Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Malware Hidden In System Start-up

  • This topic is locked This topic is locked
2 replies to this topic

#1 csw2002


  • Members
  • 4 posts
  • Local time:09:18 PM

Posted 26 June 2008 - 06:46 AM

I have been hit with a browser hijack and infected with a number of bugs. Despite numerous attempt to clean them out with AVG7.5 (which alerted me to the problem in the first place), AVG8, Trend Micro 8 Internet Security, Trend Micro House Call, Kesperry and finally ComboFix, I am still infected. Everytime I restart my computer, I get message that "Error loading C:\WINDOWS\system32\mpckxw29vj.dll The specified module could not be found". I have already removed mpckxw29vj.dll and hence it wasn't able to be loaded. The problem is that I have removed the registry entry (in RunOnce - see the log entry below) that loads the DLL via RunDLL. However, everytime I restart, the registry entry re-appears and hence the error message re-appears. It looks like I still have something lurking that is loaded on start-up and putting in the registry entry. I have been redirected from my original thread (http://www.bleepingcomputer.com/forums/topic153609.html) and told to post my Hijackthis log in this HijackThis log forum. The log is included below. Really appreciate all help on this. Thanks in advance

Deckard's System Scanner v20071014.68
Run by csw2002 on 2008-06-26 17:23:31
Computer is in Normal Mode.

-- HijackThis (run as csw2002.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:49 PM, on 26/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\OpenSSH\bin\cygrunsrv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\OpenSSH\usr\sbin\sshd.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Elantech\ktp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe
C:\Program Files\Citrix\GoToAssist Express Expert\86\g2ax_start.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Citrix\GoToMeeting\198\g2mcomm.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Citrix\GoToAssist Express Expert\86\g2ax_comm.exe
C:\Program Files\Citrix\GoToAssist Express Expert\86\g2ax_launcherexpert.exe
C:\Program Files\Citrix\GoToAssist Express Expert\86\g2ax_uiexpert.exe
C:\Documents and Settings\csw2002\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.twinhead.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunOnce: [mpckxw29vj] %systemroot%\system32\Rundll32.exe %systemroot%\system32\mpckxw29vj.dll,DllUnregisterServer
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [GoToAssist Express Expert] "C:\Program Files\Citrix\GoToAssist Express Expert\86\g2ax_start.exe" "/Trigger RunAtLogon"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://firepass.firewalls.com.au/vdesk/cac...,2007,1001,2137
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://firepass.firewalls.com.au/vdesk/ter...,2007,1001,2147
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - C:\DOCUME~1\csw2002\LOCALS~1\Temp\IXP000.TMP\InstallerControl.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsoft.com/resources/virtual...iveXClient1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://firepass.firewalls.com.au/vdesk/ter...,2007,1001,2136
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeeting.com/default/applets/g2mdlax.cab
O16 - DPF: {C728DAB8-FDF5-4CD7-89DD-879D25794C77} (KooPlayer Control) - http://news.cctv.com/library/column/C20924...TVKooPlayer.ocx
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://firepass.firewalls.com.au/vdesk/ter...,2007,1001,2141
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://firepass.firewalls.com.au/vdesk/ter...,2007,1001,2140
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Commander Service - Seagull Scientific, Inc - C:\Program Files\Seagull\BarTender\7.74\CmdrSrv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Jiwa Scheduled Scripts - Jiwa Financials - C:\Program Files\Jiwa Financials\Jiwa6.5.9\Scheduled Scripts Service\JiwaScheduledScriptsService.exe
O23 - Service: Jiwa Export Pending Processing (JiwaExportPendingProcessing) - Jiwa Financials - C:\Program Files\Jiwa Financials\Jiwa6.5.9\Export Pending Processing Service\JiwaExportPendingProcessingService.exe
O23 - Service: Jiwa Export Queue Processing Service (JiwaExportQueueProcessingService) - Jiwa Financials - C:\Program Files\Jiwa Financials\Jiwa6.5.9\Export Queue Processing Service\JiwaExportQueueProcessingService.exe
O23 - Service: Jiwa File Watcher (JiwaFileWatcher) - Jiwa Financials - C:\Program Files\Jiwa Financials\Jiwa6.5.9\Jiwa File Watcher\JiwaFileWatcher.exe
O23 - Service: Jiwa GoldMine Sync Service (JiwaGoldMineSyncService) - Jiwa Financials - C:\Program Files\Jiwa Financials\Jiwa6.5.9\Jiwa GoldMine Sync Service\JiwaGoldMineSyncService.exe
O23 - Service: Jiwa Import Queue Processing Service (JiwaImportQueueProcessingService) - Jiwa Financials - C:\Program Files\Jiwa Financials\Jiwa6.5.9\Import Queue Processing Service\JiwaImportQueueProcessingService.exe
O23 - Service: Jiwa Notification Service (JiwaNotificationService) - Jiwa Financials - C:\Program Files\Jiwa Financials\Jiwa6.5.9\Jiwa Notification Service\JiwaNotificationService.exe
O23 - Service: Jiwa POS Integration (JiwaPOSIntegration) - Jiwa Financials - C:\Program Files\Jiwa Financials\Jiwa6.5.9\POS Integration Service\JiwaPOSIntegrationService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: OpenSSH Server (OpenSSHd) - Unknown owner - C:\Program Files\OpenSSH\bin\cygrunsrv.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

