"win32:agent-vgv [wrm]" Has Been Found


2 replies to this topic

#1 Arecibo

Arecibo

  • Members
  • 1 posts

Posted 19 May 2008 - 02:47 AM

I'm trying to recover my father's computer from a serious malware infection, but this last item is proving very hard to remove. Any assistance anyone can offer would be greatly appreciated.

The Avast log entries are:
19/05/2008 00:05:22 SYSTEM 1412 Sign of "Win32:Agent-VGV [Wrm]" has been found in "C:\WINDOWS\System32\drivers\hmP82.sys" file.
19/05/2008 00:05:49 SYSTEM 1412 Sign of "Win32:Agent-VGV [Wrm]" has been found in "C:\WINDOWS\System32\drivers\hmP82.sys" file.
19/05/2008 00:16:45 SYSTEM 1460 Sign of "Win32:Agent-VGV [Wrm]" has been found in "C:\WINDOWS\system32\drivers\hmP82.sys" file.
19/05/2008 00:42:20 SYSTEM 1396 Sign of "Win32:Agent-VGV [Wrm]" has been found in "C:\WINDOWS\System32\drivers\ubF71.sys" file.
19/05/2008 01:26:17 SYSTEM 1388 Sign of "Win32:Agent-VGV [Wrm]" has been found in "C:\WINDOWS\System32\drivers\wdG13.sys" file.
19/05/2008 01:26:46 SYSTEM 1388 Sign of "Win32:Agent-VGV [Wrm]" has been found in "C:\WINDOWS\System32\drivers\wdG13.sys" file.
19/05/2008 01:35:43 SYSTEM 1380 Sign of "Win32:Agent-VGV [Wrm]" has been found in "C:\WINDOWS\system32\drivers\wdG13.sys" file.
19/05/2008 08:20:51 SYSTEM 1392 Sign of "Win32:Agent-VGV [Wrm]" has been found in "C:\WINDOWS\System32\drivers\kpS71.sys" file.
... and so on.

Deckard's System Scanner v20071014.68
Run by Arecibo on 2008-05-19 08:22:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 240 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-19 08:23:55
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\WINDOWS\system32\khooker.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC2.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\George Goodall.GEORGENULLA.000\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {37672309-2E91-495D-AB85-3CC100563174} - (no file)
O2 - BHO: (no name) - {B96FC6C9-1D72-4850-9206-7D3A540816C1} - (no file)
O2 - BHO: (no name) - {F543E97C-A369-4A76-9287-C75AD7B826F3} - (no file)
O3 - Toolbar: (no name) - {C9A66198-D585-4160-A963-A889176926B0} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159453150753
O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} (ScanFile.FileScan) - http://contentpurity.net/xp/ScanFile.CAB
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {F0E81265-6D75-4CA0-A6EC-2FFCE5279746} (Launcher Class) - http://62.81.142.158/geovirtual_web/download/GsLauncher.cab
O18 - Protocol: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - C:\WINDOWS\system32\wowctl2.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqRLEVl - C:\WINDOWS\system32\
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\system32\WinCtrl32.dll
O21 - SSODL: gnowmebk - {85409455-CAA0-4283-94E4-AB78A9254625} - C:\WINDOWS\gnowmebk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe


--
End of file - 5959 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S0 ciK14 - c:\windows\system32\drivers\cik14.sys (file missing)
S0 hmP82 - c:\windows\system32\drivers\hmp82.sys (file missing)
S0 iqU14 - c:\windows\system32\drivers\iqu14.sys (file missing)
S0 kpS71 - c:\windows\system32\drivers\kps71.sys (file missing)
S0 lrV46 - c:\windows\system32\drivers\lrv46.sys (file missing)
S0 sbD71 - c:\windows\system32\drivers\sbd71.sys (file missing)
S0 tbE71 - c:\windows\system32\drivers\tbe71.sys (file missing)
S0 wdG13 - c:\windows\system32\drivers\wdg13.sys (file missing)
S3 catchme - c:\docume~1\george~1.000\locals~1\temp\catchme.sys (file missing)
S3 iadusb (MT882) - c:\windows\system32\drivers\glauiad.sys <Not Verified; Conexant Systems Inc.; Conexant USB to Ethernet (LAN) Viking Modem>
S3 Ptserial (W2K Pctel Serial Device Driver) - c:\windows\system32\drivers\ptserial.sys <Not Verified; PCTEL, INC.; HSP Modem Serial Device>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-19 08:23:08 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-05-19 00:33:00 434 --a------ C:\WINDOWS\Tasks\ParetoLogic Update.job
2008-05-18 18:00:03 460 --a------ C:\WINDOWS\Tasks\ParetoLogic Registration.job
2008-05-18 12:50:40 324 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2008-05-16 09:15:01 418 --ah----- C:\WINDOWS\Tasks\{B31CFE08-931F-40E0-8ED3-BE9B4AD3E73F}_GEORGENULLA_George Goodall.job
2008-05-15 11:59:11 418 --ah----- C:\WINDOWS\Tasks\{E60760C1-6E19-4C6A-8B3A-2D3692F9B88F}_GEORGENULLA_George Goodall.job
2008-04-20 21:06:31 462 --a------ C:\WINDOWS\Tasks\EasyShare Registration Task.job


-- Files created between 2008-04-19 and 2008-05-19 -----------------------------

2008-05-19 01:49:31 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-05-19 01:49:28 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-19 00:46:30 0 d-------- C:\VundoFix Backups
2008-05-19 00:38:52 0 dr-h----- C:\Documents and Settings\George Goodall.GEORGENULLA.000\Recent
2008-05-18 23:55:43 0 d-------- C:\WINDOWS\ERUNT
2008-05-18 10:50:38 159744 --a------ C:\WINDOWS\esta.exe
2008-05-18 10:50:35 253952 --a------ C:\WINDOWS\gnowmebk.dll
2008-05-18 10:34:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-18 10:31:42 14336 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-05-16 09:41:43 793766 --ahs---- C:\WINDOWS\system32\aGMUvyay.ini2
2008-05-16 09:32:17 135168 --a------ C:\WINDOWS\exnk.exe
2008-05-16 09:32:14 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-05-09 22:10:53 0 d-------- C:\WINDOWS\Zoomify
2008-05-07 15:39:36 0 d-------- C:\WINDOWS\Prefetch
2008-05-07 15:27:26 0 d-------- C:\WINDOWS\system32\scripting
2008-05-07 15:27:22 0 d-------- C:\WINDOWS\l2schemas
2008-05-07 15:27:20 0 d-------- C:\WINDOWS\system32\en
2008-04-28 11:39:00 0 d-------- C:\Program Files\CCleaner
2008-04-27 18:44:29 7602176 --a------ C:\Documents and Settings\George Goodall.GEORGENULLA.000\ntuser.dat
2008-04-27 14:48:49 0 d-------- C:\Program Files\Camtech
2008-04-27 10:55:45 0 d-------- C:\Documents and Settings\George Goodall.GEORGENULLA.000\Application Data\ParetoLogic
2008-04-27 10:55:14 0 d-------- C:\Program Files\ParetoLogic
2008-04-27 10:55:14 0 d-------- C:\Program Files\Common Files\ParetoLogic
2008-04-27 10:55:14 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\ParetoLogic
2008-04-27 10:54:19 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Downloaded Installations
2008-04-25 14:11:54 0 d-------- C:\Program Files\Windows Defender
2008-04-25 13:23:26 7728 --ahs--c- C:\WINDOWS\system32\kmUvCfhk.ini2
2008-04-25 10:48:20 6862 --ahs--c- C:\WINDOWS\system32\MpYaIRqr.ini2
2008-04-25 10:06:57 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\mtatwrmd


-- Find3M Report ---------------------------------------------------------------

2008-05-18 18:27:02 2582 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-18 12:47:23 0 d-------- C:\Program Files\Alwil Software
2008-05-13 09:58:59 0 d-------- C:\Program Files\SpywareBlaster
2008-05-07 15:28:11 0 d-------- C:\Program Files\Messenger
2008-05-07 15:27:18 0 d-------- C:\Program Files\Movie Maker
2008-05-07 15:22:15 0 d-------- C:\Program Files\Windows NT
2008-04-27 18:56:15 0 d-------- C:\Program Files\PhotoDeluxe HE 3.1
2008-04-27 18:45:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-27 11:08:01 0 d-------- C:\Program Files\Online Services
2008-04-27 11:03:11 0 d-------- C:\Documents and Settings\George Goodall.GEORGENULLA.000\Application Data\LimeWire
2008-04-27 10:55:14 0 d-------- C:\Program Files\Common Files
2008-04-25 16:47:27 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-25 14:59:38 0 d-------- C:\Documents and Settings\George Goodall.GEORGENULLA.000\Application Data\SUPERAntiSpyware.com
2008-03-24 15:02:23 0 d-------- C:\Program Files\Java
2008-03-22 12:18:49 0 d-------- C:\Documents and Settings\George Goodall.GEORGENULLA.000\Application Data\Real
2008-03-10 17:56:35 2068 --a----c- C:\WINDOWS\system32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37672309-2E91-495D-AB85-3CC100563174}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B96FC6C9-1D72-4850-9206-7D3A540816C1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F543E97C-A369-4A76-9287-C75AD7B826F3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 19:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [15/02/2008 11:58]
"TalkTalk"="C:\Program Files\TalkTalk\bin\sprtcmd.exe" [16/08/2005 00:12]
"SiS KHooker"="C:\WINDOWS\System32\khooker.exe" [02/09/2001 03:17]
"EPSON Stylus C42 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [01/07/2002 04:05]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16/05/2008 00:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 01:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"gnowmebk"= {85409455-CAA0-4283-94E4-AB78A9254625} - C:\WINDOWS\gnowmebk.dll [17/05/2008 22:14 253952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRLEVl]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 19/05/2008 01:34 14336 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yayvUMGa

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ciK14.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hmP82.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hnR60.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iqU14.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\kpS71.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lrV46.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\saC82.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sbD71.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tbE71.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ubF71.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vbF36.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wdG13.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xeH14.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^George Goodall.GEORGENULLA.000^Start Menu^Programs^Startup^MailWasherPro.lnk]
backup=C:\WINDOWS\pss\MailWasherPro.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ImInstaller_IncrediMail]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
C:\WINDOWS\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-05-19 08:29:56 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ Processor
Percentage of Memory in Use: 56%
Physical Memory (total/avail): 239.48 MiB / 103.8 MiB
Pagefile Memory (total/avail): 585.08 MiB / 272.7 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.44 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 67.92 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Removable (FAT32)

\\.\PHYSICALDRIVE0 - WDC WD800BB-00CAA1 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:

\\.\PHYSICALDRIVE1 - JetFlash TS4GJFV30 USB Device - 3.81 GiB - 1 partition
\PARTITION0 - Unknown - 3.81 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\George Goodall.GEORGENULLA.000\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GEORGENULLA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\George Goodall.GEORGENULLA.000
LOGONSERVER=\\GEORGENULLA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Ulead Systems\DVD
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 6 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0602
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\GEORGE~1.000\LOCALS~1\Temp
TMP=C:\DOCUME~1\GEORGE~1.000\LOCALS~1\Temp
USERDOMAIN=GEORGENULLA
USERNAME=George Goodall
USERPROFILE=C:\Documents and Settings\George Goodall.GEORGENULLA.000
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

George Goodall.GEORGENULLA.000 (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /r
HSP56 MR Drivers --> ptuninst.exe
Intel® 537EP Modem --> rundll32 IntelCdi.dll,iSMUninstallation "Intel® 537EP Modem"
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office PowerPoint Viewer 2007 (English) --> MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MT882 --> C:\Program Files\MT882\Adsl\uninstall.exe
ParetoLogic Privacy Controls --> MsiExec.exe /I{742DFC87-1703-46D8-AC24-F87FDCD7C1AB}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
SiS 900 PCI Fast Ethernet Adapter Driver --> C:\WINDOWS\SiS\900\Uninst.exe
SiS Audio Driver --> C:\Program Files\SiS7018\Uninst\uninst2k.exe PCI\VEN_1039&DEV_7018
SiS630_730 V2.03 --> RUNDLL32 setuplib.dll,UnInstall ,630&ISUNINST -f"C:\PROGRA~1\SIS630~1.03\DeIsL1.isu"&P.U 4 sis630.inf&-1
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TalkTalk Assist & Go --> MsiExec.exe /X{D084B1A9-153B-409D-AEBF-C40FCEF925EA}
Ulead Photo Explorer 8.0 SE Basic --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D271DAE0-8D68-4C97-8356-A126D48A1D8C}\setup.exe" -l0x9
Ulead VideoStudio 7 SE Basic --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{757AD3D4-036B-42FA-B0A4-96BD6F4605A0}\setup.exe" -l0x9
Virtual Earth 3D (Beta) --> MsiExec.exe /I{D76D1828-BBA0-4BD9-8181-5ACC617DC5F2}
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type8610 / Warning
Event Submitted/Written: 05/19/2008 08:20:11 AM
Event ID/Source: 1015 / EvntAgnt
Event Description:
TraceLevel parameter not located in registry;
Default trace level used is 32.

Event Record #/Type8609 / Warning
Event Submitted/Written: 05/19/2008 08:20:11 AM
Event ID/Source: 1003 / EvntAgnt
Event Description:
TraceFileName parameter not located in registry;
Default trace file used is .

Event Record #/Type8607 / Warning
Event Submitted/Written: 05/19/2008 08:17:52 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type8604 / Warning
Event Submitted/Written: 05/19/2008 01:35:08 AM
Event ID/Source: 1015 / EvntAgnt
Event Description:
TraceLevel parameter not located in registry;
Default trace level used is 32.

Event Record #/Type8603 / Warning
Event Submitted/Written: 05/19/2008 01:35:08 AM
Event ID/Source: 1003 / EvntAgnt
Event Description:
TraceFileName parameter not located in registry;
Default trace file used is .



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type57997 / Warning
Event Submitted/Written: 05/19/2008 08:24:29 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%GEORGENULLA27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %GEORGENULLA27 can't undo changes that you allow.

For more information please see the following:
%GEORGENULLA275

Scan ID: {F16E35DF-083E-4DFC-9619-7CBCCAA0178B}

User: GEORGENULLA\George Goodall

Name: %GEORGENULLA271

ID: %GEORGENULLA272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %GEORGENULLA276

Alert Type: %GEORGENULLA278

Detection Type: 1.1.1593.02

Event Record #/Type57996 / Warning
Event Submitted/Written: 05/19/2008 08:24:29 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%GEORGENULLA27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %GEORGENULLA27 can't undo changes that you allow.

For more information please see the following:
%GEORGENULLA275

Scan ID: {1799B9A6-BB6A-475F-A8E4-7B9C8F8A85C4}

User: GEORGENULLA\George Goodall

Name: %GEORGENULLA271

ID: %GEORGENULLA272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %GEORGENULLA276

Alert Type: %GEORGENULLA278

Detection Type: 1.1.1593.02

Event Record #/Type57995 / Warning
Event Submitted/Written: 05/19/2008 08:24:29 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%GEORGENULLA27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %GEORGENULLA27 can't undo changes that you allow.

For more information please see the following:
%GEORGENULLA275

Scan ID: {D856AEA1-03D4-47B3-9201-B5F7D182E0CC}

User: GEORGENULLA\George Goodall

Name: %GEORGENULLA271

ID: %GEORGENULLA272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %GEORGENULLA276

Alert Type: %GEORGENULLA278

Detection Type: 1.1.1593.02

Event Record #/Type57994 / Warning
Event Submitted/Written: 05/19/2008 08:24:29 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%GEORGENULLA27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %GEORGENULLA27 can't undo changes that you allow.

For more information please see the following:
%GEORGENULLA275

Scan ID: {578202A4-3508-4058-8F40-F6350BC9C0E4}

User: GEORGENULLA\George Goodall

Name: %GEORGENULLA271

ID: %GEORGENULLA272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %GEORGENULLA276

Alert Type: %GEORGENULLA278

Detection Type: 1.1.1593.02

Event Record #/Type57993 / Warning
Event Submitted/Written: 05/19/2008 08:24:29 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%GEORGENULLA27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %GEORGENULLA27 can't undo changes that you allow.

For more information please see the following:
%GEORGENULLA275

Scan ID: {46E70F34-EF18-4340-8B21-D9F49351FB9B}

User: GEORGENULLA\George Goodall

Name: %GEORGENULLA271

ID: %GEORGENULLA272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %GEORGENULLA276

Alert Type: %GEORGENULLA278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-05-19 08:29:56 ------------
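As an added example, not part of this thread or of any tool it mentions, the following Python correlates the indicators in the logs above: the Avast detections against the DSS driver list (S0 boot-start, "file missing") and the SafeBoot\Minimal registry keys, which show that these drivers are registered to load in Safe Mode as well. The sample input is constructed from the excerpts in the post; the regexes and the random-name heuristic are assumptions derived from the lines seen here, not a published signature.

```python
"""Correlate Avast detections with DSS driver and SafeBoot entries (added example)."""
import re

# Constructed sample input: excerpts copied from the first post's logs.
AVAST_LOG = r'''
19/05/2008 00:05:22 SYSTEM 1412 Sign of "Win32:Agent-VGV [Wrm]" has been found in "C:\WINDOWS\System32\drivers\hmP82.sys" file.
19/05/2008 00:42:20 SYSTEM 1396 Sign of "Win32:Agent-VGV [Wrm]" has been found in "C:\WINDOWS\System32\drivers\ubF71.sys" file.
19/05/2008 01:26:17 SYSTEM 1388 Sign of "Win32:Agent-VGV [Wrm]" has been found in "C:\WINDOWS\System32\drivers\wdG13.sys" file.
19/05/2008 08:20:51 SYSTEM 1392 Sign of "Win32:Agent-VGV [Wrm]" has been found in "C:\WINDOWS\System32\drivers\kpS71.sys" file.
'''

DSS_DRIVERS = r'''
S0 ciK14 - c:\windows\system32\drivers\cik14.sys (file missing)
S0 hmP82 - c:\windows\system32\drivers\hmp82.sys (file missing)
S0 kpS71 - c:\windows\system32\drivers\kps71.sys (file missing)
S0 wdG13 - c:\windows\system32\drivers\wdg13.sys (file missing)
S3 catchme - c:\docume~1\george~1.000\locals~1\temp\catchme.sys (file missing)
S3 iadusb (MT882) - c:\windows\system32\drivers\glauiad.sys <Not Verified; Conexant Systems Inc.; Conexant USB to Ethernet (LAN) Viking Modem>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
'''

DSS_REGISTRY = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ciK14.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hmP82.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ubF71.sys]
@="Driver"
'''

# Regexes are assumptions fitted to the line formats quoted on the page.
AVAST_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$')
DRIVER_RE = re.compile(
    r'^S(?P<start>\d) (?P<name>\S+)(?: \([^)]*\))? - (?P<path>.+?\.sys)'
    r'(?P<missing> \(file missing\))?')
SAFEBOOT_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\'
    r'(?P<key>[^\]]+)\]$')
# Heuristic assumed from the names on this page (two lowercase letters,
# one uppercase letter, two digits), e.g. hmP82, wdG13. Not a vendor signature.
RANDOM_NAME_RE = re.compile(r'^[a-z]{2}[A-Z]\d{2}$')


def parse_avast(text):
    """Return one dict per Avast detection line (timestamp, user, pid, signature, path)."""
    return [m.groupdict() for m in map(AVAST_RE.match, text.splitlines()) if m]


def parse_drivers(text):
    """Return one dict per DSS driver line with start type, name, path and missing flag."""
    out = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            d = m.groupdict()
            d['start'] = int(d['start'])
            d['missing'] = d['missing'] is not None
            out.append(d)
    return out


def parse_safeboot(text):
    """Return SafeBoot\\Minimal key names whose default value is "Driver"."""
    lines = text.splitlines()
    return [m.group('key') for i, line in enumerate(lines[:-1])
            if (m := SAFEBOOT_RE.match(line)) and lines[i + 1].strip() == '@="Driver"']


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def correlate(avast_text, drivers_text, registry_text):
    """Flag drivers that match at least two indicators; also list AV hits with no driver entry."""
    detected = {basename(d['path']) for d in parse_avast(avast_text)}
    safeboot = {k.lower() for k in parse_safeboot(registry_text)}
    drivers = parse_drivers(drivers_text)
    findings = {}
    for drv in drivers:
        reasons = []
        if basename(drv['path']) in detected:
            reasons.append('av-detected')
        if drv['start'] == 0 and drv['missing']:
            reasons.append('boot-start, file missing')
        if RANDOM_NAME_RE.match(drv['name']):
            reasons.append('random-looking name')
        if basename(drv['path']) in safeboot:
            reasons.append('loads in Safe Mode')
        if len(reasons) >= 2:          # single weak indicators alone are not reported
            findings[drv['name']] = reasons
    # Detected files with no surviving driver entry: the infection rotates file names.
    orphan = sorted(detected - {basename(d['path']) for d in drivers})
    return findings, orphan


if __name__ == '__main__':
    found, orphan = correlate(AVAST_LOG, DSS_DRIVERS, DSS_REGISTRY)
    for name, reasons in sorted(found.items()):
        print(f'{name}: {", ".join(reasons)}')
    print('detected but no driver entry:', orphan)
```

Legitimate third-party drivers in the sample (catchme, iadusb, SASENUM) score at most one indicator and are not reported, which is the point of requiring two.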


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 21 May 2008 - 04:51 AM

Hello Arecibo and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#3 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:11:55 AM

Posted 17 June 2008 - 07:04 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference