
Trying To Remove Some Popup Malware/spyware/virus


  • This topic is locked
25 replies to this topic

#1 delahuerta

Posted 21 August 2006 - 12:16 PM

Hello, like most I am fighting some popup malware/spyware/virus and have tried many things but they seem to keep killing the spawned files and not the source that is creating them.

Files like these keep getting spawned in my windows directory:
sys011334692596-.exe

Sometimes they start with 'ms' or 'win32', then a bunch of random numbers. I am guessing these are the files being spawned by a trojan or whatever, but nothing I have tried can get the actual source, so they keep coming back. Ewido anti-spyware is saying they have a Downloader.VB.akq in them; however, it's not finding what is spawning them.


I also get the Duce6.exe respawning all the time too, even after manually deleting it and having spyware removal software try to delete it (again, not getting to the source).


Any ideas for me?

Here is my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:14:50 PM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Duce6.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Graphics\acro\Distillr\AcroTray.exe
C:\Internet\Trillian\trillian.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Utilities\AntiVirusStuff\HijackThis\AnyliseIt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Class - {7F930064-260E-B0C2-9EFB-0727EBD828C3} - C:\WINDOWS\mukdx1.dll (file missing)
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe" /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [sys011334692596-] C:\WINDOWS\sys011334692596-.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Trillian.lnk = C:\Internet\Trillian\trillian.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Graphics\acro\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Graphics\Adobe\Reader7\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134553508911
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {7629FB94-D530-4EF6-A968-E14ADC25C252} - http://mioctad.com/5cd754fa/10002/1/xp/FreeAccess.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BEC796E0-5836-4441-A596-DA5A815EE83E} (1.ANNA_PORN_MPEG) - http://www.burnsrecyclinginc.com/acc/ANNA_PORN_MPEG.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...831/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3515C469-417D-4772-A843-C0A25954F496}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{418528CC-329A-4CBF-BE69-C3354217F694}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{3515C469-417D-4772-A843-C0A25954F496}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsubleepa Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Edited by delahuerta, 21 August 2006 - 12:19 PM.




#2 -David-

Posted 21 August 2006 - 12:20 PM

Hey there delahuerta.

I'm pretty sure that you have been infected with the latest link-optimizer rootkit.
These files are hidden from normal view, and it's imperative we remove these files as soon as possible.

1) It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

2) Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Class - {7F930064-260E-B0C2-9EFB-0727EBD828C3} - C:\WINDOWS\mukdx1.dll (file missing)
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [sys011334692596-] C:\WINDOWS\sys011334692596-.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {7629FB94-D530-4EF6-A968-E14ADC25C252} - http://mioctad.com/5cd754fa/10002/1/xp/FreeAccess.ocx
http://www.burnsrecyclinginc.com/acc/ANNA_PORN_MPEG.CAB


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

3) Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon, as shown in the next picture.
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script (alcanshorty.bfu) manually from the above URL (right-click on it and choose 'Save As' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute' window.
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

4) Download GMER from Here
Right Click the Zip and Select "Extract All"
Double Click gmer.exe to launch the program.
Click on the Rootkit Tab and then click Scan.
It takes a while to run, once complete, copy the results to notepad and save them somewhere safe.
Post those results in the next reply.

Please post back with a new Hijackthis log, and the GMER log.
David
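The helper's fix list above is built by reading the HijackThis log for a few shapes of entry: a BHO whose file no longer exists, a Run entry that launches a file sitting directly in C:\WINDOWS under a random-looking name, and O16 ActiveX downloads from hosts that are not known security or OS vendors. As an added example (it is not part of David's instructions and not a tool from the thread), the Python below applies those same checks to log lines. The sample lines are copied from delahuerta's first log; the list of trusted O16 hosts and the "random-looking name" thresholds are assumptions made for the example. Note what such heuristics miss: David also flagged [SW20] C:\WINDOWS\system32\sw20.exe, which has an ordinary-looking path and name and was recognised from experience rather than from the shape of the line.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Lines copied from the first HijackThis log in the thread, with a few benign
# entries kept so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Class - {7F930064-260E-B0C2-9EFB-0727EBD828C3} - C:\WINDOWS\mukdx1.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [sys011334692596-] C:\WINDOWS\sys011334692596-.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {7629FB94-D530-4EF6-A968-E14ADC25C252} - http://mioctad.com/5cd754fa/10002/1/xp/FreeAccess.ocx
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumption for the example: hosts from which an O16 ActiveX download is
# treated as expected. A real triage would use a maintained vendor list.
TRUSTED_O16_HOSTS = {
    "go.microsoft.com", "update.microsoft.com", "www.symantec.com",
    "security.symantec.com", "download.bitdefender.com",
    "housecall65.trendmicro.com", "acs.pandasoftware.com",
    "ax.emsisoft.com", "download.mcafee.com",
}

O4_RE = re.compile(r"^O4 - .*\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: .* - (?P<url>https?://\S+)$")
# A file sitting directly in the Windows folder (not in a subfolder such as system32).
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)


def looks_random(filename: str) -> bool:
    """Heuristic: a long digit run, or a name that is mostly digits, looks generated."""
    stem = filename.rsplit(".", 1)[0]
    if re.search(r"\d{6,}", stem):
        return True
    digits = sum(ch.isdigit() for ch in stem)
    return len(stem) > 4 and digits / len(stem) > 0.4


def first_path(cmd: str) -> str:
    """Return the program part of a Run command (quoted path or first token)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for log lines worth a closer look."""
    findings: list[tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("R3 - ") and "missing" in line:
            findings.append(("default search hook missing", line))
        elif line.startswith("O2 - ") and ("(no file)" in line or "(file missing)" in line):
            findings.append(("BHO whose file is missing", line))
        elif (m := O4_RE.match(line)):
            path = first_path(m.group("cmd"))
            base = path.rsplit("\\", 1)[-1]
            if WINROOT_RE.match(path):
                findings.append(("Run entry launching straight from the Windows folder", line))
            elif looks_random(base) or looks_random(m.group("name")):
                findings.append(("Run entry with a random-looking name", line))
        elif (m := O16_RE.match(line)):
            host = (urlparse(m.group("url")).hostname or "").lower()
            if host not in TRUSTED_O16_HOSTS:
                findings.append((f"ActiveX download from unlisted host {host}", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run as-is it prints seven findings from the sample: the missing search hook, both orphaned BHOs, the two Run entries launching from C:\WINDOWS, and the two ActiveX downloads from hosts outside the allowlist, while leaving the NVIDIA, ewido and Microsoft entries alone. The allowlist is the weakest part of the design: it has to be curated, and an empty or stale list turns every legitimate vendor scanner into a finding.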

#3 delahuerta

Posted 21 August 2006 - 12:22 PM

thanks for the speedy reply, I'll follow your instructions and post results

#4 -David-

Posted 21 August 2006 - 12:24 PM

Good luck, if you have any questions along the way just ask.
When you reply I'll try and get to the thread as soon as possible.

#5 delahuerta

Posted 21 August 2006 - 12:42 PM

OK, I have not rebooted yet as you didn't mention a reboot; here are the log files after the above actions:

Logfile of HijackThis v1.99.1
Scan saved at 12:37:03 PM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Graphics\acro\Distillr\AcroTray.exe
C:\Internet\Trillian\trillian.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Utilities\AntiVirusStuff\HijackThis\AnyliseIt.exe

O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe" /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Trillian.lnk = C:\Internet\Trillian\trillian.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Graphics\acro\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Graphics\Adobe\Reader7\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134553508911
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...831/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3515C469-417D-4772-A843-C0A25954F496}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{418528CC-329A-4CBF-BE69-C3354217F694}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{3515C469-417D-4772-A843-C0A25954F496}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsubleepa Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe



GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-21 12:41:23
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT 89DC5960 ZwConnectPort
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

---- Registry - GMER 1.0.10 ----

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0xC6 0x95 0xAE 0x7E ...
Reg \Registry\MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version@Version 0xC6 0x95 0xAE 0x7E ...

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{414B11D8-93D7-4898-B82C-D27A53041688}

---- EOF - GMER 1.0.10 ----

#6 delahuerta

Posted 21 August 2006 - 12:44 PM

By the way, after I opened IE to post those last logs, I redid HJT and got the first few lines back:

***
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Class - {7F930064-260E-B0C2-9EFB-0727EBD828C3} - C:\WINDOWS\mukdx1.dll (file missing)
***

full log below

Logfile of HijackThis v1.99.1
Scan saved at 12:42:24 PM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Graphics\acro\Distillr\AcroTray.exe
C:\Internet\Trillian\trillian.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Utilities\AntiVirusStuff\HijackThis\AnyliseIt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Class - {7F930064-260E-B0C2-9EFB-0727EBD828C3} - C:\WINDOWS\mukdx1.dll (file missing)
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe" /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Trillian.lnk = C:\Internet\Trillian\trillian.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Graphics\acro\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Graphics\Adobe\Reader7\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134553508911
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...831/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3515C469-417D-4772-A843-C0A25954F496}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{418528CC-329A-4CBF-BE69-C3354217F694}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{3515C469-417D-4772-A843-C0A25954F496}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsubleepa Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

#7 -David-

Posted 21 August 2006 - 12:55 PM

Ok, now please complete the following.

Please download and unzip Rootkit Revealer to your desktop.
Please leave the defaults set as they are to:
  • Hide NTFS Metadata Files: this option is on by default
  • Scan Registry: this option is on by default.

Launch rootkit revealer on the system and press the Scan button.
RootkitRevealer scans the system reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list.
It may take a long time please disconnect from the internet and leave the PC to be scanned until it is finished.
The log can be very large please edit out the items in the following folders in the log : C:\RECYCLER\NPROTECT and C:\System Volume Information, if in the log, before posting it.
Please post the balance of the log here in this thread using Add Reply (please double check that it has all been posted as it may be too long for one post).

David

#8 delahuerta

Posted 21 August 2006 - 01:01 PM

Hmm, downloaded Rootkit Revealer and unzipped it to the desktop, ...tried to run it, ...doesn't do anything, no window, no nothing... it doesn't open :-(

#9 -David-

Posted 21 August 2006 - 01:19 PM

Ok, that was expected.
The rootkit stops Rootkit Revealer from working I think.

Next click start > run
copy and paste the following line and hit enter or click ok.

C:\Documents and Settings

Now look carefully and tell me if there is a profile name you don't recognize, it will have a random name.

Run HijackThis, click on Open the Misc Tools Section
Click on Open ADS Spy
uncheck the "Quick Scan"
Check the "Ignore safe system info data streams"
Finally, click Scan button. ADS Spy will scan the system and report all the ADS present in the system.
Click Save log and post the ADS log back here.

Then double click gmer.exe
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say No.
Click the autostart tab and click scan
Wait for scan to finish.

Once done click copy
Open Notepad and hit ctrl+v to paste log.
post log please.

Finally, Start > Run > services.msc

Make the window larger so that you can see all columns. The fifth column tells you how a service starts, Local System or System ... now look if you see weird random characters in that column or the name of a file. If yes, what is the name of the service in the first column? Next, double-click on the entry ... what's the path to the executable?

David
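
ADS Spy prints one line per alternate data stream in the form `path : stream (N bytes)`. The script below is an added example for this thread (not ADS Spy's code and not the helper's) that triages such a log the way a helper reads it: it counts streams by name so a mass of identical metadata streams is visible at a glance, and flags only streams named like executables or unknown streams big enough to hold code. `BENIGN_STREAMS` and `MIN_PAYLOAD_SIZE` are the author's assumptions; the first three sample lines are in the ADS Spy format shown in this thread and the remaining lines are constructed to exercise each rule.

```python
"""Triage an ADS Spy log: group alternate data streams by name and flag the
ones that look like hidden payloads rather than routine file metadata.

Added example for this thread, not ADS Spy's or the poster's code.
BENIGN_STREAMS and MIN_PAYLOAD_SIZE are the author's assumptions.
"""
import re
from collections import Counter

# ADS Spy prints one stream per line:  <path> : <stream name> (<size> bytes)
LINE_RE = re.compile(r"^(?P<path>.+?) : (?P<stream>.+?) \((?P<size>\d+) bytes\)$")

# Streams written routinely by file-sharing and browser components (assumption):
# Afp_* streams carry Macintosh file info, Zone.Identifier is IE's download mark.
BENIGN_STREAMS = {"Afp_AfpInfo", "Afp_Resource", "Zone.Identifier", "encryptable"}
# A stream named like a program is the classic way to park a payload in an ADS.
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js")
# Below this size an unknown stream is unlikely to hold code (assumed threshold).
MIN_PAYLOAD_SIZE = 4096

# First three lines follow the ADS Spy output in this thread; the rest are
# constructed so that every rule fires once.
SAMPLE_LOG = r"""
F:\Shelby RA 2004\dvd\dvd v1\Sources\Menus\Video_Bpgc_Csf.mpg : Afp_AfpInfo (48 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11157900910000000001.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\Video\Silence.ac3 : Afp_AfpInfo (48 bytes)
C:\Documents and Settings\user\Desktop\installer.exe : Zone.Identifier (26 bytes)
C:\WINDOWS\Temp\notes.txt : svc.exe (61440 bytes)
C:\WINDOWS\system32\readme.txt : data (24 bytes)
C:\WINDOWS\system32\drivers\etc\hosts : config (8192 bytes)
"""


def parse_ads_log(text):
    """Return (path, stream, size) tuples; lines that are not stream entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("stream"), int(m.group("size"))))
    return entries


def classify(stream, size):
    """Return (severity, reason) for one stream, or None when nothing stands out."""
    if stream.lower().endswith(EXEC_EXT):
        return "high", "stream is named like an executable"
    if stream in BENIGN_STREAMS:
        return None
    if size >= MIN_PAYLOAD_SIZE:
        return "medium", "unrecognised stream large enough to hold code"
    return "low", "unrecognised stream name"


def triage_ads(text):
    """Return (per-stream-name counts, flagged entries sorted by severity)."""
    entries = parse_ads_log(text)
    summary = Counter(stream for _, stream, _ in entries)
    flagged = []
    for path, stream, size in entries:
        verdict = classify(stream, size)
        if verdict:
            flagged.append({"path": path, "stream": stream, "size": size,
                            "severity": verdict[0], "reason": verdict[1]})
    flagged.sort(key=lambda f: {"high": 0, "medium": 1, "low": 2}[f["severity"]])
    return summary, flagged


if __name__ == "__main__":
    counts, hits = triage_ads(SAMPLE_LOG)
    for name, n in counts.most_common():
        print(f"{n:4d} x {name}")
    for hit in hits:
        print(f"[{hit['severity']}] {hit['path']} : {hit['stream']} "
              f"({hit['size']} bytes) - {hit['reason']}")
```

Run it against a saved ADS Spy log by passing the file contents to `triage_ads`; the count table is what makes a few hundred `Afp_AfpInfo` lines from a video project collapse into one row, while the flagged list is short enough to check by hand.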

#10 delahuerta

delahuerta
  • Topic Starter

  • Members
  • 13 posts

Posted 21 August 2006 - 01:34 PM

First let me mention that I rebooted and I am no longer getting the popups, and the randomly named files are no longer being generated in the Windows directory. So that is good so far, thanks!!! :-)


>>Now look carefully and tell me if there is a profile name you don't recognize, it will have a random name.

OK, there was no random profile in there; it all looked good.

>>Run HijackThis, click on Open the Misc Tools Section ..
Note: these all look like my video project stream files.

F:\Shelby RA 2004\dvd\dvd v1\Sources\Menus\Video_Bpgc_Csf.mpg : Afp_AfpInfo (48 bytes)
F:\Shelby RA 2004\dvd\dvd v1\Sources\Menus\Video_Bpgc_Csf.mpg.mcses : Afp_AfpInfo (48 bytes)
F:\Shelby RA 2004\dvd\dvd v1\Sources\VideoBlack.bmp : Afp_AfpInfo (48 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11157900910000000001.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11157900940000000006.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11157902350000000007.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11157902920000000012.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11157913460000000013.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11158488410000000022.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11158488420000000023.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11158488670000000028.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11158488690000000033.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11221991220000000042.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11221991230000000043.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11221994690000000050.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11221994710000000055.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11221994800000000056.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11221994830000000059.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11221994890000000060.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11221994900000000063.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11221995870000000064.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11221998720000000077.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11221998740000000082.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11221998880000000083.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11221998890000000086.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11221999020000000087.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11221999040000000092.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222010770000000097.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222010770000000098.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222377940000000099.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222377940000000100.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222377950000000101.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222377960000000102.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222377960000000103.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222377960000000104.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222377970000000105.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222377970000000106.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222377980000000107.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222377980000000108.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222377990000000109.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222378000000000110.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222378010000000111.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222378010000000112.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222509440000000113.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222509450000000114.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222509450000000115.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222509460000000116.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222509470000000117.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222509470000000118.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222509480000000119.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222509480000000120.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222509490000000121.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222509490000000122.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222509500000000123.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222509510000000124.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222509520000000125.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\CacheDataFiles\N_11222509520000000126.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Cache\SubtitleDataFiles\SpuSplit.ses : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Sources\credits.mpg_ses\credits.mpg.ses : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Sources\fun_clips.mpg_ses\fun_clips.mpg.ses : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Sources\main movie.m2v_ses\main movie.m2v.ses : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Sources\mainmovie.mpg_ses\mainmovie.mpg.ses : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Sources\rating.m2v_ses\rating.m2v.ses : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Sources\rating.mpg_ses\rating.mpg.ses : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Sources\raw_sessions.mpg_ses\raw_sessions.mpg.ses : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Sources\sounds_of_nwsc.mpg_ses\sounds_of_nwsc.mpg.ses : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Sources\Transcodes\dvd into part 1 in_avi\dvd into part 1 in_avi.ses : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Sources\Transcodes\intro DVD menu audio_wav\intro DVD menu audio_wav.ses : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\dvd v2\Sources\Video\Silence.ac3 : Afp_AfpInfo (48 bytes)
F:\Shelby RA 2004\dvd\main video only\Cache\CacheDataFiles\N_11158822870000000001.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\main video only\Cache\CacheDataFiles\N_11158822870000000002.bmp : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\main video only\Cache\SubtitleDataFiles\SpuSplit.ses : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\main video only\Sources\main movie.m2v_ses\main movie.m2v.ses : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\main video only\Sources\Transcodes\main movie_wav\main movie_wav.ses : Afp_AfpInfo (32 bytes)
F:\Shelby RA 2004\dvd\main video only\Sources\Video\Silence.ac3 : Afp_AfpInfo (48 bytes)
G:\NASA RA April 05\DVD\brians race\Cache\CacheDataFiles\N_11144095790000000001.bmp : Afp_AfpInfo (32 bytes)
G:\NASA RA April 05\DVD\brians race\Cache\CacheDataFiles\N_11144095910000000006.bmp : Afp_AfpInfo (32 bytes)
G:\NASA RA April 05\DVD\brians race\Sources\brians race DVD.m2v_ses\brians race DVD.m2v.ses : Afp_AfpInfo (32 bytes)
G:\NASA RA April 05\DVD\brians race\Sources\brians race DVD.wav_ses\brians race DVD.wav.ses : Afp_AfpInfo (32 bytes)
G:\NASA RA April 05\DVD\brians race\Sources\Transcodes\brians race DVD_wav\brians race DVD_wav.ses : Afp_AfpInfo (32 bytes)
G:\stcloud 8-13-05\dvd\dawn at stcloud\Cache\CacheDataFiles\N_11312208220000000001.bmp : Afp_AfpInfo (32 bytes)
G:\stcloud 8-13-05\dvd\dawn at stcloud\Cache\CacheDataFiles\N_11312208230000000002.bmp : Afp_AfpInfo (32 bytes)
G:\stcloud 8-13-05\dvd\dawn at stcloud\Cache\CacheDataFiles\N_11312230460000000003.bmp : Afp_AfpInfo (32 bytes)
G:\stcloud 8-13-05\dvd\dawn at stcloud\Cache\CacheDataFiles\N_11312230610000000006.bmp : Afp_AfpInfo (32 bytes)
G:\stcloud 8-13-05\dvd\dawn at stcloud\Cache\SubtitleDataFiles\SpuSplit.ses : Afp_AfpInfo (32 bytes)
G:\stcloud 8-13-05\dvd\dawn at stcloud\Sources\dawn_stcloud_DVD.mpg_ses\dawn_stcloud_DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\stcloud 8-13-05\dvd\dawn at stcloud\Sources\Video\Silence.ac3 : Afp_AfpInfo (48 bytes)
G:\stcloud 8-13-05\dvd\dawn at stcloud\Sources\Video\VideoBlack.bmp : Afp_AfpInfo (48 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829530000000096.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829550000000097.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829560000000098.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829570000000099.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829580000000100.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829590000000101.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829610000000102.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829620000000103.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829630000000104.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829640000000105.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829660000000106.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829670000000107.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829680000000108.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829690000000109.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829700000000110.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829710000000111.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829720000000112.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829730000000113.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11168829730000000114.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244297760000000115.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244297780000000116.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244297810000000117.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244297830000000118.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244297850000000119.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244297880000000120.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244297900000000121.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244297910000000122.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244297950000000123.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244297970000000124.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244297990000000125.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298020000000126.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298050000000127.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298070000000128.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298100000000129.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298120000000130.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298150000000131.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298170000000132.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298200000000133.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298220000000134.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298240000000135.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298270000000136.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298300000000137.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298330000000138.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298340000000139.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298370000000140.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298390000000141.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298410000000142.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298430000000143.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298450000000144.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298470000000145.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298480000000146.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298510000000147.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298530000000148.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298550000000149.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298570000000150.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298600000000151.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244298620000000152.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244320150000000153.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244320190000000160.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244344490000000161.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244344520000000168.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244355590000000169.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244355620000000174.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244362280000000175.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\CacheDataFiles\N_11244362310000000180.bmp : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Cache\SubtitleDataFiles\SpuSplit.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\08-07-2002-bir DVD.mpg_ses\08-07-2002-bir DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\7-10-2004_vscr_chasing_500plus_rwhp_z06_.mpg_ses\7-10-2004_vscr_chasing_500plus_rwhp_z06_.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\bir_08-04-2004_chasing_lambo_1_dvd.mpg_ses\bir_08-04-2004_chasing_lambo_1_dvd.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\bir_08-04-2004_chasing_lambo_2_dvd.mpg_ses\bir_08-04-2004_chasing_lambo_2_dvd.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\BIR_8-4-05_fastlap DVD.mpg_ses\BIR_8-4-05_fastlap DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\bir_preview_august_2003_DVD.mpg_ses\bir_preview_august_2003_DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\DVD mowog1 2002 music video.mpg_ses\DVD mowog1 2002 music video.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\Laguna Seca 1 Lap DVD.mpg_ses\Laguna Seca 1 Lap DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\Laguna Seca Track Car DVD.mpg_ses\Laguna Seca Track Car DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\MAM - May 1-2 2004 DVD.mpg_ses\MAM - May 1-2 2004 DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\mam_10_30_04_911turbo DVD.mpg_ses\mam_10_30_04_911turbo DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\mam_10_30_04_c6 DVD.mpg_ses\mam_10_30_04_c6 DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\mam_10_30_04_gt3 DVD.mpg_ses\mam_10_30_04_gt3 DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\mam_10_30_04_pjerk DVD.mpg_ses\mam_10_30_04_pjerk DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\mrr_2002_DVD.mpg_ses\mrr_2002_DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\nasa_autobahn_06-05_fastlap DVD.mpg_ses\nasa_autobahn_06-05_fastlap DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\nasa_autobahn_06-05_roof_cam DVD.mpg_ses\nasa_autobahn_06-05_roof_cam DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\nasa_autobahn_07-05_fastlap DVD.mpg_ses\nasa_autobahn_07-05_fastlap DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\nasa_fast_lap_ra_04-10-05_dvd.mpg_ses\nasa_fast_lap_ra_04-10-05_dvd.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\PassingGame - DVD.mpg_ses\PassingGame - DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\ra_10_16_04_spltscreen DVD.mpg_ses\ra_10_16_04_spltscreen DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\ra_10_16_04_vertigo_DVD.mpg_ses\ra_10_16_04_vertigo_DVD.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\run1.mpg_ses\run1.mpg.ses : Afp_AfpInfo (32 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\Video\Silence.ac3 : Afp_AfpInfo (48 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\Video\Transparent.spu : Afp_AfpInfo (48 bytes)
G:\track movies data disk\dvd\track dvd v1\Sources\Video\VideoBlack.bmp : Afp_AfpInfo (48 bytes)



>>Click the autostart tab and click scan...post log

GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-21 13:28:04
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@DLLName = WgaLogon.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = \\?\C:\WINDOWS\com6.iwx

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Automatic LiveUpdate Scheduler /*Automatic LiveUpdate Scheduler*/@ = "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C-DillaCdaC11BA /*C-DillaCdaC11BA*/@ = C:\WINDOWS\system32\drivers\CDAC11BA.EXE
ccEvtMgr /*Symantec Event Manager*/@ = "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
ccSetMgr /*Symantec Settings Manager*/@ = "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
CLTNetCnService /*Symantec Lic NetConnect service*/@ = "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
ewido anti-spyware 4.0 guard /*ewido anti-spyware 4.0 guard*/@ = C:\Program Files\ewido anti-spyware 4.0\guard.exe
MDM /*Machine Debug Manager*/@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
NVSvc /*NVIDIA Display Driver Service*/@ = %SystemRoot%\system32\nvsvc32.exe
PMJ151LA /*PMJ151 AutoLaunch Service*/@ = %SystemRoot%\PMJ151LA.BIN
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SDhelper /*PC Tools Spyware Doctor*/@ = C:\Program Files\Spyware Doctor\sdhelp.exe
SMTPSVC /*Simple Mail Transfer Protocol (SMTP)*/@ = C:\WINDOWS\system32\inetsrv\inetinfo.exe
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
SymAppCore /*Symantec AppCore Service*/@ = "C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"
WinDefend /*Windows Defender Service*/@ = "C:\Program Files\Windows Defender\MsMpEng.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ /*file not found*/ = /*file not found*/
@NVIDIA nTune"C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear = "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@nwiznwiz.exe /install = nwiz.exe /install
@NvMediaCenterRunDLL32.exe NvMCTray.dll,NvTaskbarInit = RunDLL32.exe NvMCTray.dll,NvTaskbarInit
@NAV CfgWiz"C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe" /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT" /*file not found*/ = "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe" /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT" /*file not found*/
@!ewido"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized = "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
@AVG7_CCC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Steam = /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ >>>
SharedTaskScheduler@{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} =

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}C:\PROGRA~1\WINDOW~4\MpShHook.dll = C:\PROGRA~1\WINDOW~4\MpShHook.dll
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{5a61f7a0-cde1-11cf-9113-00aa00425c62} /*IIS Shell Extension*/C:\WINDOWS\System32\inetsrv\w3ext.dll = C:\WINDOWS\System32\inetsrv\w3ext.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\System32\nvcpl.dll = C:\WINDOWS\System32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{5E44E225-A408-11CF-B581-008029601108} /*Roxio DragToDisc Shell Extension*/C:\Utilities\Easy Media Creator 7\Drag to Disc\Shellex.dll = C:\Utilities\Easy Media Creator 7\Drag to Disc\Shellex.dll
@{0873D142-79EF-49fa-81B5-211AAC0B0A7F} /*Target Finder Shell Extension*/C:\Utilities\Easy Media Creator 7\Creator Classic\TargetFinder.dll = C:\Utilities\Easy Media Creator 7\Creator Classic\TargetFinder.dll
@{9AF41401-0C93-11D4-A854-00105A80791C} /*OKI Network Extension*/C:\WINDOWS\system32\opnetext.dll = C:\WINDOWS\system32\opnetext.dll
@{0AC6C6C5-F7A8-11D2-BEF4-00C04F990001} /*Macromedia FTP & RDS*/C:\WINDOWS\system32\CfShellFtpRds.dll = C:\WINDOWS\system32\CfShellFtpRds.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Utilities\itunes\iTunesMiniPlayer.dll = C:\Utilities\itunes\iTunesMiniPlayer.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Program Files\Grisoft\AVG Free\avgse.dll = C:\Program Files\Grisoft\AVG Free\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Program Files\Grisoft\AVG Free\avgse.dll = C:\Program Files\Grisoft\AVG Free\avgse.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
Symantec.Norton.Antivirus.IEContextMenu@{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll /*file not found*/

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
Symantec.Norton.Antivirus.IEContextMenu@{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{7F930064-260E-B0C2-9EFB-0727EBD828C3} = C:\WINDOWS\mukdx1.dll

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.com/ = http://www.google.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3515C469-417D-4772-A843-C0A25954F496} /*Local Area Connection*/ >>>
@IPAddress192.168.1.38 = 192.168.1.38
@NameServer192.168.1.1 = 192.168.1.1
@DefaultGateway192.168.1.1 = 192.168.1.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{418528CC-329A-4CBF-BE69-C3354217F694} /*Local Area Connection 2*/ >>>
@IPAddress192.168.1.38 = 192.168.1.38
@NameServer68.87.77.130,68.87.72.130 = 68.87.77.130,68.87.72.130
@DefaultGateway192.168.1.1 = 192.168.1.1
@Domain =

C:\Documents and Settings\Damian Dela Huerta\Start Menu\Programs\Startup >>>
Adobe Gamma.lnk = Adobe Gamma.lnk
Trillian.lnk = Trillian.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Acrobat Assistant.lnk = Acrobat Assistant.lnk
Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk

---- EOF - GMER 1.0.10 ----

>>Make the window larger so that you can see all columns. Fifth column tells you how a service starts, Local system or System ... now look if you see weird random characters in that column or the name of a file. If yes, what is the name of the service in the first column ?

Nothing odd there, all were either Local system or Network Service

so far so good?

#11 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 21 August 2006 - 01:40 PM

Gotcha! Found the offending file:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = \\?\C:\WINDOWS\com6.iwx

I've got enough info now, let's remove it!
Good luck!

1) It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

2) Please complete the following for every username on the computer.
Clean your Cache and Cookies in IE

Close all instances of Internet Explorer .
Go to your control panel and open "Internet Options".
Click on the "General" tab.
Click the "Delete Cookies" button, then the "Delete Files" button.
When prompted, place a tick in the "Delete all offline content" box and click OK.

Clean other Temporary files and Empty the Recycle Bin

Go to start and click on the "run" button.
Type the following in the box --> cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.

Now log back into the administrator account (probably you).

3) A. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
B. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINDOWS\com6.iwx
C:\WINDOWS\mukdx1.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

C. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
D. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4) Launch Notepad, and copy/paste the box below into a new text file. Save it as Options.txt on your Desktop.

RegSearch Options File

[Search]
mukdx1
com6
7F930064-260E-B0C2-9EFB-0727EBD828C3
[Exclude]

[Options]
Filter=KVDLUI

Download Registry Search and extract it. Doubleclick the icon to run and click on "Import...". Select the file you created above. Click "OK" and Registry Search will search the Registry and report what it finds. Post that here.

5) Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Class - {7F930064-260E-B0C2-9EFB-0727EBD828C3} - C:\WINDOWS\mukdx1.dll (file missing)


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

6) Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply. Also post the regsearch log.

David
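The AppInit_DLLs entry David spotted in the GMER dump, and the orphaned O2/R3 entries he asks to fix in HijackThis, are the kind of lines a log reader wants flagged automatically. The Python below is an added example, not David's tooling nor HijackThis or GMER code: it runs a few triage rules of my own over lines constructed from the dump and the HJT log in this thread, and the rule names, red-flag heuristics and the assumed `C:\WINDOWS` system root are mine.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the GMER registry dump and HijackThis log
# posted in this thread (constructed here as a list, not a live capture).
SAMPLE_LINES = [
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = \\?\C:\WINDOWS\com6.iwx",
    r"HKCU\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.google.com/",
    "R3 - Default URLSearchHook is missing",
    "O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)",
    r"O2 - BHO: Class - {7F930064-260E-B0C2-9EFB-0727EBD828C3} - C:\WINDOWS\mukdx1.dll (file missing)",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
]


@dataclass
class Finding:
    rule: str     # short rule name
    line: str     # the log line that triggered it
    detail: str   # why it merits a look


# GMER writes registry values as  <key>@<value name> = <data>
APPINIT_RE = re.compile(r"@AppInit_DLLs\s*=\s*(.*)$", re.IGNORECASE)
# HijackThis O2 line:  O2 - BHO: <name> - {CLSID} - <path or status>
BHO_RE = re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
EXT_PREFIX = "\\\\?\\"          # the literal \\?\ extended-length path prefix
WINDIR = r"c:\windows"          # assumption: XP default %SystemRoot%


def describe_appinit(value: str) -> str:
    """Rank the red flags in an AppInit_DLLs value.

    Any non-empty value deserves review on XP, because each listed DLL is
    loaded into every process that maps user32.dll; the checks below are
    heuristics of my own, not a published signature.
    """
    reasons = []
    for entry in re.split(r"[ ,]+", value.strip()):
        if not entry:
            continue
        path = entry
        if path.startswith(EXT_PREFIX):
            reasons.append(r"extended-length \\?\ prefix (unusual for a normal installer)")
            path = path[len(EXT_PREFIX):]
        parent, _, name = path.rpartition("\\")
        if not name.lower().endswith(".dll"):
            reasons.append(f"non-.dll extension on {name}")
        if parent.lower() == WINDIR:
            reasons.append(f"{name} sits directly in the Windows directory, not system32")
    return "; ".join(reasons) if reasons else "non-empty entry, no obvious red flags"


def triage(lines):
    """Run the triage rules over log lines; return the findings in order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = APPINIT_RE.search(line)
        if m:
            if m.group(1).strip():
                findings.append(Finding("appinit_dlls", line, describe_appinit(m.group(1))))
            continue
        m = BHO_RE.match(line)
        if m:
            clsid, target = m.groups()
            # A BHO whose DLL is gone is a leftover registration: HijackThis
            # can fix it, and the CLSID is worth searching for elsewhere.
            if "(no file)" in target or "(file missing)" in target:
                findings.append(Finding("orphaned_bho", line, f"{clsid} -> {target}"))
            continue
        if line.startswith("R3 - Default URLSearchHook is missing"):
            findings.append(Finding("urlsearchhook_missing", line,
                                    "default hook absent; often left behind after a hijacker's own hook is removed"))
    return findings


def summarize(findings):
    """Count findings per rule, handy for a quick glance at a long log."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```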

#12 delahuerta

delahuerta
  • Topic Starter

  • Members
  • 13 posts

Posted 21 August 2006 - 01:58 PM

ok, avenger log:
NOTE: I thought I saw for a second a command prompt screen flash with some details on what avenger was doing, and I thought it said something about not being able to delete or remove the com6 file? But the log shows otherwise?


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fvnhuojx

*******************

Script file located at: \??\C:\Documents and Settings\orqxgfjg.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\com6.iwx deleted successfully.
File C:\WINDOWS\mukdx1.dll deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.


regsearch log:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.1.0

; Results at 8/21/2006 1:56:46 PM for strings:
; 'mukdx1'
; 'com6'
; '7f930064-260e-b0c2-9efb-0727ebd828c3'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01177166-E49F-1937-225E-2F649D887AC9}\InprocServer32]
@="C:\\WINDOWS\\mukdx1.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5BC49BE3-C97D-0699-9FD7-6E82F1D1628A}\InprocServer32]
@="C:\\WINDOWS\\mukdx1.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
"{7F930064-260E-B0C2-9EFB-0727EBD828C3}"=""

[HKEY_USERS\S-1-5-21-1547161642-412668190-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7F930064-260E-B0C2-9EFB-0727EBD828C3}]

[HKEY_USERS\S-1-5-21-1547161642-412668190-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7F930064-260E-B0C2-9EFB-0727EBD828C3}\iexplore]

; End Of The Log...




fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:53:12 PM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Graphics\acro\Distillr\AcroTray.exe
C:\Internet\Trillian\trillian.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Downloads\virus fixers\regsearch.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Utilities\AntiVirusStuff\HijackThis\AnyliseIt.exe

O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe" /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Trillian.lnk = C:\Internet\Trillian\trillian.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Graphics\acro\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Graphics\Adobe\Reader7\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134553508911
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...831/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3515C469-417D-4772-A843-C0A25954F496}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{418528CC-329A-4CBF-BE69-C3354217F694}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{3515C469-417D-4772-A843-C0A25954F496}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsubleepa Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

#13 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 21 August 2006 - 02:09 PM

Hey there,

Not too sure about what you saw the Avenger doing, but it was able to successfully delete the files.
Now we just have a bit of clearing up to do, there are a few leftovers in the registry that I want to delete.

Please open notepad and copy and paste the bold text below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01177166-E49F-1937-225E-2F649D887AC9}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5BC49BE3-C97D-0699-9FD7-6E82F1D1628A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
"{7F930064-260E-B0C2-9EFB-0727EBD828C3}"=-

[-HKEY_USERS\S-1-5-21-1547161642-412668190-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7F930064-260E-B0C2-9EFB-0727EBD828C3}]


Save this as "fix.reg". Choose to save as *all files, and place it on your desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

Also let me know how the computer is running.
David

Edited by D-Trojanator, 21 August 2006 - 02:09 PM.


#14 delahuerta

delahuerta
  • Topic Starter

  • Members
  • 13 posts

Posted 21 August 2006 - 02:19 PM

ok, did the reg change and ran combo; so far so good. Here is the combo log:

Damian Dela Huerta - 06-08-21 14:12:51.23
ComboFix 06.08.18 - Running from: C:\Documents and Settings\Damian Dela Huerta\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-07-21 to 2006-08-21 ))))))))))))))))))))))))))))))))))


2006-08-21 04:39 <DIR> C:\WINDOWS\McAfee.com
2006-08-18 10:07 48,824 C:\WINDOWS\system32\S32EVNT1.DLL
2006-08-12 00:10 857,792 C:\WINDOWS\system32\SymNeti.dll
2006-08-12 00:10 399,552 C:\WINDOWS\system32\SymRedir.dll
2006-08-11 23:21 9,728 C:\WINDOWS\system32\comsdupd.exe
2006-08-11 23:21 870,784 C:\WINDOWS\system32\ati3d1ag.dll
2006-08-11 23:21 86,016 C:\WINDOWS\system32\mdmxsdk.dll
2006-08-11 23:21 73,832 C:\WINDOWS\system32\slcoinst.dll
2006-08-11 23:21 73,796 C:\WINDOWS\system32\slserv.exe
2006-08-11 23:21 7,168 C:\WINDOWS\system32\hccoin.dll
2006-08-11 23:21 516,768 C:\WINDOWS\system32\ativvaxx.dll
2006-08-11 23:21 397,056 C:\WINDOWS\system32\s3gnb.dll
2006-08-11 23:21 377,984 C:\WINDOWS\system32\ati2dvaa.dll
2006-08-11 23:21 32,866 C:\WINDOWS\system32\slrundll.exe
2006-08-11 23:21 32,866 C:\WINDOWS\slrundll.exe
2006-08-11 23:21 32,768 C:\WINDOWS\system32\ativtmxx.dll
2006-08-11 23:21 32,285 C:\WINDOWS\system32\hsfcisp2.dll
2006-08-11 23:21 286,792 C:\WINDOWS\system32\slextspk.dll
2006-08-11 23:21 229,376 C:\WINDOWS\system32\ati2cqag.dll
2006-08-11 23:21 201,728 C:\WINDOWS\system32\ati2dvag.dll
2006-08-11 23:21 188,508 C:\WINDOWS\system32\slgen.dll
2006-08-11 23:21 1,888,992 C:\WINDOWS\system32\ati3duag.dll
2006-08-11 23:21 1,737,856 C:\WINDOWS\system32\mtxparhd.dll
2006-08-11 21:18 62,744 C:\WINDOWS\system32\xinput1_2.dll
2006-08-11 21:18 236,824 C:\WINDOWS\system32\xactengine2_3.dll
2006-08-11 21:18 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-08-11 21:17 83,456 C:\WINDOWS\system32\dpvsetup.exe
2006-08-11 21:17 825,344 C:\WINDOWS\system32\d3dim700.dll
2006-08-11 21:17 82,432 C:\WINDOWS\system32\dmscript.dll
2006-08-11 21:17 8,192 C:\WINDOWS\system32\d3d8thk.dll
2006-08-11 21:17 733,696 C:\WINDOWS\system32\qedwipes.dll
2006-08-11 21:17 71,680 C:\WINDOWS\system32\dsdmoprp.dll
2006-08-11 21:17 70,656 C:\WINDOWS\system32\amstream.dll
2006-08-11 21:17 63,768 C:\WINDOWS\system32\dxdllreg.exe
2006-08-11 21:17 619,008 C:\WINDOWS\system32\dx7vb.dll
2006-08-11 21:17 61,440 C:\WINDOWS\system32\dmcompos.dll
2006-08-11 21:17 60,928 C:\WINDOWS\system32\dpnhupnp.dll
2006-08-11 21:17 59,904 C:\WINDOWS\system32\devenum.dll
2006-08-11 21:17 57,344 C:\WINDOWS\system32\dpwsockx.dll
2006-08-11 21:17 562,176 C:\WINDOWS\system32\qedit.dll
2006-08-11 21:17 50,688 C:\WINDOWS\system32\wstdecod.dll
2006-08-11 21:17 4,096 C:\WINDOWS\system32\ksuser.dll
2006-08-11 21:17 385,024 C:\WINDOWS\system32\qdvd.dll
2006-08-11 21:17 375,296 C:\WINDOWS\system32\dpnet.dll
2006-08-11 21:17 367,616 C:\WINDOWS\system32\dsound.dll
2006-08-11 21:17 363,520 C:\WINDOWS\system32\psisdecd.dll
2006-08-11 21:17 35,840 C:\WINDOWS\system32\dmloader.dll
2006-08-11 21:17 35,328 C:\WINDOWS\system32\mciqtz32.dll
2006-08-11 21:17 35,328 C:\WINDOWS\system32\dpnhpast.dll
2006-08-11 21:17 30,208 C:\WINDOWS\system32\dplaysvr.exe
2006-08-11 21:17 3,584 C:\WINDOWS\system32\dpnlobby.dll
2006-08-11 21:17 3,584 C:\WINDOWS\system32\dpnaddr.dll
2006-08-11 21:17 28,672 C:\WINDOWS\system32\dmband.dll
2006-08-11 21:17 279,040 C:\WINDOWS\system32\qdv.dll
2006-08-11 21:17 27,136 C:\WINDOWS\system32\ddrawex.dll
2006-08-11 21:17 266,240 C:\WINDOWS\system32\ddraw.dll
2006-08-11 21:17 23,552 C:\WINDOWS\system32\dpmodemx.dll
2006-08-11 21:17 229,888 C:\WINDOWS\system32\dplayx.dll
2006-08-11 21:17 212,480 C:\WINDOWS\system32\dpvoice.dll
2006-08-11 21:17 21,504 C:\WINDOWS\system32\dpvacm.dll
2006-08-11 21:17 204,288 C:\WINDOWS\system32\mswebdvd.dll
2006-08-11 21:17 20,480 C:\WINDOWS\system32\encapi.dll
2006-08-11 21:17 192,512 C:\WINDOWS\system32\qcap.dll
2006-08-11 21:17 19,456 C:\WINDOWS\system32\dswave.dll
2006-08-11 21:17 181,760 C:\WINDOWS\system32\dsdmo.dll
2006-08-11 21:17 181,248 C:\WINDOWS\system32\dmime.dll
2006-08-11 21:17 18,432 C:\WINDOWS\system32\dpnsvr.exe
2006-08-11 21:17 17,408 C:\WINDOWS\system32\msyuv.dll
2006-08-11 21:17 14,336 C:\WINDOWS\system32\msdmo.dll
2006-08-11 21:17 116,736 C:\WINDOWS\system32\dpvvox.dll
2006-08-11 21:17 105,984 C:\WINDOWS\system32\dmstyle.dll
2006-08-11 21:17 104,448 C:\WINDOWS\system32\dmusic.dll
2006-08-11 21:17 103,424 C:\WINDOWS\system32\dmsynth.dll
2006-08-11 21:17 1,428,480 C:\WINDOWS\system32\msvidctl.dll
2006-08-11 21:17 1,298,432 C:\WINDOWS\system32\dxdiag.exe
2006-08-11 21:17 1,294,336 C:\WINDOWS\system32\dsound3d.dll
2006-08-11 21:17 1,287,168 C:\WINDOWS\system32\quartz.dll
2006-08-11 21:17 1,227,264 C:\WINDOWS\system32\dx8vb.dll
2006-08-11 21:17 1,179,648 C:\WINDOWS\system32\d3d8.dll
2006-08-11 21:14 1,082,368 C:\WINDOWS\system32\esent.dll
2006-08-11 20:59 351,232 C:\WINDOWS\system32\winhttp.dll
2006-08-11 20:59 18,944 C:\WINDOWS\system32\qmgrprxy.dll
2006-08-11 20:56 614,912 C:\WINDOWS\system32\h323msp.dll
2006-08-11 20:56 39,936 C:\WINDOWS\system32\mf3216.dll
2006-08-11 20:56 331,264 C:\WINDOWS\system32\ipnathlp.dll
2006-08-11 20:56 26,112 C:\WINDOWS\system32\xpsp1hfm.exe
2006-08-11 15:50 8,704 C:\WINDOWS\system32\infoctrs.dll
2006-08-11 15:50 8,192 C:\WINDOWS\system32\staxmem.dll
2006-08-11 15:50 7,168 C:\WINDOWS\system32\wamregps.dll
2006-08-11 15:50 68,608 C:\WINDOWS\system32\iisext.dll
2006-08-11 15:50 64,512 C:\WINDOWS\system32\iismap.dll
2006-08-11 15:50 6,144 C:\WINDOWS\system32\ftpsapi2.dll
2006-08-11 15:50 6,144 C:\WINDOWS\system32\admxprox.dll
2006-08-11 15:50 56,320 C:\WINDOWS\system32\convlog.exe
2006-08-11 15:50 5,632 C:\WINDOWS\system32\w3svapi.dll
2006-08-11 15:50 5,632 C:\WINDOWS\system32\iisrstap.dll
2006-08-11 15:50 43,520 C:\WINDOWS\system32\admwprox.dll
2006-08-11 15:50 4,608 C:\WINDOWS\system32\w3ctrs.dll
2006-08-11 15:50 3,584 C:\WINDOWS\system32\iismui.dll
2006-08-11 15:50 19,968 C:\WINDOWS\system32\inetsloc.dll
2006-08-11 15:50 14,336 C:\WINDOWS\system32\iisreset.exe
2006-08-11 15:50 14,336 C:\WINDOWS\system32\exstrace.dll
2006-08-11 15:50 133,632 C:\WINDOWS\system32\iisrtl.dll
2006-08-11 15:50 13,312 C:\WINDOWS\system32\infoadmn.dll
2006-08-11 15:50 124,184 C:\WINDOWS\system32\wuauclt.exe
2006-08-11 15:50 10,240 C:\WINDOWS\system32\aspperf.dll
2006-08-11 15:50 1,343,768 C:\WINDOWS\system32\wuaueng.dll
2006-08-11 15:49 290,816 C:\WINDOWS\system32\adsiis.dll
2006-08-11 15:42 201,728 C:\WINDOWS\system32\fdco1ins.dll
2006-08-11 15:16 24,661 C:\WINDOWS\system32\spxcoins.dll
2006-08-11 15:16 13,312 C:\WINDOWS\system32\irclass.dll
2006-08-11 14:17 77,824 C:\WINDOWS\soundman.exe
2006-08-11 14:15 9,728 C:\WINDOWS\system32\bdco1ins.dll
2006-08-11 13:28 81,920 C:\WINDOWS\system32\isign32.dll
2006-08-11 13:28 81,920 C:\WINDOWS\system32\ils.dll
2006-08-11 13:28 73,728 C:\WINDOWS\system32\icwdial.dll
2006-08-11 13:28 69,632 C:\WINDOWS\system32\msconf.dll
2006-08-11 13:28 679,424 C:\WINDOWS\system32\inetcomm.dll
2006-08-11 13:28 67,584 C:\WINDOWS\system32\srclient.dll
2006-08-11 13:28 65,536 C:\WINDOWS\system32\icwphbk.dll
2006-08-11 13:28 48,128 C:\WINDOWS\system32\inetres.dll
2006-08-11 13:28 45,568 C:\WINDOWS\system32\safrslv.dll
2006-08-11 13:28 43,520 C:\WINDOWS\system32\safrcdlg.dll
2006-08-11 13:28 43,520 C:\WINDOWS\system32\racpldlg.dll
2006-08-11 13:28 382,464 C:\WINDOWS\system32\qmgr.dll
2006-08-11 13:28 34,560 C:\WINDOWS\system32\mnmdd.dll
2006-08-11 13:28 32,768 C:\WINDOWS\system32\mnmsrvc.exe
2006-08-11 13:28 32,768 C:\WINDOWS\system32\isrdbg32.dll
2006-08-11 13:28 29,696 C:\WINDOWS\system32\safrdm.dll
2006-08-11 13:28 28,672 C:\WINDOWS\system32\nmmkcert.dll
2006-08-11 13:28 274,944 C:\WINDOWS\system32\mstask.dll
2006-08-11 13:28 274,432 C:\WINDOWS\system32\inetcfg.dll
2006-08-11 13:28 252,928 C:\WINDOWS\system32\msoeacct.dll
2006-08-11 13:28 239,104 C:\WINDOWS\system32\srrstr.dll
2006-08-11 13:28 190,976 C:\WINDOWS\system32\schedsvc.dll
2006-08-11 13:28 170,496 C:\WINDOWS\system32\srsvc.dll
2006-08-11 13:28 12,288 C:\WINDOWS\system32\mstinit.exe
2006-08-11 13:28 105,984 C:\WINDOWS\system32\msoert2.dll
2006-08-11 13:27 97,792 C:\WINDOWS\system32\comrepl.dll
2006-08-11 13:27 956,416 C:\WINDOWS\system32\msdtctm.dll
2006-08-11 13:27 93,696 C:\WINDOWS\system32\tscfgwmi.dll
2006-08-11 13:27 87,176 C:\WINDOWS\system32\rdpwsx.dll
2006-08-11 13:27 85,504 C:\WINDOWS\system32\catsrvps.dll
2006-08-11 13:27 67,072 C:\WINDOWS\system32\rdshost.exe
2006-08-11 13:27 655,360 C:\WINDOWS\system32\mstscax.dll
2006-08-11 13:27 625,152 C:\WINDOWS\system32\catsrvut.dll
2006-08-11 13:27 62,464 C:\WINDOWS\system32\rdpclip.exe
2006-08-11 13:27 60,416 C:\WINDOWS\system32\remotepg.dll
2006-08-11 13:27 6,656 C:\WINDOWS\system32\wuauserv.dll
2006-08-11 13:27 6,144 C:\WINDOWS\system32\msdtc.exe
2006-08-11 13:27 58,880 C:\WINDOWS\system32\msdtclog.dll
2006-08-11 13:27 58,880 C:\WINDOWS\system32\licwmi.dll
2006-08-11 13:27 56,320 C:\WINDOWS\system32\servdeps.dll
2006-08-11 13:27 540,160 C:\WINDOWS\system32\comuid.dll
2006-08-11 13:27 538,624 C:\WINDOWS\system32\spider.exe
2006-08-11 13:27 44,544 C:\WINDOWS\system32\tscupgrd.exe
2006-08-11 13:27 426,496 C:\WINDOWS\system32\msdtcprx.dll
2006-08-11 13:27 407,552 C:\WINDOWS\system32\mstsc.exe
2006-08-11 13:27 38,912 C:\WINDOWS\system32\cfgbkend.dll
2006-08-11 13:27 343,040 C:\WINDOWS\system32\mspaint.exe
2006-08-11 13:27 295,424 C:\WINDOWS\system32\termsrv.dll
2006-08-11 13:27 225,792 C:\WINDOWS\system32\catsrv.dll
2006-08-11 13:27 20,480 C:\WINDOWS\system32\qprocess.exe
2006-08-11 13:27 19,968 C:\WINDOWS\system32\rdpsnd.dll
2006-08-11 13:27 185,344 C:\WINDOWS\system32\cmprops.dll
2006-08-11 13:27 183,808 C:\WINDOWS\system32\accwiz.exe
2006-08-11 13:27 17,408 C:\WINDOWS\system32\mmfutil.dll
2006-08-11 13:27 161,280 C:\WINDOWS\system32\msdtcuiu.dll
2006-08-11 13:27 147,968 C:\WINDOWS\system32\rdchost.dll
2006-08-11 13:27 140,800 C:\WINDOWS\system32\sessmgr.exe
2006-08-11 13:27 131,584 C:\WINDOWS\system32\sndrec32.exe
2006-08-11 13:27 13,824 C:\WINDOWS\system32\rdsaddin.exe
2006-08-11 13:27 123,392 C:\WINDOWS\system32\mplay32.exe
2006-08-11 13:27 110,080 C:\WINDOWS\system32\clbcatex.dll
2006-08-11 13:27 11,776 C:\WINDOWS\system32\xolehlp.dll
2006-08-11 13:27 11,264 C:\WINDOWS\system32\icaapi.dll
2006-08-11 13:27 102,912 C:\WINDOWS\system32\clipbrd.exe
2006-08-11 13:17 74,752 C:\WINDOWS\system32\storprop.dll
2006-08-11 12:40 81,920 C:\WINDOWS\system32\ieencode.dll
2006-08-11 12:38 117,760 C:\WINDOWS\system32\xmllite.dll
2006-08-11 01:43 13,600 C:\WINDOWS\system32\dswm.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-21 12:04 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-08-21 12:04 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-08-21 12:04 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-08-21 12:04 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-08-21 12:04 -------- d-------- C:\Program Files\Grisoft
2006-08-21 12:04 -------- d-------- C:\Documents and Settings\Damian Dela Huerta\Application Data\AVG7
2006-08-21 10:46 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-21 10:37 -------- d-------- C:\Program Files\Spyware Doctor
2006-08-21 10:23 -------- d-------- C:\Documents and Settings\Damian Dela Huerta\Application Data\PC Tools
2006-08-21 04:34 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-21 04:33 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-08-21 04:33 -------- d-------- C:\Program Files\Symantec
2006-08-21 04:33 -------- d-------- C:\Program Files\Norton AntiVirus
2006-08-18 15:11 -------- d-------- C:\Program Files\Norton Internet Security
2006-08-18 15:07 -------- d-------- C:\Program Files\Windows Defender
2006-08-18 11:09 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2006-08-18 10:51 -------- d-------- C:\Program Files\Microsoft Windows OneCare Live
2006-08-18 10:07 -------- d-------- C:\Program Files\Common Files
2006-08-13 03:54 -------- d-------- C:\Program Files\MSXML 4.0
2006-08-12 13:11 -------- d-------- C:\Program Files\Internet Explorer
2006-08-12 13:10 -------- d-------- C:\Program Files\Outlook Express
2006-08-12 13:10 -------- d-------- C:\Program Files\Common Files\System
2006-08-12 00:10 857792 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-08-12 00:10 399552 --a------ C:\WINDOWS\system32\SymRedir.dll
2006-08-12 00:09 38976 --a------ C:\WINDOWS\system32\drivers\symids.sys
2006-08-12 00:09 36544 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2006-08-12 00:09 26560 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2006-08-12 00:09 186432 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2006-08-12 00:08 33600 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2006-08-12 00:08 145344 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2006-08-12 00:08 11968 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2006-08-11 23:21 -------- d-------- C:\Program Files\Windows Media Player
2006-08-11 23:21 -------- d-------- C:\Program Files\Messenger
2006-08-11 23:20 -------- d-------- C:\Program Files\Windows NT
2006-08-11 23:20 -------- d-------- C:\Program Files\NetMeeting
2006-08-11 23:20 -------- d-------- C:\Program Files\Movie Maker
2006-08-11 16:06 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-11 14:17 -------- d-------- C:\Program Files\AvRack
2006-08-11 01:43 13600 --a------ C:\WINDOWS\system32\dswm.dll
2006-08-10 21:37 48824 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-08-10 21:37 108728 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-08-10 02:00 -------- d-------- C:\Documents and Settings\Damian Dela Huerta\Application Data\combustion4
2006-08-08 19:22 275112 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2006-08-08 19:22 243368 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2006-08-08 19:22 24232 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2006-07-28 09:30 63768 --a------ C:\WINDOWS\system32\dxdllreg.exe
2006-07-28 09:30 62744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-07-28 09:30 236824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-12 06:56 73 --a------ C:\WINDOWS\system32\ssprs.dll
2006-07-12 06:56 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2006-07-10 16:38 51072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-07-10 16:38 30592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2006-07-09 13:41 -------- d-------- C:\Documents and Settings\Damian Dela Huerta\Application Data\AdobeUM
2006-05-25 01:22 53248 --a------ C:\WINDOWS\bdoscandel.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""
"NVIDIA nTune"="\"C:\\Program Files\\NVIDIA Corporation\\nTune\\\\nTune.exe\" clear"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"NAV CfgWiz"="\"C:\\Program Files\\Common Files\\Symantec Shared\\OPC\\{31011D49-D90C-4da0-878B-78D28AD507AF}\\CfgWiz.exe\" /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE \"REBOOT\""
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,01,00,00,00,00,00,00,00,06,00,00,94,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"=""
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"=""
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"SoundMan"="SOUNDMAN.EXE"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Mon 08/21/2006 14:13:24.09
ComboFix.txt
ComboFix2.txt
ComboFix3.txt


The computer is running much better, the browser no longer hangs before loading pages, etc., etc.

#15 delahuerta

Posted 21 August 2006 - 02:20 PM

and the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:18:50 PM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Graphics\acro\Distillr\AcroTray.exe
C:\Internet\Trillian\trillian.exe
C:\Utilities\AntiVirusStuff\HijackThis\AnyliseIt.exe

O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe" /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Trillian.lnk = C:\Internet\Trillian\trillian.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Graphics\acro\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Graphics\Adobe\Reader7\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134553508911
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...831/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3515C469-417D-4772-A843-C0A25954F496}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{418528CC-329A-4CBF-BE69-C3354217F694}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{3515C469-417D-4772-A843-C0A25954F496}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
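Added example, not part of this thread and not a HijackThis or ComboFix feature: a small triage script for the kind of log posted above. It parses the O4 (autorun), O20 (Winlogon Notify) and O23 (service) lines and flags the three things a removal helper looks at first in such a log: an entry whose file HijackThis reports as missing, a binary that runs straight out of the Windows root rather than a vendor or system folder, and a service with no recognised vendor ("Unknown owner"). The sample lines are copied from the log above, except the `SM1BG` O4 line, which is constructed from the disabled `Run-` entry in the ComboFix output further up so the Windows-root check has something to fire on. The heuristics and the threshold choices are assumptions; a flag means "look at this", not "this is malware" (the PMJ151LA driver service, for instance, is a legitimate Panasonic component that merely lives in an unusual place).

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT's own code)."""
import re

# Sample lines: copied from the posted log, plus one constructed O4 line
# (SM1BG) derived from the disabled Run- entry in the ComboFix output.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Line shapes as HijackThis 1.99 prints them.
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$')

# First on-disk image in a command line, with or without surrounding quotes.
IMAGE_RE = re.compile(r'^\s*"?(?P<img>[^"]*?\.(?:exe|bin|dll|sys|com|scr))\b', re.IGNORECASE)
# A file sitting directly in C:\WINDOWS (no further subdirectory).
WINDOWS_ROOT_RE = re.compile(r'^[A-Za-z]:\\WINDOWS\\[^\\]+$', re.IGNORECASE)


def extract_image(command):
    """Return the file a log entry actually loads.

    rundll32 is only a host process, so for 'RUNDLL32.EXE x.dll,Entry'
    the interesting file is the DLL, not rundll32 itself.
    """
    m = IMAGE_RE.match(command)
    if not m:
        return command.strip()
    image = m.group('img')
    rest = command[m.end():].lstrip('" ')
    if image.lower().split('\\')[-1] == 'rundll32.exe':
        m2 = IMAGE_RE.match(rest)
        if m2:
            return m2.group('img')
    return image


def triage_line(line):
    """Parse one O4/O20/O23 line; return a dict with its flags, or None if not parsed."""
    line = line.strip()
    for kind, rx in (('O4', O4_RE), ('O20', O20_RE), ('O23', O23_RE)):
        m = rx.match(line)
        if m:
            break
    else:
        return None
    fields = m.groupdict()
    raw = fields.get('cmd') or fields.get('path')
    image = extract_image(raw)
    flags = []
    if '(file missing)' in line:                 # HJT could not find the file on disk
        flags.append('file missing')
    if WINDOWS_ROOT_RE.match(image):             # binary dropped straight into C:\WINDOWS
        flags.append('runs from Windows root')
    if kind == 'O23' and fields['vendor'] == 'Unknown owner':
        flags.append('no vendor')                # no version-info company name on the service image
    return {'kind': kind, 'name': fields['name'], 'image': image, 'flags': flags}


def triage(log_text):
    """Return only the entries that raised at least one flag, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = triage_line(line)
        if entry and entry['flags']:
            findings.append(entry)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<4} {f['name']:<45} {f['image']}\n     -> {', '.join(f['flags'])}")
```

Run against the sample, it reports the constructed `SM1BG` entry and the `PMJ151LA` service for running from the Windows root, and `ccEvtMgr` for both "file missing" and "no vendor"; the NVIDIA, ewido and WgaLogon entries pass. The same three checks apply equally to the `Run`, `Run-` and `sharedtaskscheduler` keys in the ComboFix "Reg Loading Points" dump above; what they cannot do is tell a legitimately odd install (a driver vendor's service in `C:\WINDOWS`) from a dropper, so every flag still needs the file itself checked (signature, version info, a known-good hash) before anything is removed.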