End of file - 13065 bytes

-- Files created between 2008-05-26 and 2008-06-26 -----------------------------

2008-06-22 22:03:18 0 d-------- C:\WINDOWS\pss
2008-06-22 21:56:17 0 d--h----- C:\$AVG8.VAULT$
2008-06-22 17:58:05 0 d-------- C:\Documents and Settings\csw2002\Application Data\AVGTOOLBAR
2008-06-22 17:57:47 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-22 12:23:34 0 d-------- C:\cmdcons
2008-06-22 09:06:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-06-21 22:20:54 68096 --a------ C:\WINDOWS\zip.exe
2008-06-21 22:20:54 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-21 22:20:54 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-21 22:20:54 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-21 22:20:54 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-21 22:20:54 98816 --a------ C:\WINDOWS\sed.exe
2008-06-21 22:20:54 80412 --a------ C:\WINDOWS\grep.exe
2008-06-21 22:20:54 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-09 18:32:43 0 d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files

-- Find3M Report ---------------------------------------------------------------

2008-06-26 12:59:08 0 d-------- C:\Program Files\GPStill
2008-06-26 10:29:21 12 --a------ C:\WINDOWS\bthservsdp.dat
2008-06-26 10:16:49 0 d-------- C:\Program Files\Trend Micro
2008-06-23 03:24:10 0 d-------- C:\Program Files\FlashGet
2008-06-22 20:15:54 0 d-------- C:\Documents and Settings\csw2002\Application Data\Azureus
2008-06-21 21:22:32 0 d-------- C:\Program Files\Common Files
2008-06-21 12:04:21 0 d-------- C:\Program Files\Azureus
2008-06-09 18:35:43 0 d-------- C:\Program Files\SmartFTP Client
2008-06-07 19:16:28 0 d-------- C:\Documents and Settings\csw2002\Application Data\Skype
2008-06-02 21:49:41 0 d-------- C:\Program Files\Citrix
2008-05-28 22:06:13 0 d-------- C:\Program Files\Windows Live Safety Center
2008-05-22 13:01:30 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-05 17:59:50 0 d-------- C:\Program Files\Analytical Models

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [23/01/2005 12:36 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [23/01/2005 12:31 PM]
"SMSERIAL"="sm56hlpr.exe" [30/12/2004 11:01 PM C:\WINDOWS\sm56hlpr.exe]
"KTPWare"="C:\Program Files\Elantech\ktp.exe" [01/03/2005 09:46 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 10:00 PM]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [04/08/2004 10:00 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [04/08/2004 10:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 10:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 10:00 PM]
"SoundMan"="SOUNDMAN.EXE" [24/03/2005 09:20 PM C:\WINDOWS\SOUNDMAN.EXE]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [28/02/2006 02:25 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [28/02/2006 02:25 PM]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [28/02/2006 02:29 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/09/2006 02:57 PM]
"MMReminderService"="C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe" [22/06/2006 11:16 PM]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [16/02/2008 12:56 AM]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 10:34 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 10:00 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [24/10/2005 03:53 PM]
"GoToMeeting"="C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe" [16/10/2007 07:26 PM]
"GoToAssist Express Expert"="C:\Program Files\Citrix\GoToAssist Express Expert\86\g2ax_start.exe" [21/05/2008 10:34 PM]

"mpckxw29vj"=%systemroot%\system32\Rundll32.exe %systemroot%\system32\mpckxw29vj.dll,DllUnregisterServer

"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 10:05:26 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 1:01:04 AM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [10/04/2006 8:53:41 PM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [5/07/2006 1:07:37 AM]

"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^csw2002^Start Menu^Programs^Startup^Check for TWS Updates.lnk]
path=C:\Documents and Settings\csw2002\Start Menu\Programs\Startup\Check for TWS Updates.lnk
backup=C:\WINDOWS\pss\Check for TWS Updates.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

-- End of Deckard's System Scanner: finished at 2008-06-26 17:24:30 ------------

BC AdBot (Login to Remove)


#2 lusitano


    Portuguese Malware Fighter

  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal
  • Local time:10:18 AM

Posted 18 July 2008 - 06:00 AM


You might want to save this page on your favorites, so you can find it again when you return.

Welcome to the Bleeping Computer Malware Removal Forum, sorry for the delay in responding, but the amount of people posting with infected computers is through the roof and we sometimes can't get to logs as fast as we would like to.

If you have not resolved this issue and still need assistance, post a HJT log as your system may have changed since your original post.

Thanks for your patience. :thumbsup:
Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano


    Portuguese Malware Fighter

  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal
  • Local time:10:18 AM

Posted 22 July 2008 - 05:41 AM

Due to inactivity this thread has been closed to prevent others with similar problems posting to it.
If you need it re-opened please PM a member of the moderating team with a link to your thread.

Posted Image
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users