--c--- C:\WINDOWS\system32\dllcache\srframe.mmf
2008-02-28 01:32 . 2008-02-28 01:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-27 00:30 . 2008-02-27 00:30 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\vlc
2008-02-26 17:13 . 2008-02-26 17:13 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Grisoft
2008-02-26 17:13 . 2008-02-26 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-26 17:13 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-26 16:42 . 2001-08-23 04:00 407,680 --a------ C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-02-26 16:42 . 2001-08-23 04:00 407,680 --a------ C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-02-26 14:46 . 2008-02-26 14:46 617,272 --a------ C:\WindowsXP-KB920872-x86-ENU.exe
2008-02-26 13:41 . 2008-02-26 13:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-02-26 13:21 . 2008-02-26 13:21 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-26 13:20 . 2001-08-23 04:00 68,096 --a------ C:\WINDOWS\system32\locator.exe
2008-02-26 13:20 . 2001-08-23 04:00 68,096 --a------ C:\WINDOWS\system32\dllcache\locator.exe
2008-02-26 12:34 . 2008-02-26 12:34 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-26 03:18 . 2004-07-01 14:08 361,984 --a------ C:\WINDOWS\system32\qmgr.dll
2008-02-26 03:10 . 2001-08-17 13:48 1,869,824 --a--c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-02-26 03:09 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-02-26 03:08 . 2001-08-17 22:24 1,897,984 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-02-19 16:19 . 2001-08-23 04:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-19 16:18 . 2001-08-23 04:00 716,853 --a--c--- C:\WINDOWS\system32\dllcache\imjpcus.dll
2008-02-15 22:06 . 2008-02-15 22:06 <DIR> d-------- C:\lame3.97
2008-02-15 21:52 . 2008-02-15 21:52 <DIR> d-------- C:\Program Files\Exact Audio Copy
2008-02-15 21:52 . 2008-02-15 21:52 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\AD ON Multimedia
2008-02-15 21:52 . 2008-02-15 23:43 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\AccurateRip
2008-02-15 21:06 . 2008-02-15 21:07 <DIR> d-------- C:\Program Files\Winamp
2008-02-15 21:06 . 2008-02-15 23:43 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Winamp
2008-02-13 23:43 . 2008-02-13 23:43 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 22:48 --------- d-----w C:\Program Files\Azureus
2008-03-07 22:48 --------- d-----w C:\Documents and Settings\Steven\Application Data\Azureus
2008-03-04 02:12 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 07:46 --------- d-----w C:\Program Files\VideoLAN
2008-02-27 07:46 --------- d-----w C:\Documents and Settings\Steven\Application Data\dvdcss
2008-02-27 01:03 --------- d-----w C:\Program Files\Symantec
2008-02-27 01:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-20 09:28 --------- d-----w C:\Documents and Settings\Steven\Application Data\Ruckus Network
2008-02-12 12:26 --------- d-----w C:\Documents and Settings\Steven\Application Data\Apple Computer
2008-02-01 08:44 --------- d-----w C:\Program Files\MSN Messenger
2008-01-29 04:22 --------- d-----w C:\Documents and Settings\Steven\Application Data\acccore
2008-01-29 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-29 04:21 --------- d-----w C:\Program Files\Viewpoint
2008-01-29 04:21 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-29 04:21 --------- d-----w C:\Program Files\AIM6
2008-01-29 04:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-29 04:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-26 09:09 --------- d-----w C:\Program Files\World of Warcraft
2008-01-12 01:36 --------- d-----w C:\Program Files\Uniblue
2007-09-30 10:20 6,632 --sh--w C:\WINDOWS\system32\prqss.bak1
2007-09-30 14:10 14,835 --sh--w C:\WINDOWS\system32\prqss.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 04:00 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 06:14 1077277]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-04 12:38 185632]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 16:46 28160 C:\WINDOWS\KHALMNPR.Exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 14:54 37376]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2001-08-23 04:00 208949]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 04:00 44032]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2001-08-23 04:00 77824]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2001-08-23 04:00 737360]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2001-08-23 04:00 737360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 13:25 28672]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Java SATARaid.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Java SATARaid.lnk
backup=C:\WINDOWS\pss\Java SATARaid.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steven^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Steven\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2004-08-25 13:25 28672 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-08-25 11:52 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
--a------ 2005-03-29 10:41 1245184 C:\Program Files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eanth_critical_update_alert]
C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eanth_system_patcher]
C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IeServer]
C:\Documents and Settings\All Users\Favorites\system.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-09-16 07:43 274432 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2001-08-02 06:14 1077277 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
-ra------ 2003-08-12 20:25 73728 C:\WINDOWS\system32\sstray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnAccess]
C:\Program Files\eAcceleration\OnAccess\OnAccess.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-09-27 10:29 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoftwareStation]
C:\Program Files\eAcceleration\Station\station.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StopSignSsFwMon]
C:\Program Files\eAcceleration\Firewall\ssfwmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StopSignSsSsMon]
C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StopSignSsTsMon]
C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-06-03 21:05 32881 C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2005-08-18 10:49 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VGAUtil]
--a------ 2004-09-17 12:32 552960 C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webscan]
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winmplayer]
C:\WINDOWS\System32\KB_963491.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-06-20 15:02 4538368 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2003-12-09 13:02 57344 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"RioMSC"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"ANIWZCSdService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\System32\drivers\si3112r.sys [2004-05-11 14:01]
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\System32\drivers\SiWinAcc.sys [2003-10-14 11:28]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
S0 fwcore;Fwcore Filter;C:\WINDOWS\System32\drivers\fwcore.sys []
S2 enampdat;SpeedStream DSL AMP Protocol Driver for Windows 2000;C:\WINDOWS\System32\DRIVERS\enampdat.sys []
S2 FWService;FWService;C:\Program Files\eAcceleration\Firewall\FWService.exe []
S3 EfntRFC1483;Efficient Networks RFC 1483 Intermediate Driver;C:\WINDOWS\System32\DRIVERS\efnt1483.sys []
S3 EfntRfc1483MP;Efficient Networks RFC 1483 Virtual Miniport;C:\WINDOWS\System32\DRIVERS\efnt1483.sys []
S3 GVTDrv;GVTDrv;C:\WINDOWS\System32\drivers\GVTDrv.sys [2005-05-05 14:53]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 01:22:19
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2008-03-08 1:25:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-08 09:25:36
.
2008-02-26 20:56:53 --- E O F ---

#8 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 08 March 2008 - 09:56 AM

Hi,

Looking better.

You used to have eAcceleration antivirus/firewall but uninstalled it, correct?
Had Symantec and uninstalled it as well. Yes?
Uninstalled AIM as well?

I see you have AVG Antispyware but no antivirus --
Really need to have an antivirus.

A few free choices are available to download and use. All work well.

Download ONE (only) of the following antivirus:

Avast:
http://www.avast.com/eng/avast_4_home.html
Tutorial:
http://www.bleepingcomputer.com/tutorials/how-to-use-avast-antivirus/

AVG:
http://free.grisoft.com/doc/1

AntiVir:
http://www.free-av.com/antivirus/allinonen.html

Install it> update it> run full scan and let it fix what it wants.
Reboot if cleaning was done.

Post fresh hijackthis log here please.
Let me know how system is running.

We'll have some cleanup to do for the leftovers of your old antivirus programs.

If the machine is stable -- next we add a firewall & get you patched up.
For now -- turn on XP firewall. It is better than nothing and will keep most unwanted traffic out.

Open "network connections" in your control panel.
Right click your network connection, then "properties"
Click the advanced tab.
Checkmark the "keep my computer protected ...... while on the internet"
OK your way out.
Let me know if problems/errors.

thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image

#9 Newdow

Newdow
  • Topic Starter

  • Members
  • 11 posts

Posted 08 March 2008 - 07:25 PM

Yeah, I'm sure the old anti-virus programs were from the previous owner, but I never used them myself nor even saw them installed in the program list.

I downloaded AVG anti-virus, updated and did a complete scan. It seemed to come up with some files associated to koos.exe and a few other random ones. Here's the fresh log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:55 PM, on 3/8/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FWService - Unknown owner - C:\Program Files\eAcceleration\Firewall\FWService.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Again, thank you so much for your help and quick replies.
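The HijackThis log above is the kind of listing the helper is triaging by eye: which O4 autorun entries and O23 services look like leftovers or impostors. As an added example (not part of this thread, and not HijackThis code), here is a small Python script that applies the same sort of heuristics mechanically: a service whose binary is reported "(file missing)", a service with no recorded publisher, an autorun entry launching from a user-data folder such as Favorites, a bare file name resolved by PATH search, and a hotfix-style name registered to run at logon. The sample lines are constructed to mirror entries seen in this thread; the trusted-root list, path markers and severities are this example's own assumptions, not a HijackThis rule set.

```python
"""Triage heuristics for HijackThis-style O4 (autorun) and O23 (service) lines."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the HijackThis v2.0 lines posted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O4 - HKLM\\..\\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\\..\\Run: [IeServer] C:\\Documents and Settings\\All Users\\Favorites\\system.exe
O4 - HKCU\\..\\Run: [Winmplayer] C:\\WINDOWS\\System32\\KB_963491.exe
O4 - HKUS\\S-1-5-18\\..\\Run: [ATICCC] "C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe" runtime (User 'SYSTEM')
O23 - Service: FWService - Unknown owner - C:\\Program Files\\eAcceleration\\Firewall\\FWService.exe (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
# First token of the launch command, quoted or not, ending in an executable extension.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|com|scr|bat|pif))"?(?:\s|$)', re.IGNORECASE)

# Heuristic lists: this example's assumptions, tuned to an XP-era layout.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
USER_DATA_MARKERS = ("\\documents and settings\\", "\\favorites\\", "\\application data\\", "\\temp\\")
HOTFIX_NAME_RE = re.compile(r"(^|\\)kb_?\d+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    severity: str  # "high" or "review"
    entry: str     # autorun name or service display name
    reason: str


def _check_autorun(line_no: int, name: str, cmd: str) -> List[Finding]:
    m = EXE_RE.match(cmd.strip())
    if m is None:
        return [Finding(line_no, "review", name, "could not parse launch command")]
    exe = m.group("exe")
    low = exe.lower()
    out: List[Finding] = []
    if "\\" not in exe:
        # No directory at all: Windows resolves it by searching PATH.
        return [Finding(line_no, "review", name, f"{exe}: bare file name, resolved via PATH search")]
    if any(marker in low for marker in USER_DATA_MARKERS):
        out.append(Finding(line_no, "high", name, f"{exe}: auto-runs from a user-data directory"))
    elif not low.startswith(TRUSTED_ROOTS):
        out.append(Finding(line_no, "review", name, f"{exe}: outside Windows and Program Files"))
    if HOTFIX_NAME_RE.search(low):
        # Hotfix packages are installers, not logon autoruns; a KB-style name here is a red flag.
        out.append(Finding(line_no, "high", name, f"{exe}: hotfix-style name registered as a Run entry"))
    return out


def _check_service(line_no: int, display: str, owner: str, path: str) -> List[Finding]:
    out: List[Finding] = []
    if path.rstrip().endswith("(file missing)"):
        out.append(Finding(line_no, "review", display, "binary missing: orphaned service entry, clean-up candidate"))
    if owner.strip().lower() == "unknown owner":
        out.append(Finding(line_no, "review", display, "no publisher recorded for the service binary"))
    return out


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return findings for O4 and O23 lines."""
    findings: List[Finding] = []
    for no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            findings.extend(_check_autorun(no, m["name"], m["cmd"]))
            continue
        m = O23_RE.match(line)
        if m:
            findings.extend(_check_service(no, m["display"], m["owner"], m["path"]))
    return findings


def format_report(findings: List[Finding]) -> str:
    return "\n".join(f"line {f.line_no:>3} [{f.severity:6}] {f.entry}: {f.reason}" for f in findings)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

The script only narrows the list; a "review" finding such as a PATH-resolved file name is often a legitimate vendor entry, and the decision to remove anything stays with the person reading the log.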

#10 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 09 March 2008 - 12:23 PM

Hi,

Looks good.
Those detections by AVG are most likely files ComboFix backed up. (c:\qoobox)
We'll clean up all that slush in a bit.

Let's clean up the remains of the other AV products.

Open notepad and copy/paste the text in the code box below into it:

file::
C:\WINDOWS\system32\prqss.bak1
C:\WINDOWS\system32\prqss.ini2
folder::
C:\Program Files\Common Files\Symantec Shared
registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eanth_critical_update_alert]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eanth_system_patcher]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IeServer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnAccess]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoftwareStation]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StopSignSsFwMon]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StopSignSsSsMon]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StopSignSsTsMon]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webscan]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winmplayer]
driver::
fwcore
FWService
SNDSrvc

The above script is for this computer only! Using this on another system may cause problems!

Save this as CFScript.txt
Disconnect from Internet and disable AVG.

Drag CFScript.txt on top of ComboFix.exe

like this:

Posted Image

Post the new ComboFix.txt please.
Don't forget to turn AVG back on.

thanks :thumbsup:

See if you can get SP2 installed.

Edited by Blender, 09 March 2008 - 12:26 PM.


#11 Newdow

Newdow
  • Topic Starter

  • Members
  • 11 posts

Posted 09 March 2008 - 02:54 PM

I followed the steps above, but for some reason ComboFix always stalled after "Completed Stage_8" and I would never see 9. I did this a couple of times and resorted to running it in Safe Mode. So here is the log from the Safe Mode scan:



ComboFix 08-03-06.4 - Steven 2008-03-09 11:51:37.4 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.805 [GMT -8:00]
Running from: C:\Documents and Settings\Steven\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-08 13:42 . 2008-03-09 08:00 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\AVG7
2008-03-08 13:42 . 2008-03-08 13:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-08 13:42 . 2008-03-08 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-03 20:03 . 2008-03-03 20:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-03 20:03 . 2008-03-03 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-03 18:12 . 2008-03-03 18:12 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-03 18:12 . 2008-03-03 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-02 15:15 . 2008-03-02 15:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-02 15:15 . 2008-03-02 15:15 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-02 14:53 . 2001-08-23 04:00 366,080 --a--c--- C:\WINDOWS\system32\dllcache\rstrui.exe
2008-03-02 14:53 . 2001-08-23 04:00 218,112 --a------ C:\WINDOWS\system32\srrstr.dll
2008-03-02 14:53 . 2001-08-23 04:00 218,112 --a--c--- C:\WINDOWS\system32\dllcache\srrstr.dll
2008-03-02 14:53 . 2001-08-23 04:00 155,136 --a------ C:\WINDOWS\system32\srsvc.dll
2008-03-02 14:53 . 2001-08-23 04:00 70,400 --a------ C:\WINDOWS\system32\drivers\sr.sys
2008-03-02 14:53 . 2001-08-23 04:00 70,400 --a--c--- C:\WINDOWS\system32\dllcache\sr.sys
2008-03-02 14:53 . 2001-08-23 04:00 61,952 --a------ C:\WINDOWS\system32\srclient.dll
2008-03-02 14:53 . 2001-08-23 04:00 61,952 --a--c--- C:\WINDOWS\system32\dllcache\srclient.dll
2008-03-02 14:53 . 2001-08-23 04:00 47,104 --a--c--- C:\WINDOWS\system32\dllcache\srdiag.exe
2008-03-02 14:53 . 2001-08-23 04:00 984 --a--c--- C:\WINDOWS\system32\dllcache\srframe.mmf
2008-02-28 01:32 . 2008-02-28 01:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-27 00:30 . 2008-02-27 00:30 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\vlc
2008-02-26 17:13 . 2008-02-26 17:13 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Grisoft
2008-02-26 17:13 . 2008-03-08 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-26 17:13 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-26 16:42 . 2001-08-23 04:00 407,680 --a------ C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-02-26 16:42 . 2001-08-23 04:00 407,680 --a------ C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-02-26 14:46 . 2008-02-26 14:46 617,272 --a------ C:\WindowsXP-KB920872-x86-ENU.exe
2008-02-26 13:41 . 2008-02-26 13:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-02-26 13:21 . 2008-02-26 13:21 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-26 13:20 . 2001-08-23 04:00 68,096 --a------ C:\WINDOWS\system32\locator.exe
2008-02-26 13:20 . 2001-08-23 04:00 68,096 --a------ C:\WINDOWS\system32\dllcache\locator.exe
2008-02-26 12:34 . 2008-02-26 12:34 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-26 03:18 . 2004-07-01 14:08 361,984 --a------ C:\WINDOWS\system32\qmgr.dll
2008-02-26 03:10 . 2001-08-17 13:48 1,869,824 --a--c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-02-26 03:09 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-02-26 03:08 . 2001-08-17 22:24 1,897,984 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-02-19 16:19 . 2001-08-23 04:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-19 16:18 . 2001-08-23 04:00 716,853 --a--c--- C:\WINDOWS\system32\dllcache\imjpcus.dll
2008-02-15 22:06 . 2008-02-15 22:06 <DIR> d-------- C:\lame3.97
2008-02-15 21:52 . 2008-02-15 21:52 <DIR> d-------- C:\Program Files\Exact Audio Copy
2008-02-15 21:52 . 2008-02-15 21:52 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\AD ON Multimedia
2008-02-15 21:52 . 2008-02-15 23:43 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\AccurateRip
2008-02-15 21:06 . 2008-02-15 21:07 <DIR> d-------- C:\Program Files\Winamp
2008-02-15 21:06 . 2008-02-15 23:43 <DIR> d-------- C:\Documents and Settings\Steven\Application Data\Winamp
2008-02-13 23:43 . 2008-02-13 23:43 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 22:48 --------- d-----w C:\Program Files\Azureus
2008-03-07 22:48 --------- d-----w C:\Documents and Settings\Steven\Application Data\Azureus
2008-03-04 02:12 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 07:46 --------- d-----w C:\Program Files\VideoLAN
2008-02-27 07:46 --------- d-----w C:\Documents and Settings\Steven\Application Data\dvdcss
2008-02-27 01:03 --------- d-----w C:\Program Files\Symantec
2008-02-20 09:28 --------- d-----w C:\Documents and Settings\Steven\Application Data\Ruckus Network
2008-02-12 12:26 --------- d-----w C:\Documents and Settings\Steven\Application Data\Apple Computer
2008-02-01 08:44 --------- d-----w C:\Program Files\MSN Messenger
2008-01-29 04:22 --------- d-----w C:\Documents and Settings\Steven\Application Data\acccore
2008-01-29 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-29 04:21 --------- d-----w C:\Program Files\Viewpoint
2008-01-29 04:21 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-29 04:21 --------- d-----w C:\Program Files\AIM6
2008-01-29 04:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-29 04:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-26 09:09 --------- d-----w C:\Program Files\World of Warcraft
2008-01-12 01:36 --------- d-----w C:\Program Files\Uniblue
2007-12-14 19:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-08_ 1.25.27.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-07 19:51:23 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-08 22:54:33 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-07 19:51:23 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-08 22:54:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-07 19:51:23 147,456 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-08 22:54:33 147,456 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-08 21:42:28 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-03-08 21:42:32 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-03-08 21:42:32 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2008-03-08 21:43:12 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-03-08 21:43:12 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
- 2008-02-14 06:59:49 51,376 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-08 21:42:34 51,376 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-02-14 06:59:49 376,968 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-08 21:42:34 376,968 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-08-23 04:00 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 06:14 1077277]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-04 12:38 185632]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 16:46 28160 C:\WINDOWS\KHALMNPR.Exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 14:54 37376]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2001-08-23 04:00 208949]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 04:00 44032]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2001-08-23 04:00 77824]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2001-08-23 04:00 737360]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2001-08-23 04:00 737360]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-08 13:43 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 13:25 28672]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-08 13:42 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Java SATARaid.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Java SATARaid.lnk
backup=C:\WINDOWS\pss\Java SATARaid.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steven^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Steven\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2004-08-25 13:25 28672 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-08-25 11:52 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
--a------ 2005-03-29 10:41 1245184 C:\Program Files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eanth_critical_update_alert]
C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eanth_system_patcher]
C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IeServer]
C:\Documents and Settings\All Users\Favorites\system.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-09-16 07:43 274432 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2001-08-02 06:14 1077277 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
-ra------ 2003-08-12 20:25 73728 C:\WINDOWS\system32\sstray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnAccess]
C:\Program Files\eAcceleration\OnAccess\OnAccess.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-09-27 10:29 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoftwareStation]
C:\Program Files\eAcceleration\Station\station.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StopSignSsFwMon]
C:\Program Files\eAcceleration\Firewall\ssfwmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StopSignSsSsMon]
C:\Program Files\Acceleration Software\Anti-Virus\ssssmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StopSignSsTsMon]
C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-06-03 21:05 32881 C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2005-08-18 10:49 307200 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VGAUtil]
--a------ 2004-09-17 12:32 552960 C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webscan]
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winmplayer]
C:\WINDOWS\System32\KB_963491.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-06-20 15:02 4538368 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2003-12-09 13:02 57344 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"RioMSC"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"ANIWZCSdService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\System32\drivers\si3112r.sys [2004-05-11 14:01]
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\System32\drivers\SiWinAcc.sys [2003-10-14 11:28]
S0 fwcore;Fwcore Filter;C:\WINDOWS\System32\drivers\fwcore.sys []
S2 enampdat;SpeedStream DSL AMP Protocol Driver for Windows 2000;C:\WINDOWS\System32\DRIVERS\enampdat.sys []
S2 FWService;FWService;C:\Program Files\eAcceleration\Firewall\FWService.exe []
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
S3 EfntRFC1483;Efficient Networks RFC 1483 Intermediate Driver;C:\WINDOWS\System32\DRIVERS\efnt1483.sys []
S3 EfntRfc1483MP;Efficient Networks RFC 1483 Virtual Miniport;C:\WINDOWS\System32\DRIVERS\efnt1483.sys []
S3 GVTDrv;GVTDrv;C:\WINDOWS\System32\drivers\GVTDrv.sys [2005-05-05 14:53]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 11:52:54
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-09 11:53:19
ComboFix-quarantined-files.txt 2008-03-09 19:53:11
ComboFix2.txt 2008-03-08 09:25:40
.
2008-02-26 20:56:53 --- E O F ---


Also, I'm hoping the stall with ComboFix is related to something other than malware because all the scans seem to come up clean. Should I go ahead with the SP2 install anyway?

Thanks again :thumbsup:

#12 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 09 March 2008 - 04:07 PM

Hi,

Likely the ComboFix stall is a result of AVG (which is why it ran OK in Safe Mode).

I don't think we need Combofix anymore.
Let's uninstall it.

click start> run> type combofix /u and hit enter.
Follow its prompts.
It may ask you to reboot. Please do if asked.
This will delete ComboFix, its files/folders along with the junk it quarantined.
It also resets system restore to remove old points.
If it does not ask for reboot ---- reboot now please so new restore point is in place.

Next:

Locate and delete this folder:

C:\Program Files\Symantec

Click start> run> type cmd and hit enter.
A "dos" box pops up.
Type the following commands and hit enter after each one:

sc delete fwcore
sc delete FWService


Both should give Success messages. Yes?
That deleted the services related to eAcceleration.
Click the red X to exit the CMD window.

Copy the following text to a new notepad file.
Save as file name fix.reg
As file types: All files
Save it to the desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eanth_critical_update_alert]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eanth_system_patcher]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IeServer]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OnAccess]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoftwareStation]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StopSignSsFwMon]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StopSignSsSsMon]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StopSignSsTsMon]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webscan]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winmplayer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate"=-
"Automatic LiveUpdate Scheduler"=-

Once saved, right click it and choose merge
OK the prompt.
Should get success message. yes?
That cleaned up leftover entries in MSConfig related to a couple of trojans, eAcceleration & Symantec.

Reboot -- then try for SP2 install please.
Most likely need a few small updates before you hit SP2.
Install those> grab SP2 and all the critical updates after this.
It will take a few visits. And yes it will take some time.

Post fresh hijackthis log please.
Let me know how it went.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#13 Newdow

Newdow
  • Topic Starter

  • Members
  • 11 posts
  • Local time:07:48 PM

Posted 09 March 2008 - 07:02 PM

Everything seems to have gone smoothly and now I have SP2 installed! :thumbsup:

Here's the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:49 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#14 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario
  • Local time:10:48 PM

Posted 10 March 2008 - 03:25 AM

Hi,

Looking good. Nice to see SP2 :blink:

I forgot one service.

Click start> run> type cmd and hit enter.
Type this line and hit enter:

sc delete SNDSrvc

Should see success message. Yes?

Post one more hijackthis log please.

Thanks :thumbsup:
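The two cleanup steps in the replies above (spot O23 services whose binary is gone and `sc delete` them; write a REGEDIT4 file that removes leftover MSConfig entries) can be made mechanical. The following Python is an added example, not code from the thread, from BleepingComputer or from HijackThis. The SAMPLE_LOG lines are copied from the O23 section of the log posted above; the regex, the function names and the assumption that the bracketed name HijackThis prints is the service key name (used as the `sc delete` target) are mine.

```python
"""Triage HijackThis O23 service lines and build the cleanup used in this thread.

Constructed example: SAMPLE_LOG is copied from the posted log; the parser
and helpers below are an assumed implementation, not HijackThis code.
"""
import re

# O23 - Service: <display name> [(<key name>)] - <owner> - <image path> [(file missing)]
# Assumption: HijackThis prints "(<key name>)" only when the service key
# name differs from the display name, so the key name falls back to display.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Copied from the log posted above (constructed sample input for this example).
SAMPLE_LOG = r"""
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Registry locations the posted fix.reg targets (MSConfig's own bookkeeping,
# not the live Run keys or the Services key).
STARTUPREG = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"
MSCONFIG_SERVICES = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services"


def parse_o23(lines):
    """Return one dict per O23 line; every other line is ignored."""
    services = []
    for line in lines:
        m = O23_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        services.append({
            "display": d["display"],
            "key": d["key"] or d["display"],   # see assumption above
            "owner": d["owner"],
            "path": d["path"],
            "missing": d["missing"] is not None,
        })
    return services


def orphaned_services(lines):
    """Services still registered in the SCM whose image file is gone."""
    return [s for s in parse_o23(lines) if s["missing"]]


def sc_delete_commands(lines):
    """One `sc delete <key>` per orphaned service; names with spaces get quoted."""
    cmds = []
    for s in orphaned_services(lines):
        name = s["key"]
        if " " in name:
            name = f'"{name}"'
        cmds.append(f"sc delete {name}")
    return cmds


def build_fix_reg(startupreg_names, msconfig_service_values):
    """Build REGEDIT4 text: `[-KEY]` deletes a whole key, `"Name"=-` deletes one value."""
    out = ["REGEDIT4", ""]
    for name in startupreg_names:
        out.append(f"[-{STARTUPREG}\\{name}]")
        out.append("")
    if msconfig_service_values:
        out.append(f"[{MSCONFIG_SERVICES}]")
        for value in msconfig_service_values:
            out.append(f'"{value}"=-')
        out.append("")
    # regedit wants CRLF line endings and a trailing blank line.
    return "\r\n".join(out)


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for svc in orphaned_services(log_lines):
        print(f"orphaned: {svc['display']} owner={svc['owner']!r} path={svc['path']}")
    for cmd in sc_delete_commands(log_lines):
        print(cmd)
    print(build_fix_reg(["IeServer", "webscan"],
                        ["LiveUpdate", "Automatic LiveUpdate Scheduler"]))
```

Two caveats before running the output on a real box: `sc delete` only removes the registration, so stop the service first if it is still running, and a `[-KEY]` merge cannot be undone, so export the MSConfig branch first (`reg export "HKLM\Software\Microsoft\Shared Tools\MSConfig" msconfig-backup.reg`) and review the generated file in Notepad before merging it.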

#15 Newdow

Newdow
  • Topic Starter

  • Members
  • 11 posts
  • Local time:07:48 PM

Posted 10 March 2008 - 04:09 AM

Okay, here's the HiJackThis log after getting rid of that last service:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:33 AM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



I also forgot to mention I installed the ZoneAlarm firewall after upgrading to SP2, but I'm sure you already knew that from the log. :thumbsup:



