Lineage Infection, Possibly Others


17 replies to this topic

#1 chinbender

Posted 07 December 2006 - 02:03 PM

I have run AdAware, Spybot and AVG Antivirus several times, including in safe mode. Eventually I get no threats found, but problems are detected after a startup or two. Lineage family threats and plus.vxd were recently found. Strange files show up in my C:\Program Files\Common Files folder (r.exe, z.exe, etc.), iexplore.exe is running upon startup, and CPU usage is abnormally high at times.

Any help is greatly appreciated,
ChinBender


Logfile of HijackThis v1.99.1
Scan saved at 1:51:40 PM, on 12/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\E_S00RP1.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\plusservices.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\winnt\system32\csmss.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\WINNT\system32\ctfmon.exe
C:\Progra~1\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\wftr01\LOCALS~1\Temp\mhsystem.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINNT\system32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [FileFreedom] C:\Program Files\FileFreedom\filefreedom.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [cmssSystemProcess] c:\winnt\system32\csmss.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [\\WADECKI\EPSON Stylus Photo R1800] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P34 "\\WADECKI\EPSON Stylus Photo R1800" /O34 "\\WADECKI\EPSON Stylus Photo R1800" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [AutoRun] C:\Program Files\Internet Explorer\loadie.EXE
O4 - HKLM\..\Run: [mhsystem] C:\DOCUME~1\wftr01\LOCALS~1\Temp\mhsystem.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [sys] C:\WINNT\Intel\rundll32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: LdOglOcx - http://213.168.79.84/otis/opengl/ldoglocx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {421D8233-A58D-4FA4-A426-D6F3799D62C8} - https://projectpoint.buzzsaw.com/!/down...Point-BZ-EN.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/127df6f9dddfa5be0623/netzip/RdxIE2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148584774062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145285178328
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://129.63.200.203/activex/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E286ECF4-4682-4743-8CEC-BED2D415E000}: NameServer = 172.16.30.1,172.16.10.3
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINNT\System32\E_S00RP1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Plus Working Service (PlusService) - Unknown owner - C:\WINNT\system32\plusservices.exe
O23 - Service: RpcService - Unknown owner - C:\WINNT\SYSTEM32\EXPLORE.EXE (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe


#2 -David-

Posted 07 December 2006 - 04:19 PM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions.
There is a possibility some of the instructions will need to be carried out where internet access is not available.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and that you don't miss out any steps.
If you have any queries about the process or just general questions, just ask.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop but do not run it yet.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Please open the Suspicious File Packer now.
Paste the following bold part into the Suspicious File Packer window:

C:\Program Files\Internet Explorer\loadie.EXE
C:\WINNT\Intel\rundll32.exe
C:\WINNT\system32\plusservices.exe
C:\WINNT\system32\EXPLORE.EXE


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Please reboot back into normal mode now.

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A Notepad window will pop up after it's saved; please copy everything in that Notepad and paste it here.

Download and save Blacklight to your desktop.
Double-click blbeta.exe then accept the agreement.
Click on Scan, then click Next.
You'll see a list of all items found.
Do not choose to rename yet! I want to see the log first; legitimate items can also be present.
There is a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.

Please post back with the blacklight log, the uninstall list and a new Hijackthis log.

#3 chinbender

Posted 07 December 2006 - 04:53 PM

Files submitted, I'm working on the logs.

#4 chinbender

Posted 07 December 2006 - 05:14 PM

Thank you for the quick response David. Here is the information you asked for:

BlackLight Log: (BlackLight reports it didn't find any hidden items)

12/07/06 16:53:37 [Info]: BlackLight Engine 1.0.47 initialized
12/07/06 16:53:37 [Info]: OS: 5.0 build 2195 (Service Pack 4)
12/07/06 16:53:38 [Note]: 7019 4
12/07/06 16:53:38 [Note]: 7005 0
12/07/06 16:53:46 [Note]: 7006 0
12/07/06 16:53:46 [Note]: 7011 1128
12/07/06 16:53:46 [Note]: 7026 0
12/07/06 16:53:47 [Note]: 7026 0
12/07/06 16:53:57 [Note]: FSRAW library version 1.7.1020


Uninstall list:

3Com NIC Diagnostics
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Illustrator 10
Adobe Illustrator CS
Adobe InDesign 2.0
Adobe InDesign CS
Adobe Photoshop 6.0
Adobe Reader 8
Adobe SVG Viewer 3.0
Adobe® Photoshop® Album Starter Edition 3.0
AutoCAD 2004
AutoCAD Express Tools Volumes 1-9
Autodesk Express Viewer
Autodesk WHIP! (Release 4.0-102)
AVG Free Edition
CA eTrust Internet Security Suite
Dell ResourceCD
DellTouch
DirectX 8.1 Hotfix - KB839643
Easy CD Creator 5 Basic
EPSON Printer Software
formZ RadioZity v5.5.0
Google Earth
HijackThis 1.99.1
Hotfix for MDAC 2.53 (KB911562)
Image Web Server IE Plugins 1,7,1,43
Intel Ultra ATA Storage Driver
I-Quest 2003
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Macromedia Flash Player 8
Microsoft IntelliPoint
Microsoft Office XP Media Content
Microsoft Office XP Professional
Mozilla Firefox (2.0)
NVIDIA Windows 2000 Display Drivers
Panda ActiveScan
QuickTime for Windows (32-bit)
Security Update for Windows 2000 (KB904706)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB917734)
Sentinel System Driver
Shockwave
Spybot - Search & Destroy 1.4
Update Rollup 1 for Windows 2000 SP4
User's Guides
Viewpoint Media Player
WIBU-KEY Setup (WIBU-KEY Remove)
Winamp (remove only)
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB917008
Windows 2000 Hotfix - KB917422
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Hotfix - KB920213
Windows 2000 Hotfix - KB920670
Windows 2000 Hotfix - KB920683
Windows 2000 Hotfix - KB920685
Windows 2000 Hotfix - KB920958
Windows 2000 Hotfix - KB921398
Windows 2000 Hotfix - KB922616
Windows 2000 Hotfix - KB922760
Windows 2000 Hotfix - KB923191
Windows 2000 Hotfix - KB923414
Windows 2000 Hotfix - KB923980
Windows 2000 Hotfix - KB924191
Windows 2000 Hotfix - KB924270
Windows 2000 Hotfix - KB925486
Windows 2000 Service Pack 4
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)
WinRAR archiver
WinZip
WRPLOT View


HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:52:23 PM, on 12/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\E_S00RP1.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\plusservices.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\winnt\system32\csmss.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\WINNT\system32\ctfmon.exe
C:\Progra~1\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\wftr01\LOCALS~1\Temp\mhsystem.exe
C:\WINNT\Intel\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINNT\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [FileFreedom] C:\Program Files\FileFreedom\filefreedom.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [cmssSystemProcess] c:\winnt\system32\csmss.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [\\WADECKI\EPSON Stylus Photo R1800] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P34 "\\WADECKI\EPSON Stylus Photo R1800" /O34 "\\WADECKI\EPSON Stylus Photo R1800" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [AutoRun] C:\Program Files\Internet Explorer\loadie.EXE
O4 - HKLM\..\Run: [mhsystem] C:\DOCUME~1\wftr01\LOCALS~1\Temp\mhsystem.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [sys] C:\WINNT\Intel\rundll32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: LdOglOcx - http://213.168.79.84/otis/opengl/ldoglocx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {421D8233-A58D-4FA4-A426-D6F3799D62C8} - https://projectpoint.buzzsaw.com/!/down...Point-BZ-EN.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/127df6f9dddfa5be0623/netzip/RdxIE2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148584774062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145285178328
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://129.63.200.203/activex/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E286ECF4-4682-4743-8CEC-BED2D415E000}: NameServer = 172.16.30.1,172.16.10.3
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINNT\System32\E_S00RP1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Plus Working Service (PlusService) - Unknown owner - C:\WINNT\system32\plusservices.exe
O23 - Service: RpcService - Unknown owner - C:\WINNT\SYSTEM32\EXPLORE.EXE (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe



Again thank you, let me know if you need anything else or what the next steps are.
CB

[tomorrow would be great, have a good evening.]

Edited by chinbender, 07 December 2006 - 05:25 PM.


#5 -David-

Posted 07 December 2006 - 05:15 PM

Thanks, I've received the files. I will check for a reply tomorrow.

#6 chinbender

Posted 08 December 2006 - 02:19 PM

Hi David, have you had a chance to review the logs?

#7 -David-

Posted 08 December 2006 - 05:55 PM

Oh sorry, I didn't realise you'd edited the replies.
If you post new replies I will get notified that you have added a post to the thread.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

I see you have Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware since it is installed without users' approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O4 - HKLM\..\Run: [cmssSystemProcess] c:\winnt\system32\csmss.exe
O4 - HKLM\..\Run: [AutoRun] C:\Program Files\Internet Explorer\loadie.EXE
O4 - HKLM\..\Run: [mhsystem] C:\DOCUME~1\wftr01\LOCALS~1\Temp\mhsystem.exe
O4 - HKLM\..\Run: [sys] C:\WINNT\Intel\rundll32.exe
O16 - DPF: LdOglOcx - http://213.168.79.84/otis/opengl/ldoglocx.cab
O16 - DPF: {421D8233-A58D-4FA4-A426-D6F3799D62C8} - https://projectpoint.buzzsaw.com/!/down...Point-BZ-EN.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/127df6f9dddfa5be0623/netzip/RdxIE2.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://129.63.200.203/activex/AxisCamControl.ocx
O23 - Service: Plus Working Service (PlusService) - Unknown owner - C:\WINNT\system32\plusservices.exe
O23 - Service: RpcService - Unknown owner - C:\WINNT\SYSTEM32\EXPLORE.EXE (file missing)


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

c:\winnt\system32\csmss.exe
C:\Program Files\Internet Explorer\loadie.EXE
C:\WINNT\Intel\rundll32.exe
C:\WINNT\system32\plusservices.exe
C:\WINNT\SYSTEM32\EXPLORE.EXE


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and ask if you would like to Reboot now; click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Click Start> Run>and type in: "services.msc"
Click OK.
In the services window find
PlusService
Right-click and choose "Properties". On the General tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File > Exit the Services utility.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":
PlusService

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

Now we have to repeat the steps for another service.
Click Start> Run>and type in: "services.msc"
Click OK.
In the services window find
RpcService
Right-click and choose "Properties". On the General tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File > Exit the Services utility.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":
RpcService

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click OK.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Please download, install, and update AVG antispyware
Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.

After the update finishes (the status bar at the bottom will display "Update successful")
Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine.
Click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan.
This scan can take quite a while to run, so be prepared. Ewido will list any infections found on the left hand side.

When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button.
AVG antispyware will display "All actions have been applied" on the right hand side. Click on "Save Report", then "Save Report As".
This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Close AVG antispyware and reboot!! Please post the log in your next reply.
Also post a new Hijackthis log.

David

#8 chinbender

chinbender
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:51 AM

Posted 11 December 2006 - 09:46 AM

Hi David. I've removed Viewpoint, fixed the 10 entries in HijackThis, removed the five files in Killbox, cleaned temporary internet files, but am having a problem with disabling the services instructions.

I've disabled and deleted 'RpcService'.
From Run > services.msc, 'PlusService' is not there. There is something called 'Plus Working Service' that looks suspicious (the description field font is Wingdings or Symbol). (Win32 DHCP Service and Windows DHCP Service also have this strange font).

Should I disable and delete any of these? After you let me know I'll continue with the rest of your previous instructions: cleaning all temporary files and scanning with AVG Spyware.

Thank you.

Here is the latest HiJack This log FYI:

Logfile of HijackThis v1.99.1
Scan saved at 9:30:39 AM, on 12/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\E_S00RP1.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [FileFreedom] C:\Program Files\FileFreedom\filefreedom.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [\\WADECKI\EPSON Stylus Photo R1800] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P34 "\\WADECKI\EPSON Stylus Photo R1800" /O34 "\\WADECKI\EPSON Stylus Photo R1800" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148584774062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145285178328
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E286ECF4-4682-4743-8CEC-BED2D415E000}: NameServer = 172.16.30.1,172.16.10.3
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINNT\System32\E_S00RP1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Plus Working Service (PlusService) - Unknown owner - C:\WINNT\system32\plusservices.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe

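As an added example (not code from HijackThis, AVG or this thread), a small Python triage script that parses the O23 service and O4 Run lines of the log above and flags the traits acted on in this thread: a service with "Unknown owner", a service whose image is "(file missing)" (the PlusService entry that could not be found under that name in services.msc, because services.msc lists the display name while "Delete an NT Service" wants the key name), and autoruns that name a bare executable resolved via PATH. The sample lines are copied from the log in this post; nothing else is assumed.

```python
"""Triage the O23 (service) and O4 (autorun) lines of a HijackThis 1.99 log.

Added example for this thread, not HijackThis or BleepingComputer code. It
reports the traits a removal helper looks for: a service whose binary carries
no vendor name ("Unknown owner"), a service still registered after its image
file is gone ("(file missing)"), and a Run-key entry that names a bare
executable. For services it prints both the display name (what services.msc
lists) and the key name (what the "Delete an NT Service" box expects).
"""
import re
from typing import Dict, List, Optional

Finding = Dict[str, object]

# O23 - Service: <display name> [(<key name>)] - <owner> - <image path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<command>.+)$")

UNKNOWN_OWNER = "image file carries no vendor name (Unknown owner)"
FILE_MISSING = "service is still registered but its image file is gone"
BARE_COMMAND = "executable given without a path; resolved via PATH at logon"


def parse_service(line: str) -> Optional[Finding]:
    """Split one O23 line into its fields; None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    reasons: List[str] = []
    if m["owner"] == "Unknown owner":
        reasons.append(UNKNOWN_OWNER)
    if m["missing"]:
        reasons.append(FILE_MISSING)
    return {
        "kind": "service",
        "display": m["display"],           # shown in services.msc
        "name": m["key"] or m["display"],  # registry key name, used by "Delete an NT Service"
        "owner": m["owner"],
        "path": m["path"],
        "reasons": reasons,
    }


def parse_autorun(line: str) -> Optional[Finding]:
    """Split one O4 Run-key line; None for other O4 forms (e.g. Global Startup)."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    command = m["command"]
    # The program is either a quoted path or the first whitespace-separated token.
    if command.startswith('"'):
        program = command[1:].split('"', 1)[0]
    else:
        program = command.split()[0]
    reasons = [] if "\\" in program else [BARE_COMMAND]
    return {"kind": "autorun", "name": m["value"], "hive": m["hive"],
            "path": program, "reasons": reasons}


def triage_log(text: str) -> List[Finding]:
    """Return only the entries that earned at least one reason to look closer."""
    findings: List[Finding] = []
    for line in text.splitlines():
        entry = parse_service(line) or parse_autorun(line)
        if entry and entry["reasons"]:
            findings.append(entry)
    return findings


# Sample input: lines copied from the HijackThis log in post #8 above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINNT\System32\E_S00RP1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Plus Working Service (PlusService) - Unknown owner - C:\WINNT\system32\plusservices.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        label = f["display"] if f["kind"] == "service" else f["name"]
        print(f"{f['kind']:<8} {label} [{f['name']}] -> {f['path']}")
        for r in f["reasons"]:
            print(f"         - {r}")
```

"Unknown owner" on its own is only a prompt to look closer (the Netropa keyboard service is legitimate); the combination with "(file missing)" is what marks a service registration left behind after its binary was removed.
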
#9 chinbender

chinbender
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:51 AM

Posted 12 December 2006 - 01:46 PM

Hi David. I've removed Viewpoint, fixed the 10 entries in HijackThis, removed the five files in Killbox, cleaned temporary internet files, disabled and deleted RpcService and PlusService (Plus Working Service, see post above). The cleanmgr hangs after only a few seconds, for a couple of hours. Is there a way to delete temp files manually? If not I can let it run overnight.

I ran AVG AntiVirus which found some more items. No new problems were found by anyone at startup, and the computer is performing well. Here are the requested scans, let me know if there is anything to fix. Thanks, CB.

Logfile of HijackThis v1.99.1
Scan saved at 1:32:25 PM, on 12/12/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\E_S00RP1.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [FileFreedom] C:\Program Files\FileFreedom\filefreedom.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [\\WADECKI\EPSON Stylus Photo R1800] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P34 "\\WADECKI\EPSON Stylus Photo R1800" /O34 "\\WADECKI\EPSON Stylus Photo R1800" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148584774062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145285178328
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E286ECF4-4682-4743-8CEC-BED2D415E000}: NameServer = 172.16.30.1,172.16.10.3
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINNT\System32\E_S00RP1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:01:44 PM 12/12/2006

+ Scan result:



C:\!KillBox\loadie.EXE -> Downloader.Delf.awr : Cleaned with backup (quarantined).
C:\Documents and Settings\wftr01\Local Settings\Temp\g0ld.com -> Downloader.Delf.awr : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.20:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.21:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.22:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.23:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.11:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.33:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.34:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.41:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.42:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.43:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.14:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.15:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.16:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.17:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.18:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.19:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.7:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.8:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.9:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.24:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.25:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.26:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.27:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.28:C:\Documents and Settings\wftr01\Application Data\Mozilla\Firefox\Profiles\vuz728p1.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
C:\WINNT\SYSTEM32\windhcp.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
[1024] C:\WINNT\system32\windhcp.ocx -> Trojan.Agent.abf : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\dllt.dll -> Trojan.Nilage.axk : Cleaned with backup (quarantined).
C:\Program Files\Netropa\Multimedia Keyboard\ovitfjyk.dll -> Trojan.OnLineGames.cw : Cleaned with backup (quarantined).
C:\Program Files\Netropa\Multimedia Keyboard\zkptujhv.dll -> Trojan.OnLineGames.cw : Cleaned with backup (quarantined).
C:\Program Files\Internet Explorer\Plugins\__delete_on_reboot__s_y_s_t_e_m_._s_y_s_ -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
[1240] C:\Program Files\Internet Explorer\PLUGINS\system.sys -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
[1244] C:\Program Files\Internet Explorer\PLUGINS\system.sys -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
[1256] C:\Program Files\Internet Explorer\PLUGINS\system.sys -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
[1264] C:\Program Files\Internet Explorer\PLUGINS\system.sys -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
[1284] C:\Program Files\Internet Explorer\PLUGINS\system.sys -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
[1316] C:\Program Files\Internet Explorer\PLUGINS\system.sys -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
[1320] C:\Program Files\Internet Explorer\PLUGINS\system.sys -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
[1324] C:\Program Files\Internet Explorer\PLUGINS\system.sys -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
[1352] C:\Program Files\Internet Explorer\PLUGINS\system.sys -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
[1356] C:\Program Files\Internet Explorer\PLUGINS\system.sys -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
[1368] C:\Program Files\Internet Explorer\PLUGINS\system.sys -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
[1392] C:\Program Files\Internet Explorer\PLUGINS\system.sys -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
[1396] C:\Program Files\Internet Explorer\PLUGINS\system.sys -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
[1432] C:\Program Files\Internet Explorer\PLUGINS\system.sys -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
[1436] C:\Program Files\Internet Explorer\PLUGINS\system.sys -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
[1440] C:\Program Files\Internet Explorer\PLUGINS\system.sys -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
[1448] C:\Program Files\Internet Explorer\PLUGINS\system.sys -> Trojan.QQPass.pg : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\plus.vxd -> Trojan.QQPass.rr : Cleaned with backup (quarantined).


::Report end

#10 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:09:51 AM

Posted 12 December 2006 - 02:23 PM

This is quite strange, I distinctly remember typing a reply to this thread.
Maybe I'm going mad, but sorry for keeping you waiting. :thumbsup:
Things are looking much better, but no doubt there are a few more things to do.
I see some suspicious entries that were deleted by AVG, running from strange locations.
I want to do a handful of quick scans so I can see a bit deeper inside the PC.

1) Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply.

2) Download and save Blacklight to your desktop.
Double-click blbeta.exe then accept the agreement.
Click on scan then click next,
You'll see a list of all items found.
Do not choose to rename yet! I want to see the log first; legitimate items can also be present.
There is a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.

3) Please perform this online scan: Kaspersky Webscan
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.
When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

We should then be on the final lap of this fix. :flowers:

#11 chinbender

chinbender
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:51 AM

Posted 13 December 2006 - 09:33 AM

Here you go David. As always, thanks for your help.

ComboFix:


bpacb01 - Tue 12/12/2006 15:17:20.28 Service Pack 4
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\wftr01\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-12 to 2006-12-12 ))))))))))))))))))))))))))))))))))


2006-12-12 11:50 3,968 --a------ C:\WINNT\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-12-11 08:59 <DIR> d-------- C:\!KillBox
2006-12-07 13:10 <DIR> d-------- C:\WINNT\SYSTEM32\ActiveScan
2006-12-07 12:48 22,192 --a------ C:\WINNT\SYSTEM32\vsutil_oem1051.dll
2006-12-07 12:48 <DIR> d-a------ C:\WINNT\SYSTEM32\ZoneLabs
2006-12-07 12:47 26,787 --a------ C:\WINNT\SYSTEM32\DRIVERS\vetmonnt.sys
2006-12-07 10:25 <DIR> d-------- C:\Documents and Settings\wftr01\.housecall6.6
2006-12-07 10:02 <DIR> d-------- C:\Program Files\HijackThis
2006-12-07 09:58 <DIR> d-------- C:\WINNT\Intel
2006-12-07 09:57 29,278 --a------ C:\Program Files\Common Files\q.exe
2006-12-07 09:57 29,184 --a------ C:\Program Files\Common Files\r.exe
2006-12-06 11:42 <DIR


2006-11-27 11:34 92,432 --a------ C:\WINNT\SYSTEM32\xactsrv.dll
2006-11-27 11:34 90,384 --a------ C:\WINNT\SYSTEM32\trkwks.dll
2006-11-27 11:34 87,312 --a------ C:\WINNT\SYSTEM32\TASKMGR.EXE
2006-11-27 11:34 83,888 --a------ C:\WINNT\SYSTEM32\vga.dll
2006-11-27 11:34 81,168 --a------ C:\WINNT\SYSTEM32\stobject.dll
2006-11-27 11:34 80,144 --a------ C:\WINNT\SYSTEM32\telnet.exe
2006-11-27 11:34 8,464 --a------ C:\WINNT\SYSTEM32\wshirda.dll
2006-11-27 11:34 79,120 --a------ C:\WINNT\SYSTEM32\winscard.dll
2006-11-27 11:34 74,512 --a------ C:\WINNT\SYSTEM32\wmicore.dll
2006-11-27 11:34 7,440 --a------ C:\WINNT\SYSTEM32\svcpack.dll
2006-11-27 11:34 69,904 --a------ C:\WINNT\SYSTEM32\ws2_32.dll
2006-11-27 11:34 68,368 --a------ C:\WINNT\SYSTEM32\unimdmat.dll
2006-11-27 11:34 62,736 --a------ C:\WINNT\SYSTEM32\sstext3d.scr
2006-11-27 11:34 61,712 --a------ C:\WINNT\SYSTEM32\stisvc.exe
2006-11-27 11:34 59,152 --a------ C:\WINNT\SYSTEM32\winfax.dll
2006-11-27 11:34 55,056 --a------ C:\WINNT\SYSTEM32\tlntsess.exe
2006-11-27 11:34 49,776 --------- C:\WINNT\SYSTEM32\DRIVERS\usbhub20.sys
2006-11-27 11:34 47,888 --a------ C:\WINNT\SYSTEM32\ssbezier.scr
2006-11-27 11:34 42,768 --a------ C:\WINNT\SYSTEM32\webhits.dll
2006-11-27 11:34 419,600 --a------ C:\WINNT\SYSTEM32\ssmaze.scr
2006-11-27 11:34 41,744 --a------ C:\WINNT\SYSTEM32\tcpmon.dll
2006-11-27 11:34 41,744 --a------ C:\WINNT\SYSTEM32\sti.dll
2006-11-27 11:34 41,744 --a------ C:\WINNT\SYSTEM32\ssflwbox.scr
2006-11-27 11:34 4,368 --a------ C:\WINNT\SYSTEM32\winver.exe
2006-11-27 11:34 39,696 --a------ C:\WINNT\SYSTEM32\wsnmp32.dll
2006-11-27 11:34 39,184 --a------ C:\WINNT\SYSTEM32\winsta.dll
2006-11-27 11:34 38,672 --a------ C:\WINNT\SYSTEM32\ssmarque.scr
2006-11-27 11:34 375,568 --a------ C:\WINNT\SYSTEM32\tapi3.dll
2006-11-27 11:34 36,624 --a------ C:\WINNT\SYSTEM32\ssmyst.scr
2006-11-27 11:34 35,600 --a------ C:\WINNT\SYSTEM32\storprop.dll
2006-11-27 11:34 33,040 --a------ C:\WINNT\SYSTEM32\ssstars.scr
2006-11-27 11:34 315,664 --a------ C:\WINNT\SYSTEM32\usp10.dll
2006-11-27 11:34 31,504 --a------ C:\WINNT\SYSTEM32\traffic.dll
2006-11-27 11:34 30,749 --a------ C:\WINNT\SYSTEM32\vbajet32.dll
2006-11-27 11:34 29,968 --a------ C:\WINNT\SYSTEM32\wpnpinst.exe
2006-11-27 11:34 28,400 --a------ C:\WINNT\SYSTEM32\wupdinfo.dll
2006-11-27 11:34 270,608 --a------ C:\WINNT\winhlp32.exe
2006-11-27 11:34 27,920 --a------ C:\WINNT\SYSTEM32\umandlg.dll
2006-11-27 11:34 26,384 --a------ C:\WINNT\SYSTEM32\utildll.dll
2006-11-27 11:34 246,544 --a------ C:\WINNT\SYSTEM32\strmdll.dll
2006-11-27 11:34 24,848 --a------ C:\WINNT\SYSTEM32\sqlwid.dll
2006-11-27 11:34 24,848 --a------ C:\WINNT\SYSTEM32\spdwnw2k.exe
2006-11-27 11:34 239,376 --a------ C:\WINNT\SYSTEM32\winsmon.dll
2006-11-27 11:34 22,800 --a------ C:\WINNT\SYSTEM32\utilman.exe
2006-11-27 11:34 22,752 --a------ C:\WINNT\SYSTEM32\spupdsvc.exe
2006-11-27 11:34 214,288 --a------ C:\WINNT\SYSTEM32\snmpsnap.dll
2006-11-27 11:34 21,776 --a------ C:\WINNT\SYSTEM32\wsock32.dll
2006-11-27 11:34 21,776 --------- C:\WINNT\SYSTEM32\spupdw2k.exe
2006-11-27 11:34 21,264 --a------ C:\WINNT\SYSTEM32\stimon.exe
2006-11-27 11:34 193,296 --a------ C:\WINNT\winrep.exe
2006-11-27 11:34 19,728 --------- C:\WINNT\SYSTEM32\DRIVERS\usbehci.sys
2006-11-27 11:34 187,664 --a------ C:\WINNT\SYSTEM32\thumbvw.dll
2006-11-27 11:34 187,024 --a------ C:\WINNT\SYSTEM32\spcmdcon.sys
2006-11-27 11:34 186,128 --a------ C:\WINNT\SYSTEM32\tlntsvr.exe
2006-11-27 11:34 172,664 --a------ C:\WINNT\SYSTEM32\XENROLL.DLL
2006-11-27 11:34 17,680 --a------ C:\WINNT\SYSTEM32\wshtcpip.dll
2006-11-27 11:34 17,680 --a------ C:\WINNT\SYSTEM32\tftp.exe
2006-11-27 11:34 17,680 --a------ C:\WINNT\SYSTEM32\SNMPAPI.DLL
2006-11-27 11:34 16,144 --a------ C:\WINNT\SYSTEM32\version.dll
2006-11-27 11:34 155,920 --a------ C:\WINNT\SYSTEM32\wavemsp.dll
2006-11-27 11:34 14,608 --a------ C:\WINNT\SYSTEM32\uniplat.dll
2006-11-27 11:34 138,288 --------- C:\WINNT\SYSTEM32\DRIVERS\usbport.sys
2006-11-27 11:34 138,000 --a------ C:\WINNT\SYSTEM32\ss3dfo.scr
2006-11-27 11:34 13,072 --a------ C:\WINNT\SYSTEM32\tcpmib.dll
2006-11-27 11:34 126,736 --a------ C:\WINNT\SYSTEM32\TAPI32.DLL
2006-11-27 11:34 11,536 --a------ C:\WINNT\SYSTEM32\usbmon.dll
2006-11-27 11:34 107,792 --a------ C:\WINNT\SYSTEM32\sndrec32.exe
2006-11-27 11:34 102,160 --a------ C:\WINNT\SYSTEM32\sspipes.scr
2006-11-27 11:34 10,000 --a------ C:\WINNT\SYSTEM32\wshatm.dll
2006-11-27 11:33 99,088 --a------ C:\WINNT\SYSTEM32\modemui.dll
2006-11-27 11:33 97,040 --a------ C:\WINNT\SYSTEM32\rtm.dll
2006-11-27 11:33 96,016 --a------ C:\WINNT\SYSTEM32\msdtclog.dll
2006-11-27 11:33 95,024 --a------ C:\WINNT\SYSTEM32\sfc.dll
2006-11-27 11:33 9,216 --a------ C:\WINNT\SYSTEM32\wuauserv.dll
2006-11-27 11:33 89,600 --a------ C:\WINNT\SYSTEM32\nlhtml.dll
2006-11-27 11:33 85,776 --a------ C:\WINNT\SYSTEM32\smlogsvc.exe
2006-11-27 11:33 85,776 --a------ C:\WINNT\SYSTEM32\ntsdexts.dll
2006-11-27 11:33 831,760 --a------ C:\WINNT\SYSTEM32\mswdat10.dll
2006-11-27 11:33 79,632 --a------ C:\WINNT\SYSTEM32\ntdskcc.dll
2006-11-27 11:33 77,584 --a------ C:\WINNT\SYSTEM32\scripto.dll
2006-11-27 11:33 77,072 --a------ C:\WINNT\SYSTEM32\rsvpsp.dll
2006-11-27 11:33 76,560 --a------ C:\WINNT\SYSTEM32\msw3prt.dll
2006-11-27 11:33 73,488 --a------ C:\WINNT\regedit.exe
2006-11-27 11:33 71,952 --a------ C:\WINNT\SYSTEM32\netui0.dll
2006-11-27 11:33 70,928 --a------ C:\WINNT\SYSTEM32\olethk32.dll
2006-11-27 11:33 7,440 --a------ C:\WINNT\SYSTEM32\sensapi.dll
2006-11-27 11:33 7,440 --a------ C:\WINNT\SYSTEM32\msswchx.exe
2006-11-27 11:33 692,496 --a------ C:\WINNT\SYSTEM32\OPENGL32.DLL
2006-11-27 11:33 69,904 --a------ C:\WINNT\SYSTEM32\mprddm.dll
2006-11-27 11:33 69,392 --a------ C:\WINNT\SYSTEM32\shim.dll
2006-11-27 11:33 68,368 --a------ C:\WINNT\SYSTEM32\regsvc.exe
2006-11-27 11:33 67,344 --a------ C:\WINNT\SYSTEM32\ntdsetup.dll
2006-11-27 11:33 65,601 --a------ C:\WINNT\SYSTEM32\servdeps.dll
2006-11-27 11:33 64,272 --a------ C:\WINNT\SYSTEM32\mswsock.dll
2006-11-27 11:33 63,248 --a------ C:\WINNT\SYSTEM32\RASSCRPT.DLL
2006-11-27 11:33 614,672 --a------ C:\WINNT\SYSTEM32\mswstr10.dll
2006-11-27 11:33 60,688 --a------ C:\WINNT\SYSTEM32\RASCHAP.DLL
2006-11-27 11:33 6,928 --a------ C:\WINNT\SYSTEM32\skdll.dll
2006-11-27 11:33 6,928 --------- C:\WINNT\SYSTEM32\perfvd.exe
2006-11-27 11:33 57,616 --a------ C:\WINNT\SYSTEM32\ntdsapi.dll
2006-11-27 11:33 57,104 --a------ C:\WINNT\SYSTEM32\ocmanage.dll
2006-11-27 11:33 57,104 --a------ C:\WINNT\SYSTEM32\mydocs.dll
2006-11-27 11:33 56,080 --a------ C:\WINNT\SYSTEM32\mprui.dll
2006-11-27 11:33 553,232 --a------ C:\WINNT\SYSTEM32\msrepl40.dll
2006-11-27 11:33 55,568 --------- C:\WINNT\SYSTEM32\authz.dll
2006-11-27 11:33 53,520 --a------ C:\WINNT\SYSTEM32\ntmsapi.dll
2006-11-27 11:33 53,520 --a------ C:\WINNT\SYSTEM32\msjter40.dll
2006-11-27 11:33 53,008 --a------ C:\WINNT\SYSTEM32\packager.exe
2006-11-27 11:33 52,496 --------- C:\WINNT\SYSTEM32\wzcdlg.dll
2006-11-27 11:33 514,320 --a------ C:\WINNT\SYSTEM32\msxml.dll
2006-11-27 11:33 512,272 --a------ C:\WINNT\SYSTEM32\msexch40.dll
2006-11-27 11:33 48,912 --a------ C:\WINNT\SYSTEM32\secur32.dll
2006-11-27 11:33 48,200 --------- C:\WINNT\SYSTEM32\scrdx86.dll
2006-11-27 11:33 48,200 --------- C:\WINNT\SYSTEM32\scrdenrl.dll
2006-11-27 11:33 477,456 --a------ C:\WINNT\SYSTEM32\netshell.dll
2006-11-27 11:33 47,376 --a------ C:\WINNT\SYSTEM32\mprdim.dll
2006-11-27 11:33 47,104 --a------ C:\WINNT\SYSTEM32\MSPRIVS.DLL
2006-11-27 11:33 45,840 --a------ C:\WINNT\SYSTEM32\skeys.exe
2006-11-27 11:33 45,840 --------- C:\WINNT\SYSTEM32\msmqprop.exe
2006-11-27 11:33 444,176 --a------ C:\WINNT\SYSTEM32\oieng400.dll
2006-11-27 11:33 44,816 --a------ C:\WINNT\SYSTEM32\rsm.exe
2006-11-27 11:33 431,888 --a------ C:\WINNT\SYSTEM32\riched20.dll
2006-11-27 11:33 422,160 --a------ C:\WINNT\SYSTEM32\msrd2x40.dll
2006-11-27 11:33 41,232 --a------ C:\WINNT\SYSTEM32\odbcconf.exe
2006-11-27 11:33 41,232 --a------ C:\WINNT\SYSTEM32\odbcconf.dll
2006-11-27 11:33 401,168 --a------ C:\WINNT\SYSTEM32\ntmssvc.dll
2006-11-27 11:33 40,720 --a------ C:\WINNT\SYSTEM32\RESUTILS.DLL
2006-11-27 11:33 4,880 --a------ C:\WINNT\SYSTEM32\NDDEAPIR.EXE
2006-11-27 11:33 4,126 --a------ C:\WINNT\SYSTEM32\msdxmlc.dll
2006-11-27 11:33 38,160 --a------ C:\WINNT\SYSTEM32\sens.dll
2006-11-27 11:33 37,136 --a------ C:\WINNT\SYSTEM32\ODBCAD32.exe
2006-11-27 11:33 36,624 --a------ C:\WINNT\SYSTEM32\RNR20.DLL
2006-11-27 11:33 36,112 --a------ C:\WINNT\SYSTEM32\regapi.dll
2006-11-27 11:33 352,528 --a------ C:\WINNT\SYSTEM32\msjetoledb40.dll
2006-11-27 11:33 35,648 --a------ C:\WINNT\SYSTEM32\ntio411.sys
2006-11-27 11:33 35,408 --a------ C:\WINNT\SYSTEM32\ntio412.sys
2006-11-27 11:33 35,088 --a------ C:\WINNT\SYSTEM32\MSSIGN32.DLL
2006-11-27 11:33 348,432 --a------ C:\WINNT\SYSTEM32\msxbde40.dll
2006-11-27 11:33 348,432 --a------ C:\WINNT\SYSTEM32\mspbde40.dll
2006-11-27 11:33 34,576 --------- C:\WINNT\SYSTEM32\wzcsetup.exe
2006-11-27 11:33 34,544 --a------ C:\WINNT\SYSTEM32\ntio804.sys
2006-11-27 11:33 34,544 --a------ C:\WINNT\SYSTEM32\ntio404.sys
2006-11-27 11:33 33,824 --a------ C:\WINNT\SYSTEM32\NTIO.SYS
2006-11-27 11:33 33,552 --a------ C:\WINNT\SYSTEM32\shmgrate.exe
2006-11-27 11:33 32,016 --a------ C:\WINNT\SYSTEM32\ntdsatq.dll
2006-11-27 11:33 319,760 --a------ C:\WINNT\SYSTEM32\msexcl40.dll
2006-11-27 11:33 315,664 --a------ C:\WINNT\SYSTEM32\msrd3x40.dll
2006-11-27 11:33 29,968 --a------ C:\WINNT\SYSTEM32\ntdsbsrv.dll
2006-11-27 11:33 29,968 --------- C:\WINNT\SYSTEM32\wzcsapi.dll
2006-11-27 11:33 29,456 --a------ C:\WINNT\SYSTEM32\perfproc.dll
2006-11-27 11:33 286,773 --a------ C:\WINNT\SYSTEM32\msvcrt.dll
2006-11-27 11:33 285,456 --a------ C:\WINNT\SYSTEM32\smlogcfg.dll
2006-11-27 11:33 28,432 --a------ C:\WINNT\SYSTEM32\scrnsave.scr
2006-11-27 11:33 28,432 --a------ C:\WINNT\SYSTEM32\ntdsbcli.dll
2006-11-27 11:33 278,800 --a------ C:\WINNT\SYSTEM32\odbcjt32.dll
2006-11-27 11:33 26,896 --a------ C:\WINNT\SYSTEM32\NETSTAT.EXE
2006-11-27 11:33 26,896 --a------ C:\WINNT\SYSTEM32\mtxdm.dll
2006-11-27 11:33 258,320 --a------ C:\WINNT\SYSTEM32\mstext40.dll
2006-11-27 11:33 25,360 --a------ C:\WINNT\SYSTEM32\rsfsaps.dll
2006-11-27 11:33 25,360 --a------ C:\WINNT\SYSTEM32\rapilib.dll
2006-11-27 11:33 241,936 --a------ C:\WINNT\SYSTEM32\msjtes40.dll
2006-11-27 11:33 24,848 --a------ C:\WINNT\SYSTEM32\perfdisk.dll
2006-11-27 11:33 24,848 --a------ C:\WINNT\SYSTEM32\ODBC32GT.dll
2006-11-27 11:33 24,848 --a------ C:\WINNT\SYSTEM32\narrator.exe
2006-11-27 11:33 24,848 --a------ C:\WINNT\SYSTEM32\msdart32.dll
2006-11-27 11:33 24,336 --a------ C:\WINNT\SYSTEM32\rpcns4.dll
2006-11-27 11:33 24,336 --------- C:\WINNT\SYSTEM32\ftpqfe.exe
2006-11-27 11:33 236,304 --a------ C:\WINNT\SYSTEM32\msclus.dll
2006-11-27 11:33 221,456 --a------ C:\WINNT\SYSTEM32\osk.exe
2006-11-27 11:33 22,800 --a------ C:\WINNT\SYSTEM32\routeext.dll
2006-11-27 11:33 218,896 --a------ C:\WINNT\SYSTEM32\mstask.dll
2006-11-27 11:33 214,800 --a------ C:\WINNT\SYSTEM32\objsel.dll
2006-11-27 11:33 213,264 --a------ C:\WINNT\SYSTEM32\msltus40.dll
2006-11-27 11:33 200,976 --a------ C:\WINNT\SYSTEM32\odbccu32.dll
2006-11-27 11:33 20,752 --a------ C:\WINNT\SYSTEM32\sclgntfy.dll
2006-11-27 11:33 20,752 --a------ C:\WINNT\SYSTEM32\odtext32.dll
2006-11-27 11:33 20,752 --a------ C:\WINNT\SYSTEM32\odpdx32.dll
2006-11-27 11:33 20,752 --a------ C:\WINNT\SYSTEM32\odfox32.dll
2006-11-27 11:33 20,752 --a------ C:\WINNT\SYSTEM32\odexl32.dll
2006-11-27 11:33 20,752 --a------ C:\WINNT\SYSTEM32\oddbse32.dll
2006-11-27 11:33 20,208 --a------ C:\WINNT\SYSTEM32\DRIVERS\msircomm.sys
2006-11-27 11:33 198,928 --a------ C:\WINNT\SYSTEM32\rasppp.dll
2006-11-27 11:33 196,880 --a------ C:\WINNT\SYSTEM32\odbccr32.dll
2006-11-27 11:33 195,856 --------- C:\WINNT\SYSTEM32\wzcsvc.dll
2006-11-27 11:33 18,192 --------- C:\WINNT\SYSTEM32\sp4iis.exe
2006-11-27 11:33 176,912 --a------ C:\WINNT\SYSTEM32\rsvp.exe
2006-11-27 11:33 173,840 --a------ C:\WINNT\SYSTEM32\netplwiz.dll
2006-11-27 11:33 173,328 --a------ C:\WINNT\SYSTEM32\ntmsdba.dll
2006-11-27 11:33 17,168 --a------ C:\WINNT\SYSTEM32\secedit.exe
2006-11-27 11:33 165,136 --a------ C:\WINNT\SYSTEM32\ntdsutil.exe
2006-11-27 11:33 164,112 --a------ C:\WINNT\SYSTEM32\OLEPRO32.DLL
2006-11-27 11:33 16,144 --a------ C:\WINNT\SYSTEM32\NDDEAPI.DLL
2006-11-27 11:33 155,920 --a------ C:\WINNT\SYSTEM32\ODBCTRAC.dll
2006-11-27 11:33 155,920 --a------ C:\WINNT\SYSTEM32\msorcl32.dll
2006-11-27 11:33 154,896 --a------ C:\WINNT\SYSTEM32\rasmontr.dll
2006-11-27 11:33 153,872 --a------ C:\WINNT\SYSTEM32\msdtcui.dll
2006-11-27 11:33 151,824 --a------ C:\WINNT\SYSTEM32\pdh.dll
2006-11-27 11:33 151,824 --a------ C:\WINNT\SYSTEM32\msjint40.dll
2006-11-27 11:33 15,120 --a------ C:\WINNT\SYSTEM32\sisbkup.dll
2006-11-27 11:33 147,216 --a------ C:\WINNT\SYSTEM32\dssenh.dll
2006-11-27 11:33 14,608 --a------ C:\WINNT\SYSTEM32\RASSAPI.DLL
2006-11-27 11:33 14,608 --a------ C:\WINNT\SYSTEM32\msswch.dll
2006-11-27 11:33 14,096 --a------ C:\WINNT\SYSTEM32\rsh.exe
2006-11-27 11:33 139,536 --a------ C:\WINNT\SYSTEM32\regedt32.exe
2006-11-27 11:33 134,928 --a------ C:\WINNT\SYSTEM32\rsaenh.dll
2006-11-27 11:33 132,368 --a------ C:\WINNT\SYSTEM32\RSABASE.DLL
2006-11-27 11:33 131,344 --a------ C:\WINNT\SYSTEM32\netid.dll
2006-11-27 11:33 13,824 --a------ C:\WINNT\SYSTEM32\mscpxl32.dLL
2006-11-27 11:33 13,584 --a------ C:\WINNT\SYSTEM32\powrprof.dll
2006-11-27 11:33 13,072 --a------ C:\WINNT\SYSTEM32\spiisupd.exe
2006-11-27 11:33 124,176 --a------ C:\WINNT\SYSTEM32\net1.exe
2006-11-27 11:33 123,152 --a------ C:\WINNT\SYSTEM32\mtxoci.dll
2006-11-27 11:33 116,496 --a------ C:\WINNT\SYSTEM32\msvfw32.dll
2006-11-27 11:33 110,352 --a------ C:\WINNT\SYSTEM32\NETDDE.EXE
2006-11-27 11:33 110,352 --a------ C:\WINNT\SYSTEM32\mycomput.dll
2006-11-27 11:33 110,080 --a------ C:\WINNT\SYSTEM32\offfilt.dll
2006-11-27 11:33 11,984 --------- C:\WINNT\SYSTEM32\DRIVERS\ndisuio.sys
2006-11-27 11:33 11,536 --------- C:\WINNT\SYSTEM32\sptsupd.exe
2006-11-27 11:33 11,024 --a------ C:\WINNT\SYSTEM32\REGSVR32.EXE
2006-11-27 11:33 11,024 --a------ C:\WINNT\SYSTEM32\msrle32.dll
2006-11-27 11:33 108,816 --a------ C:\WINNT\SYSTEM32\msafd.dll
2006-11-27 11:33 108,304 --a------ C:\WINNT\SYSTEM32\rsnotify.exe
2006-11-27 11:33 106,256 --a------ C:\WINNT\SYSTEM32\oleprn.dll
2006-11-27 11:33 105,232 --a------ C:\WINNT\SYSTEM32\rend.dll
2006-11-27 11:33 102,672 --a------ C:\WINNT\SYSTEM32\NTMARTA.DLL
2006-11-27 11:33 100,624 --a------ C:\WINNT\SYSTEM32\rastls.dll
2006-11-27 11:33 10,288 --a------ C:\WINNT\SYSTEM32\DRIVERS\irenum.sys
2006-11-27 11:33 10,000 --a------ C:\WINNT\SYSTEM32\runas.exe
2006-11-27 11:33 1,507,600 --a------ C:\WINNT\SYSTEM32\msjet40.dll
2006-11-27 11:33 1,385,744 --a------ C:\WINNT\SYSTEM32\MSVBVM60.DLL
2006-11-27 11:32 97,552 --a------ C:\WINNT\SYSTEM32\comrepl.dll
2006-11-27 11:32 97,040 --a------ C:\WINNT\SYSTEM32\iasrad.dll
2006-11-27 11:32 97,040 --a------ C:\WINNT\SYSTEM32\clbcatex.dll
2006-11-27 11:32 96,528 --a------ C:\WINNT\SYSTEM32\imm32.dll
2006-11-27 11:32 94,992 --a------ C:\WINNT\SYSTEM32\FAXSVC.EXE
2006-11-27 11:32 92,944 --a------ C:\WINNT\SYSTEM32\faxadmin.dll
2006-11-27 11:32 92,944 --a------ C:\WINNT\SYSTEM32\dskquota.dll
2006-11-27 11:32 92,032 --a------ C:\WINNT\SYSTEM32\KRNL386.EXE
2006-11-27 11:32 90,384 --a------ C:\WINNT\SYSTEM32\CRYPTDLG.DLL
2006-11-27 11:32 840,976 --a------ C:\WINNT\SYSTEM32\mmcndmgr.dll
2006-11-27 11:32 82,704 --a------ C:\WINNT\SYSTEM32\cmnquery.dll
2006-11-27 11:32 80,144 --a------ C:\WINNT\SYSTEM32\faxcom.dll
2006-11-27 11:32 8,976 --a------ C:\WINNT\SYSTEM32\autolfn.exe
2006-11-27 11:32 78,608 --a------ C:\WINNT\SYSTEM32\avifil32.dll
2006-11-27 11:32 78,096 --a------ C:\WINNT\SYSTEM32\aclui.dll
2006-11-27 11:32 77,584 --------- C:\WINNT\SYSTEM32\gpresult.exe
2006-11-27 11:32 76,560 --a------ C:\WINNT\SYSTEM32\hotplug.dll
2006-11-27 11:32 76,048 --a------ C:\WINNT\SYSTEM32\mdhcp.dll
2006-11-27 11:32 75,536 --a------ C:\WINNT\SYSTEM32\iasads.dll
2006-11-27 11:32 74,810 --a------ C:\WINNT\SYSTEM32\atl.dll
2006-11-27 11:32 74,512 --a------ C:\WINNT\SYSTEM32\dsauth.dll
2006-11-27 11:32 73,488 --a------ C:\WINNT\SYSTEM32\irmon.dll
2006-11-27 11:32 72,464 --a------ C:\WINNT\SYSTEM32\isign32.dll
2006-11-27 11:32 7,440 --a------ C:\WINNT\SYSTEM32\control.exe
2006-11-27 11:32 66,832 --a------ C:\WINNT\SYSTEM32\inetpp.dll
2006-11-27 11:32 66,320 --a------ C:\WINNT\SYSTEM32\LOADPERF.DLL
2006-11-27 11:32 63,760 --a------ C:\WINNT\SYSTEM32\CRYPTNET.DLL
2006-11-27 11:32 625,936 --a------ C:\WINNT\SYSTEM32\comuid.dll
2006-11-27 11:32 62,224 --a------ C:\WINNT\SYSTEM32\dfrgfat.exe
2006-11-27 11:32 613,648 --a------ C:\WINNT\SYSTEM32\mmc.exe
2006-11-27 11:32 60,176 --a------ C:\WINNT\SYSTEM32\iassvcs.dll
2006-11-27 11:32 60,176 --a------ C:\WINNT\SYSTEM32\iasnap.dll
2006-11-27 11:32 6,928 --a------ C:\WINNT\SYSTEM32\KBDCA.DLL
2006-11-27 11:32 6,416 --------- C:\WINNT\SYSTEM32\hccoin.dll
2006-11-27 11:32 595,728 --a------ C:\WINNT\SYSTEM32\catsrvut.dll
2006-11-27 11:32 57,296 --a------ C:\WINNT\SYSTEM32\DRIVERS\irda.sys
2006-11-27 11:32 568,592 --a------ C:\WINNT\SYSTEM32\autofmt.exe
2006-11-27 11:32 55,568 --a------ C:\WINNT\SYSTEM32\esentutl.exe
2006-11-27 11:32 55,568 --a------ C:\WINNT\SYSTEM32\CLUSAPI.DLL
2006-11-27 11:32 50,448 --a------ C:\WINNT\SYSTEM32\fdeploy.dll
2006-11-27 11:32 5,904 --a------ C:\WINNT\SYSTEM32\dllhst3g.exe
2006-11-27 11:32 498,717 --a------ C:\WINNT\SYSTEM32\dxmasf.dll
2006-11-27 11:32 49,936 --a------ C:\WINNT\SYSTEM32\ixsso.dll
2006-11-27 11:32 48,400 --a------ C:\WINNT\SYSTEM32\loghours.dll
2006-11-27 11:32 45,328 --a------ C:\WINNT\SYSTEM32\cmstp.exe
2006-11-27 11:32 442,640 --a------ C:\WINNT\SYSTEM32\ipnathlp.dll
2006-11-27 11:32 44,304 --a------ C:\WINNT\SYSTEM32\cryptdll.dll
2006-11-27 11:32 43,792 --a------ C:\WINNT\SYSTEM32\magnify.exe
2006-11-27 11:32 43,280 --a------ C:\WINNT\SYSTEM32\dmutil.dll
2006-11-27 11:32 422,160 --a------ C:\WINNT\SYSTEM32\certmgr.dll
2006-11-27 11:32 42,768 --a------ C:\WINNT\SYSTEM32\dfrgsnap.dll
2006-11-27 11:32 41,744 --a------ C:\WINNT\SYSTEM32\dsfolder.dll
2006-11-27 11:32 41,744 --a------ C:\WINNT\SYSTEM32\colbact.dll
2006-11-27 11:32 402,704 --a------ C:\WINNT\SYSTEM32\cdonts.dll
2006-11-27 11:32 4,368 --a------ C:\WINNT\SYSTEM32\IPROP.DLL
2006-11-27 11:32 380,957 --a------ C:\WINNT\SYSTEM32\expsrv.dll
2006-11-27 11:32 38,912 --a------ C:\WINNT\SYSTEM32\hhsetup.dll
2006-11-27 11:32 374,032 --a------ C:\WINNT\SYSTEM32\JET500.DLL
2006-11-27 11:32 36,112 --a------ C:\WINNT\SYSTEM32\cipher.exe
2006-11-27 11:32 33,040 --a------ C:\WINNT\SYSTEM32\dbmsspxn.dll
2006-11-27 11:32 33,040 --a------ C:\WINNT\SYSTEM32\DBMSSHRN.DLL
2006-11-27 11:32 33,040 --a------ C:\WINNT\SYSTEM32\dbmsadsn.dll
2006-11-27 11:32 316,176 --a------ C:\WINNT\SYSTEM32\dmconfig.dll
2006-11-27 11:32 31,504 --a------ C:\WINNT\SYSTEM32\atmlib.dll
2006-11-27 11:32 306,448 --a------ C:\WINNT\SYSTEM32\dhcpmon.dll
2006-11-27 11:32 305,424 --a------ C:\WINNT\SYSTEM32\gpedit.dll
2006-11-27 11:32 3,856 --a------ C:\WINNT\SYSTEM32\COMCAT.DLL
2006-11-27 11:32 294,672 --a------ C:\WINNT\SYSTEM32\filemgmt.dll
2006-11-27 11:32 291,888 --a------ C:\WINNT\SYSTEM32\atmfd.dll
2006-11-27 11:32 29,456 --a------ C:\WINNT\SYSTEM32\INETMIB1.DLL
2006-11-27 11:32 28,944 --a------ C:\WINNT\SYSTEM32\iasacct.dll
2006-11-27 11:32 28,944 --a------ C:\WINNT\SYSTEM32\dssec.dll
2006-11-27 11:32 269,584 --a------ C:\WINNT\SYSTEM32\iassdo.dll
2006-11-27 11:32 265,488 --a------ C:\WINNT\SYSTEM32\dxmrtp.dll
2006-11-27 11:32 25,872 --a------ C:\WINNT\SYSTEM32\LODCTR.EXE
2006-11-27 11:32 25,872 --a------ C:\WINNT\SYSTEM32\findstr.exe
2006-11-27 11:32 25,872 --a------ C:\WINNT\SYSTEM32\conime.exe
2006-11-27 11:32 246,032 --a------ C:\WINNT\SYSTEM32\localsec.dll
2006-11-27 11:32 246,032 --a------ C:\WINNT\SYSTEM32\icm32.dll
2006-11-27 11:32 243,472 --a------ C:\WINNT\explorer.exe
2006-11-27 11:32 242,960 --a------ C:\WINNT\SYSTEM32\cscui.dll
2006-11-27 11:32 24,848 --a------ C:\WINNT\SYSTEM32\ds32gt.dll
2006-11-27 11:32 23,824 --a------ C:\WINNT\SYSTEM32\at.exe
2006-11-27 11:32 226,576 --a------ C:\WINNT\SYSTEM32\avtapi.dll
2006-11-27 11:32 224,016 --a------ C:\WINNT\SYSTEM32\appmgr.dll
2006-11-27 11:32 221,968 --a------ C:\WINNT\SYSTEM32\devmgr.dll
2006-11-27 11:32 22,800 --a------ C:\WINNT\SYSTEM32\dfsshlex.dll
2006-11-27 11:32 22,288 --a------ C:\WINNT\SYSTEM32\cmutil.dll
2006-11-27 11:32 219,920 --a------ C:\WINNT\SYSTEM32\confmsp.dll
2006-11-27 11:32 21,776 --a------ C:\WINNT\SYSTEM32\HTICONS.DLL
2006-11-27 11:32 206,096 --a------ C:\WINNT\SYSTEM32\infosoft.dll
2006-11-27 11:32 201,488 --a------ C:\WINNT\SYSTEM32\adsnt.dll
2006-11-27 11:32 200,976 --a------ C:\WINNT\SYSTEM32\FONTEXT.DLL
2006-11-27 11:32 20,752 --a------ C:\WINNT\SYSTEM32\iasperf.dll
2006-11-27 11:32 20,752 --a------ C:\WINNT\SYSTEM32\batmeter.dll
2006-11-27 11:32 20,240 --a------ C:\WINNT\SYSTEM32\lpk.dll
2006-11-27 11:32 2,532,112 --a------ C:\WINNT\SYSTEM32\cdosys.dll
2006-11-27 11:32 193,808 --a------ C:\WINNT\SYSTEM32\cmdial32.dll
2006-11-27 11:32 19,728 --a------ C:\WINNT\SYSTEM32\mimefilt.dll
2006-11-27 11:32 187,152 --a------ C:\WINNT\SYSTEM32\eudcedit.exe
2006-11-27 11:32 185,616 --a------ C:\WINNT\SYSTEM32\faxt30.dll
2006-11-27 11:32 182,032 --a------ C:\WINNT\SYSTEM32\activeds.dll
2006-11-27 11:32 18,192 --a------ C:\WINNT\SYSTEM32\LPRMON.DLL
2006-11-27 11:32 18,192 --a------ C:\WINNT\SYSTEM32\hid.dll
2006-11-27 11:32 174,864 --a------ C:\WINNT\SYSTEM32\dmdlgs.dll
2006-11-27 11:32 169,232 --a------ C:\WINNT\SYSTEM32\mobsync.dll
2006-11-27 11:32 165,648 --a------ C:\WINNT\SYSTEM32\catsrv.dll
2006-11-27 11:32 164,112 --a------ C:\WINNT\SYSTEM32\adsnds.dll
2006-11-27 11:32 163,600 --a------ C:\WINNT\SYSTEM32\dmdskmgr.dll
2006-11-27 11:32 163,088 --a------ C:\WINNT\SYSTEM32\h323msp.dll
2006-11-27 11:32 163,088 --a------ C:\WINNT\SYSTEM32\dbghelp.dll
2006-11-27 11:32 16,144 --a------ C:\WINNT\SYSTEM32\diskcopy.dll
2006-11-27 11:32 159,807 --a------ C:\WINNT\SYSTEM32\cmprops.dll
2006-11-27 11:32 159,504 --a------ C:\WINNT\SYSTEM32\iprtrmgr.dll
2006-11-27 11:32 157,968 --a------ C:\WINNT\SYSTEM32\els.dll
2006-11-27 11:32 157,456 --a------ C:\WINNT\SYSTEM32\dsquery.dll
2006-11-27 11:32 156,944 --a------ C:\WINNT\SYSTEM32\ciadmin.dll
2006-11-27 11:32 150,800 --a------ C:\WINNT\SYSTEM32\accwiz.exe
2006-11-27 11:32 15,120 --a------ C:\WINNT\SYSTEM32\faxdrv.dll
2006-11-27 11:32 147,728 --a------ C:\WINNT\SYSTEM32\dmadmin.exe
2006-11-27 11:32 146,192 --a------ C:\WINNT\SYSTEM32\dskquoui.dll
2006-11-27 11:32 145,680 --a------ C:\WINNT\SYSTEM32\DSSBASE.DLL
2006-11-27 11:32 143,872 --a------ C:\WINNT\SYSTEM32\itircl.dll
2006-11-27 11:32 143,632 --a------ C:\WINNT\SYSTEM32\ASYCFILT.DLL
2006-11-27 11:32 14,096 --a------ C:\WINNT\SYSTEM32\diskperf.exe
2006-11-27 11:32 14,096 --a------ C:\WINNT\SYSTEM32\atkctrs.dll
2006-11-27 11:32 138,000 --a------ C:\WINNT\SYSTEM32\INITPKI.DLL
2006-11-27 11:32 135,440 --a------ C:\WINNT\SYSTEM32\certcli.dll
2006-11-27 11:32 130,832 --a------ C:\WINNT\SYSTEM32\logon.scr
2006-11-27 11:32 130,832 --a------ C:\WINNT\SYSTEM32\CLUSTER.EXE
2006-11-27 11:32 13,072 --a------ C:\WINNT\SYSTEM32\dmintf.dll
2006-11-27 11:32 13,072 --a------ C:\WINNT\SYSTEM32\CHKNTFS.EXE
2006-11-27 11:32 128,000 --a------ C:\WINNT\SYSTEM32\itss.dll
2006-11-27 11:32 127,760 --a------ C:\WINNT\SYSTEM32\capesnpn.dll
2006-11-27 11:32 122,368 --a------ C:\WINNT\SYSTEM32\dmdskres.dll
2006-11-27 11:32 122,128 --a------ C:\WINNT\SYSTEM32\idq.dll
2006-11-27 11:32 120,592 --a------ C:\WINNT\SYSTEM32\appmgmts.dll
2006-11-27 11:32 12,048 --a------ C:\WINNT\SYSTEM32\dmserver.dll
2006-11-27 11:32 118,544 --a------ C:\WINNT\SYSTEM32\gptext.dll
2006-11-27 11:32 113,936 --a------ C:\WINNT\SYSTEM32\DCOMCNFG.EXE
2006-11-27 11:32 112,400 --a------ C:\WINNT\SYSTEM32\adsnw.dll
2006-11-27 11:32 111,376 --a------ C:\WINNT\SYSTEM32\mobsync.exe
2006-11-27 11:32 110,864 --a------ C:\WINNT\SYSTEM32\dsuiext.dll
2006-11-27 11:32 102,160 --a------ C:\WINNT\SYSTEM32\mdminst.dll
2006-11-27 11:32 101,136 --a------ C:\WINNT\SYSTEM32\cscdll.dll
2006-11-27 11:32 100,624 --a------ C:\WINNT\SYSTEM32\iassam.dll
2006-11-27 11:32 10,752 --a------ C:\WINNT\hh.exe
2006-11-27 11:32 10,512 --a------ C:\WINNT\SYSTEM32\dmremote.exe
2006-11-27 11:32 10,000 --a------ C:\WINNT\SYSTEM32\lz32.dll
2006-11-27 11:32 1,842,672 --a------ C:\WINNT\SYSTEM32\dtcsetup.exe
2006-11-27 11:32 1,135,376 --a------ C:\WINNT\SYSTEM32\esent.dll
2006-11-27 11:32 1,015,859 --a------ C:\WINNT\SYSTEM32\mfc42.dll
2006-11-27 11:32 1,011,764 --a------ C:\WINNT\SYSTEM32\mfc42u.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-11 09:07 -------- d-a------ C:\Program Files\Internet Explorer
2006-12-08 14:34 -------- d-a------ C:\Program Files\Common Files
2006-12-08 14:16 -------- d-------- C:\Documents and Settings\wftr01\Application Data\AdobeUM
2006-12-08 12:09 -------- d-------- C:\Program Files\Common Files\Adobe
2006-12-07 12:47 629264 --a------ C:\WINNT\SYSTEM32\DRIVERS\VetEFile.sys
2006-12-07 12:47 108592 --a------ C:\WINNT\SYSTEM32\DRIVERS\VetEBoot.sys
2006-12-07 12:46 99880 --a------ C:\WINNT\UnVet32.exe
2006-12-07 12:46 75304 --a------ C:\WINNT\SYSTEM32\VetRedir.dll
2006-12-07 12:46 21032 --a------ C:\WINNT\SYSTEM32\DRIVERS\Vet-Filt.sys
2006-12-07 12:46 15736 --a------ C:\WINNT\SYSTEM32\DRIVERS\VetFDDNT.sys
2006-12-07 12:46 15479 --a------ C:\WINNT\SYSTEM32\DRIVERS\Vet-Rec.sys
2006-12-07 12:46 112168 --a------ C:\WINNT\AVShlExt.dll
2006-12-06 11:42 -------- d-------- C:\Program Files\Adobe
2006-12-06 11:40 -------- d-------- C:\Documents and Settings\wftr01\Application Data\Adobe
2006-12-05 13:39 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-05 13:15 -------- d-------- C:\Program Files\Common Files\Wextech Shared
2006-12-05 12:59 -------- d-------- C:\Documents and Settings\wftr01\Application Data\Aim
2006-12-05 12:57 -------- d-------- C:\Program Files\QuickTime
2006-12-04 18:01 -------- d---s---- C:\Documents and Settings\wftr01\Application Data\Microsoft
2006-12-04 17:25 -------- d-a------ C:\Program Files\Outlook Express
2006-12-04 17:25 -------- d-a------ C:\Program Files\Common Files\SYSTEM
2006-12-04 17:23 -------- d-a------ C:\Program Files\Windows Media Player
2006-12-04 17:21 -------- d-a------ C:\Program Files\Common Files\Microsoft Shared
2006-12-04 17:16 -------- d-a------ C:\Program Files\NetMeeting
2006-12-04 17:09 -------- d-ah----- C:\Program Files\Uninstall Information
2006-11-27 11:42 -------- d-a------ C:\Program Files\Windows NT
2006-10-27 08:44 -------- d-a------ C:\Program Files\Common Files\SERVICES
2006-09-12 06:48 1713536 --a------ C:\WINNT\SYSTEM32\NTKRNLPA.EXE
2006-09-12 06:48 1690880 --a------ C:\WINNT\SYSTEM32\NTOSKRNL.EXE


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="ctfmon.exe"
"\\\\WADECKI\\EPSON Stylus Photo R1800"="C:\\WINNT\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9LA.EXE /P34 \"\\\\WADECKI\\EPSON Stylus Photo R1800\" /M \"Stylus Photo R1800\" /EF \"HKCU\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"POINTER"="point32.exe"
"TCASUTIEXE"="TCAUDIAG -off"
"MULTIMEDIA KEYBOARD"="C:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKeybd.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"FileFreedom"="C:\\Program Files\\FileFreedom\\filefreedom.exe"
"LoadQM"="loadqm.exe"
"CaISSDT"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caissdt.exe\""
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust PestPatrol Anti-Spyware\\PPActiveDetection.exe\""
"QOELOADER"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust Anti-Spam\\QSP-4.0.380.0\\QOELoader.exe\""
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVRID.exe\""
"\\\\WADECKI\\EPSON Stylus Photo R1800"="C:\\WINNT\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9LA.EXE /P34 \"\\\\WADECKI\\EPSON Stylus Photo R1800\" /O34 \"\\\\WADECKI\\EPSON Stylus Photo R1800\" /M \"Stylus Photo R1800\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"Zone Labs Client"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust Personal Firewall\\ca.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,62,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,b5,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{9915CFD1-6b7d-4AC5-ABAC-136924579E91}"=""
"{1A404685-7563-4d02-B0F6-58B308A406A9}"=""
"{C54B4AFB-7A2A-6C3E-BA4D-C20F02941125}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: Tue 2006-12-12 15:19:13.35
C:\ComboFix.txt ... 06-12-12 15:19


Blacklight

12/12/06 15:19:41 [Info]: BlackLight Engine 1.0.47 initialized
12/12/06 15:19:41 [Info]: OS: 5.0 build 2195 (Service Pack 4)
12/12/06 15:19:42 [Note]: 7019 4
12/12/06 15:19:42 [Note]: 7005 0
12/12/06 15:19:46 [Note]: 7006 0
12/12/06 15:19:47 [Note]: 7011 1092
12/12/06 15:19:47 [Note]: 7026 0
12/12/06 15:19:48 [Note]: 7026 0
12/12/06 15:20:00 [Note]: FSRAW library version 1.7.1020
12/12/06 15:28:50 [Note]: 7007 0


Kaspersky

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 13, 2006 9:20:07 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 12/12/2006
Kaspersky Anti-Virus database records: 236278
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 52794
Number of viruses found: 4
Number of infected objects: 19 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:04:52

Infected Object Name / Virus Name / Last Action
C:\!KillBox\plusservices.exe Infected: Trojan-PSW.Win32.QQPass.ru skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\wftr01\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\wftr01\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\wftr01\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\wftr01\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\wftr01\Local Settings\History\History.IE5\MSHist012006121220061213\index.dat Object is locked skipped
C:\Documents and Settings\wftr01\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\wftr01\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\wftr01\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\r.exe Object is locked skipped
C:\Program Files\Netropa\Multimedia Keyboard\aelpflzz.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\Netropa\Multimedia Keyboard\aeqxhrak.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\Netropa\Multimedia Keyboard\bvtmsuzv.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\Netropa\Multimedia Keyboard\dhgyorak.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\Netropa\Multimedia Keyboard\fbpvqmth.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\Netropa\Multimedia Keyboard\gmgamdpd.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\Netropa\Multimedia Keyboard\jceywxxy.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\Netropa\Multimedia Keyboard\myhbcfpu.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\Netropa\Multimedia Keyboard\oehgmrmv.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\Netropa\Multimedia Keyboard\qqosbpbn.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\Netropa\Multimedia Keyboard\rppgutir.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\Netropa\Multimedia Keyboard\sogqbtfa.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\Netropa\Multimedia Keyboard\tjgijvvn.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\Netropa\Multimedia Keyboard\tqzgcvfh.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\Netropa\Multimedia Keyboard\ujtxadlw.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\Netropa\Multimedia Keyboard\vyduzamm.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\plrzevhj.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\DEBUG\ipsecpa.log Object is locked skipped
C:\WINNT\DEBUG\oakley.log Object is locked skipped
C:\WINNT\DEBUG\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\HUGOPENA.ldb Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SCHEDLGU.TXT Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SYSTEM.ALT Object is locked skipped
C:\WINNT\SYSTEM32\windhcp.dll Infected: Trojan.Win32.Agent.abf skipped
C:\WINNT\Temp\ZLT034e9.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\xtemp\backup.pst/Personal Folders/Sent Items/03 Sep 2002 13:07 to bereznicki:RE: Details..html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\xtemp\backup.pst Mail MS Mail: suspicious - 1 skipped

Scan process completed.


HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 9:24:04 AM, on 12/13/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\E_S00RP1.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [FileFreedom] C:\Program Files\FileFreedom\filefreedom.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [\\WADECKI\EPSON Stylus Photo R1800] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P34 "\\WADECKI\EPSON Stylus Photo R1800" /O34 "\\WADECKI\EPSON Stylus Photo R1800" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148584774062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145285178328
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E286ECF4-4682-4743-8CEC-BED2D415E000}: NameServer = 172.16.30.1,172.16.10.3
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINNT\System32\E_S00RP1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\
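
An added worked example (not code from this thread or from any of the scanners it mentions) for reading a report like the Kaspersky one above. It parses the result lines into three classes, so that the many "Object is locked skipped" entries (open system files such as registry hives and event logs, which the scanner could not read) are not mistaken for detections, keeps "Infected:" and "Suspicious:" entries apart, and groups the real detections by directory, which is what makes the cluster of randomly named DLLs under the Netropa folder stand out. The sample lines are constructed from entries on this page; the eight-lowercase-letter filename check is this example's own heuristic, not a scanner feature.

```python
import re
from collections import Counter
from typing import List, NamedTuple

# Constructed sample in the shape of the Kaspersky Online Scanner report above
# (a subset of its "Infected Object Name / Virus Name / Last Action" lines).
SAMPLE_REPORT = r"""
C:\!KillBox\plusservices.exe Infected: Trojan-PSW.Win32.QQPass.ru skipped
C:\Documents and Settings\wftr01\NTUSER.DAT Object is locked skipped
C:\Program Files\Common Files\r.exe Object is locked skipped
C:\Program Files\Netropa\Multimedia Keyboard\aelpflzz.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\Netropa\Multimedia Keyboard\aeqxhrak.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\Program Files\plrzevhj.dll Infected: Trojan-PSW.Win32.OnLineGames.cu skipped
C:\WINNT\SYSTEM32\windhcp.dll Infected: Trojan.Win32.Agent.abf skipped
C:\xtemp\backup.pst/Personal Folders/Sent Items/03 Sep 2002 13:07 to bereznicki:RE: Details..html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\xtemp\backup.pst Mail MS Mail: suspicious - 1 skipped
"""

# One result line is "<path> <verdict> <last action>".  The path may contain
# spaces, so it is matched non-greedily up to one of the verdict phrases the
# scanner emits (the ones on this page plus a couple of common ones).
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<verdict>Infected: \S+|Suspicious: \S+|Object is locked|"
    r"Password-protected|Mail MS Mail: .+?) "
    r"(?P<action>skipped|deleted|disinfected|quarantined)$"
)

# Heuristic (this example's own): an eight-lowercase-letter DLL name, the
# pattern all the OnLineGames detections on this page share.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")


class Finding(NamedTuple):
    path: str
    kind: str    # "infected", "suspicious", "locked" or "other"
    name: str    # detection name, "" for non-detections
    action: str


def parse_report(text: str) -> List[Finding]:
    """Turn the result section of a report into Finding records.
    Lines that are not result lines (headers, separators, statistics) are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        verdict = m.group("verdict")
        if verdict.startswith("Infected: "):
            kind, name = "infected", verdict[len("Infected: "):]
        elif verdict.startswith("Suspicious: "):
            kind, name = "suspicious", verdict[len("Suspicious: "):]
        elif verdict == "Object is locked":
            kind, name = "locked", ""
        else:
            kind, name = "other", verdict
        findings.append(Finding(m.group("path"), kind, name, m.group("action")))
    return findings


def triage(findings: List[Finding]) -> dict:
    """Split findings into what needs removal, what needs a human look,
    and how many entries were merely locked files (noise, not infections)."""
    return {
        "remove": [(f.path, f.name) for f in findings if f.kind == "infected"],
        "review": [(f.path, f.name) for f in findings if f.kind in ("suspicious", "other")],
        "locked": sum(1 for f in findings if f.kind == "locked"),
    }


def directory_clusters(findings: List[Finding]) -> Counter:
    """Number of infected files per directory; several detections in one
    directory usually means a dropper unpacked a set of components there."""
    return Counter(f.path.rsplit("\\", 1)[0] for f in findings if f.kind == "infected")


def random_named_dlls(findings: List[Finding]) -> List[str]:
    """Infected files whose basename looks machine-generated (see RANDOM_DLL_RE)."""
    return [f.path for f in findings
            if f.kind == "infected" and RANDOM_DLL_RE.match(f.path.rsplit("\\", 1)[-1])]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    summary = triage(found)
    print(f"{len(summary['remove'])} to remove, {len(summary['review'])} to review, "
          f"{summary['locked']} locked (ignored)")
    for directory, count in directory_clusters(found).most_common():
        print(f"{count:2d}  {directory}")
    print("random-looking DLL names:", random_named_dlls(found))
```

Run against the full report on this page, the directory count would show sixteen OnLineGames DLLs under the Netropa keyboard folder, which is the list -David- asks to delete in the next post.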

#12 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:09:51 AM

Posted 14 December 2006 - 12:05 PM

Hello there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop but do not run it.

Paste the following bold part into the Suspicious File Packer window:

C:\Program Files\Common Files\q.exe
C:\Program Files\Common Files\r.exe


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

Please open notepad and copy and paste the next bold part into it:
(don't forget to copy and paste REGEDIT4)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9915CFD1-6b7d-4AC5-ABAC-136924579E91}"=-
"{1A404685-7563-4d02-B0F6-58B308A406A9}"=-
"{C54B4AFB-7A2A-6C3E-BA4D-C20F02941125}"=-

Save this as "fix.reg" (choose to save as All Files) and place it on your desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Find and delete the following files:
C:\Program Files\Netropa\Multimedia Keyboard\aelpflzz.dll
C:\Program Files\Netropa\Multimedia Keyboard\aeqxhrak.dll
C:\Program Files\Netropa\Multimedia Keyboard\bvtmsuzv.dll
C:\Program Files\Netropa\Multimedia Keyboard\dhgyorak.dll
C:\Program Files\Netropa\Multimedia Keyboard\fbpvqmth.dll
C:\Program Files\Netropa\Multimedia Keyboard\gmgamdpd.dll
C:\Program Files\Netropa\Multimedia Keyboard\jceywxxy.dll
C:\Program Files\Netropa\Multimedia Keyboard\myhbcfpu.dll
C:\Program Files\Netropa\Multimedia Keyboard\oehgmrmv.dll
C:\Program Files\Netropa\Multimedia Keyboard\qqosbpbn.dll
C:\Program Files\Netropa\Multimedia Keyboard\rppgutir.dll
C:\Program Files\Netropa\Multimedia Keyboard\sogqbtfa.dll
C:\Program Files\Netropa\Multimedia Keyboard\tjgijvvn.dll
C:\Program Files\Netropa\Multimedia Keyboard\tqzgcvfh.dll
C:\Program Files\Netropa\Multimedia Keyboard\ujtxadlw.dll
C:\Program Files\Netropa\Multimedia Keyboard\vyduzamm.dll
C:\Program Files\plrzevhj.dll

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer.
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and empty the Recycle Bin.

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Reboot a final time. I'll get back to you about the files. :thumbsup:

#13 chinbender

  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:51 AM

Posted 14 December 2006 - 01:06 PM

I just uploaded the SFP created files. I have a question about the next step:

Please open notepad and copy and paste the next bold part into it:

(don't forget to copy and paste REGEDIT4)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9915CFD1-6b7d-4AC5-ABAC-136924579E91}"=-
"{1A404685-7563-4d02-B0F6-58B308A406A9}"=-
"{C54B4AFB-7A2A-6C3E-BA4D-C20F02941125}"=-

Save this as "fix.reg" (choose to save as All Files) and place it on your desktop.


What does "...copy and paste REGEDIT4)" mean?

I will try to run clnmgr overnight, however it seems to stall. If there were a way to manually delete the temp folders I could do that straight away.

Thanks,
CB

#14 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:09:51 AM

Posted 14 December 2006 - 04:30 PM

Ok, I had a look at the files and they are indeed bad.
So start by deleting these two:
C:\Program Files\Common Files\q.exe
C:\Program Files\Common Files\r.exe

Sorry I copied the regedit wrong there.
Try and follow the following instructions:
Please open notepad and copy and paste the next bold part into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9915CFD1-6b7d-4AC5-ABAC-136924579E91}"=-
"{1A404685-7563-4d02-B0F6-58B308A406A9}"=-
"{C54B4AFB-7A2A-6C3E-BA4D-C20F02941125}"=-

Save this as "fix.reg" (choose to save as All Files) and place it on your desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Try running cleanmgr in safe mode to start with.
If that doesn't work, please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Try running that, then try cleanmgr again.
Reboot and let me know how the system is running,
I see clean logs here! :thumbsup:

Edited by D-Trojanator, 14 December 2006 - 04:31 PM.
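
A worked example added here (it is not -David-'s or chinbender's code, and not a Windows API) for the fix.reg step, answering the question raised in post #13: the REGEDIT4 line is the header regedit checks before it will merge a file, so a file starting "REGEDIT 4" with a space is not a registry script to it, and each `"{CLSID}"=-` line deletes that value under the key in brackets. The key and the three CLSIDs are the ones from the instructions above; the parser, the header check and the builder are this example's own, and they do not handle multi-line hex(...) data.

```python
import re
from typing import Dict, List, Tuple

# The two headers regedit accepts.  REGEDIT4 is the ANSI-text style used in the
# fix above; the Unicode style has been accepted since Windows 2000.  Anything
# else on the first line (including "REGEDIT 4") is refused as not a registry script.
VALID_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# Key and value names taken from the posted fix (page values, not invented).
SHELL_EXECUTE_HOOKS_KEY = (
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
)
FIX_VALUES = [
    "{9915CFD1-6b7d-4AC5-ABAC-136924579E91}",
    "{1A404685-7563-4d02-B0F6-58B308A406A9}",
    "{C54B4AFB-7A2A-6C3E-BA4D-C20F02941125}",
]

# The fix as it should be saved (constructed from the thread's lines) and the
# variant with the header typo from post #14.
GOOD_FIX = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9915CFD1-6b7d-4AC5-ABAC-136924579E91}"=-
"{1A404685-7563-4d02-B0F6-58B308A406A9}"=-
"{C54B4AFB-7A2A-6C3E-BA4D-C20F02941125}"=-
"""
BAD_FIX = GOOD_FIX.replace("REGEDIT4", "REGEDIT 4", 1)


class RegFileError(ValueError):
    """Raised when the text is not a .reg script this parser understands."""


SECTION_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>"[^"]+"|@)=(?P<data>.+)$')


def header_is_valid(text: str) -> bool:
    """True if the very first line is a header regedit accepts."""
    first = text.splitlines()[0].strip() if text else ""
    return first in VALID_HEADERS


def parse_reg(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse a .reg script into {key: [(value_name, data), ...]}.

    A key written as [-HKEY...] keeps its leading "-" (whole-key deletion); a
    value whose data is "-" is a value deletion.  Lines that are not blank,
    comment, section or single-line value raise RegFileError.
    """
    if not header_is_valid(text):
        first = text.splitlines()[0] if text else "<empty>"
        raise RegFileError(f"bad header {first!r}; expected one of {VALID_HEADERS}")
    parsed: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines()[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                   # blank or comment
        m = SECTION_RE.match(line)
        if m:
            current = m.group("delete") + m.group("key")
            parsed.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            parsed[current].append((m.group("name").strip('"'), m.group("data")))
            continue
        raise RegFileError(f"unparsed line: {line!r}")
    return parsed


def deleted_values(parsed: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """(key, value_name) pairs the script would remove."""
    return [(key, name) for key, values in parsed.items()
            for name, data in values if data == "-"]


def build_delete_values_reg(key: str, value_names: List[str]) -> str:
    """Render a REGEDIT4 script that deletes the named values under one key."""
    lines = ["REGEDIT4", "", f"[{key}]"] + [f'"{name}"=-' for name in value_names]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for label, text in (("good", GOOD_FIX), ("bad", BAD_FIX)):
        try:
            print(label, "->", deleted_values(parse_reg(text)))
        except RegFileError as err:
            print(label, "->", err)
```

Checking a fix file this way before double-clicking it is cheap insurance: a rejected header leaves the hooks in place while the rest of the cleanup proceeds as if they were gone.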


#15 chinbender

  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:51 AM

Posted 15 December 2006 - 11:43 AM

The system seems to be running fine, although I am not positive the registry change took place correctly. When double clicking on the fix.reg, it asked me to add the files to the registry. (It did not ask me to merge the files.) I clicked yes.

Adaware finds two of the registry entries as problems, and also finds two other problems. I did not tell Adaware to fix these issues, since we were just working with the registry I wanted your advice first.

Let me know if there is anything else I should do. Thank you,

CB


Ad-Aware SE Build 1.06r1
Logfile Created on:Friday, December 15, 2006 11:15:20 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R136 04.12.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Adware.BHO(generic)(TAC index:3):11 total references
Win32.Trojan.Agent(TAC index:10):1 total references
Win32.Trojan.Delf(TAC index:10):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


12-15-2006 11:15:20 AM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 180
ThreadCreationTime : 12-15-2006 4:07:56 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 204
ThreadCreationTime : 12-15-2006 4:08:01 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 200
ThreadCreationTime : 12-15-2006 4:08:03 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 252
ThreadCreationTime : 12-15-2006 4:08:04 PM
BasePriority : Normal
FileVersion : 5.00.2195.7035
ProductVersion : 5.00.2195.7035
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 264
ThreadCreationTime : 12-15-2006 4:08:04 PM
BasePriority : Normal
FileVersion : 5.00.2195.7011
ProductVersion : 5.00.2195.7011
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 440
ThreadCreationTime : 12-15-2006 4:08:08 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:7 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 472
ThreadCreationTime : 12-15-2006 4:08:08 PM
BasePriority : Normal
FileVersion : 5.00.2195.7059
ProductVersion : 5.00.2195.7059
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe

#:8 [nhksrv.exe]
FilePath : C:\Program Files\Netropa\Multimedia Keyboard\
ProcessID : 500
ThreadCreationTime : 12-15-2006 4:08:08 PM
BasePriority : Normal


#:9 [guard.exe]
FilePath : C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\
ProcessID : 516
ThreadCreationTime : 12-15-2006 4:08:09 PM
BasePriority : Normal
FileVersion : 7, 5, 0, 47
ProductVersion : 7, 5, 0, 47
ProductName : AVG Anti-Spyware
CompanyName : Anti-Malware Development a.s.
FileDescription : AVG Anti-Spyware guard
InternalName : AVG Anti-Spyware guard
LegalCopyright : Copyright © 2006 Anti-Malware Development a.s.
OriginalFilename : guard.exe

#:10 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 528
ThreadCreationTime : 12-15-2006 4:08:09 PM
BasePriority : Normal
FileVersion : 7.5.0.420
ProductVersion : 7.5.0.420
ProductName : AVG 7.5 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:11 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 556
ThreadCreationTime : 12-15-2006 4:08:10 PM
BasePriority : Normal
FileVersion : 7.5.0.420
ProductVersion : 7.5.0.420
ProductName : AVG 7.5 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:12 [cisvc.exe]
FilePath : C:\WINNT\System32\
ProcessID : 580
ThreadCreationTime : 12-15-2006 4:08:10 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : cisvc.exe

#:13 [e_s00rp1.exe]
FilePath : C:\WINNT\System32\
ProcessID : 624
ThreadCreationTime : 12-15-2006 4:08:12 PM
BasePriority : Normal
FileVersion : 2.03
ProductVersion : 2.03
ProductName : EPSON Status Monitor 3
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Status Monitor 3
InternalName : E_S00RP1
LegalCopyright : Copyright © SEIKO EPSON CORP. 2004
OriginalFilename : E_S00RP1.EXE

#:14 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 636
ThreadCreationTime : 12-15-2006 4:08:12 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:15 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ProcessID : 672
ThreadCreationTime : 12-15-2006 4:08:14 PM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe

#:16 [nvsvc32.exe]
FilePath : C:\WINNT\System32\
ProcessID : 696
ThreadCreationTime : 12-15-2006 4:08:14 PM
BasePriority : Normal
FileVersion : 6.13.10.2311
ProductVersion : 6.13.10.2311
ProductName : NVIDIA Driver Helper Service, Version 23.11
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 23.11
InternalName : NVSVC
LegalCopyright : Copyright © 1998-2001 NVIDIA Corporation
OriginalFilename : nvsvc32.exe

#:17 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 736
ThreadCreationTime : 12-15-2006 4:08:14 PM
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:18 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 772
ThreadCreationTime : 12-15-2006 4:08:15 PM
BasePriority : Normal
FileVersion : 4.71.2195.6972
ProductVersion : 4.71.2195.6972
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:19 [vetmsg.exe]
FilePath : C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\
ProcessID : 848
ThreadCreationTime : 12-15-2006 4:08:16 PM
BasePriority : Normal
FileVersion : Version 7.1.6.0
ProductVersion : Version 7.1.6.0
ProductName : Computer Associates Antivirus
CompanyName : Computer Associates International, Inc.
FileDescription : CA Antivirus Realtime Messaging Service
InternalName : vetmsg
LegalCopyright : © 2004 Computer Associates International, Inc.
LegalTrademarks : Trademark of Computer Associates International, Inc.
OriginalFilename : vetmsg.exe

#:20 [vsmon.exe]
FilePath : C:\WINNT\SYSTEM32\ZoneLabs\
ProcessID : 676
ThreadCreationTime : 12-15-2006 4:08:18 PM
BasePriority : Normal
FileVersion : 5.5.114.000
ProductVersion : 5.5.114.000
ProductName : TrueVector Service
CompanyName : Zone Labs, LLC
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 1998-2005, Zone Labs, LLC
OriginalFilename : vsmon.exe

#:21 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 908
ThreadCreationTime : 12-15-2006 4:08:53 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:22 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 1132
ThreadCreationTime : 12-15-2006 4:09:13 PM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:23 [point32.exe]
FilePath : C:\Program Files\Microsoft Hardware\Mouse\
ProcessID : 1296
ThreadCreationTime : 12-15-2006 4:09:22 PM
BasePriority : Normal


#:24 [mmkeybd.exe]
FilePath : C:\Program Files\Netropa\Multimedia Keyboard\
ProcessID : 1288
ThreadCreationTime : 12-15-2006 4:09:23 PM
BasePriority : Normal
FileVersion : 1.00
ProductVersion : 1.00
ProductName : DellTouch Programmable Keys
CompanyName : Netropa Corp.
FileDescription : Netropa™ Hot Key
InternalName : DellTouch Programmable Keys
LegalCopyright : Copyright © 2000 Netropa Corp.
OriginalFilename : nhk.exe

#:25 [directcd.exe]
FilePath : C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\
ProcessID : 1304
ThreadCreationTime : 12-15-2006 4:09:24 PM
BasePriority : Normal
FileVersion : 5.1.1.210
ProductVersion : 5.1.1.210
ProductName : DirectCD
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright © 2001-2002, Roxio, Inc.
OriginalFilename : Directcd.exe

#:26 [mmusbkb2.exe]
FilePath : C:\Program Files\Netropa\Multimedia Keyboard\
ProcessID : 1328
ThreadCreationTime : 12-15-2006 4:09:24 PM
BasePriority : Normal
FileVersion : 1.70
ProductVersion : 1.70
ProductName : USB Multimedia Keyboard Driver 2
CompanyName : Netropa Corporation
FileDescription : USB Multimedia Keyboard Driver 2
InternalName : mmusbkb2
LegalCopyright : Copyright © 1998-2000 Netropa Corporation
OriginalFilename : mmusbkb2.exe

#:27 [caissdt.exe]
FilePath : C:\Program Files\CA\eTrust Internet Security Suite\
ProcessID : 1340
ThreadCreationTime : 12-15-2006 4:09:25 PM
BasePriority : Normal
FileVersion : Version 2.0.1.0
ProductVersion : Version 2.0.1.0
ProductName : Computer Associates Dashboard Tray
CompanyName : Computer Associates International, Inc.
FileDescription : CA ISS Dashboard Tray
InternalName : CAISSDT
LegalCopyright : Copyright © 2005 Computer Associates International, Inc. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.
OriginalFilename : CAISSDT.exe

#:28 [traymon.exe]
FilePath : C:\Program Files\Netropa\Multimedia Keyboard\
ProcessID : 1356
ThreadCreationTime : 12-15-2006 4:09:25 PM
BasePriority : Normal


#:29 [osd.exe]
FilePath : C:\Program Files\Netropa\Onscreen Display\
ProcessID : 1364
ThreadCreationTime : 12-15-2006 4:09:25 PM
BasePriority : Normal
FileVersion : 2.01
ProductVersion : 2.01
ProductName : Onscreen Display
CompanyName : Netropa Corp.
FileDescription : Netropa™ Onscreen Display
InternalName : OSD
LegalCopyright : Copyright © 2000 Netropa Corp.
OriginalFilename : osd.exe

#:30 [ppactivedetection.exe]
FilePath : C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\
ProcessID : 1368
ThreadCreationTime : 12-15-2006 4:09:26 PM
BasePriority : Normal
FileVersion : 8, 0, 0, 3
ProductVersion : 8, 0, 0, 3
ProductName : eTrust PestPatrol
CompanyName : Computer Associates
FileDescription : eTrust PestPatrol background protection application
InternalName : PPActiveDetection
LegalCopyright : © 2005 Computer Associates International, Inc.
LegalTrademarks : PestPatrol®, eTrust™, Center for Pest Research™
OriginalFilename : PPActiveDetection.EXE
Comments : The advanced technology is brought to you by the fine eTrust PestPatrol product development team

#:31 [qoeloader.exe]
FilePath : C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\
ProcessID : 1384
ThreadCreationTime : 12-15-2006 4:09:27 PM
BasePriority : Normal
FileVersion : 4.0.380.0
ProductVersion : 4.0.380.0
ProductName : QOELoader Application
CompanyName : Computer Associates, Inc.
FileDescription : QOELoader Application
InternalName : QOELoader
LegalCopyright : Copyright © 2002-2005 Computer Associates, Inc. All rights reserved.
OriginalFilename : QOELoader.exe

#:32 [cavtray.exe]
FilePath : C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\
ProcessID : 1404
ThreadCreationTime : 12-15-2006 4:09:28 PM
BasePriority : Normal
FileVersion : Version 7.1.6.0
ProductVersion : Version 7.1.6.0
ProductName : Computer Associates Antivirus
CompanyName : Computer Associates International, Inc.
FileDescription : CA Antivirus System Tray Application
InternalName : CAVTray
LegalCopyright : © 2004 Computer Associates International, Inc.
LegalTrademarks : Trademark of Computer Associates International, Inc.
OriginalFilename : CAVTray.exe

#:33 [cavrid.exe]
FilePath : C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\
ProcessID : 1412
ThreadCreationTime : 12-15-2006 4:09:28 PM
BasePriority : Normal
FileVersion : Version 7.1.6.0
ProductVersion : Version 7.1.6.0
ProductName : Computer Associates Antivirus
CompanyName : Computer Associates International, Inc.
FileDescription : CA Antivirus Realtime Infection Report
InternalName : CAVRid
LegalCopyright : © 2004 Computer Associates International, Inc.
LegalTrademarks : Trademark of Computer Associates International, Inc.
OriginalFilename : CAVRid.exe

#:34 [e_fati9la.exe]
FilePath : C:\WINNT\System32\spool\DRIVERS\W32X86\3\
ProcessID : 1420
ThreadCreationTime : 12-15-2006 4:09:29 PM
BasePriority : Normal
FileVersion : 3.00
ProductVersion : 3.00
ProductName : EPSON Status Monitor 3
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Status Monitor 3
InternalName : E_S5I2L1
LegalCopyright : Copyright © SEIKO EPSON CORP. 2004
OriginalFilename : E_S5I2L1.EXE

#:35 [avgcc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1444
ThreadCreationTime : 12-15-2006 4:09:29 PM
BasePriority : Normal
FileVersion : 7.5.0.418
ProductVersion : 7.5.0.418
ProductName : AVG 7.5 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:36 [ca.exe]
FilePath : C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\
ProcessID : 1436
ThreadCreationTime : 12-15-2006 4:09:31 PM
BasePriority : Normal
FileVersion : 5.5.114.000
ProductVersion : 5.5.114.000
ProductName : eTrust Security
CompanyName : Computer Associates
FileDescription : CA eTrust Security Software
InternalName : OEM 1051
LegalCopyright : © 2005, Computer Associates
OriginalFilename : CA

#:37 [avgas.exe]
FilePath : C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\
ProcessID : 1528
ThreadCreationTime : 12-15-2006 4:09:37 PM
BasePriority : Normal
FileVersion : 7, 5, 0, 50
ProductVersion : 7, 5, 0, 50
ProductName : AVG Anti-Spyware
CompanyName : Anti-Malware Development a.s.
FileDescription : AVG Anti-Spyware
InternalName : AVG Anti-Spyware
LegalCopyright : Copyright © 2006 Anti-Malware Development a.s.
OriginalFilename : avgas.exe

#:38 [kmw_run.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1536
ThreadCreationTime : 12-15-2006 4:09:38 PM
BasePriority : Normal
FileVersion : 6.22.4.1
ProductVersion : 6.22.4.1
ProductName : KMW
CompanyName : Kensington Technology Group
FileDescription : Kensington MouseWorks Win32 Support
InternalName : KMW_RUN.EXE
LegalCopyright : Copyright ©2004 ACCO Brands, Inc.
OriginalFilename : KMW_RUN.EXE
Comments : Kensington MouseWorks

#:39 [ctfmon.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1556
ThreadCreationTime : 12-15-2006 4:09:39 PM
BasePriority : Normal
FileVersion : 1.00.2409.7 built by: Lab06_N
ProductVersion : 1.00.2409.7
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : Cicero Loader
InternalName : CICLOAD
LegalCopyright : Copyright © Microsoft Corporation. 1981-2001
OriginalFilename : CICLOAD.EXE

#:40 [kmw_show.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1084
ThreadCreationTime : 12-15-2006 4:09:41 PM
BasePriority : Normal


#:41 [acrotray.exe]
FilePath : C:\Program Files\Adobe\Acrobat 6.0\Distillr\
ProcessID : 1560
ThreadCreationTime : 12-15-2006 4:09:41 PM
BasePriority : Normal
FileVersion : 6.0.0.2003051500
ProductVersion : 6.0.0.0
ProductName : AcroTray - Adobe Acrobat Distiller helper application.
CompanyName : Adobe Systems Inc.
FileDescription : AcroTray
InternalName : AcroTray
LegalCopyright : Copyright 1984-2003 Adobe Systems Incorporated and its licensors. All rights reserved.
OriginalFilename : AcroTray.exe

#:42 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 820
ThreadCreationTime : 12-15-2006 4:15:05 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Adware.BHO(generic) Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{ce7c3cf0-4b15-11d1-abed-709549c10000}

Win32.Trojan.Agent Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{1a404685-7563-4d02-b0f6-58b308a406a9}

Win32.Trojan.Delf Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{9915cfd1-6b7d-4ac5-abac-136924579e91}

Adware.BHO(generic) Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{ce7c3cf0-4b15-11d1-abed-709549c10000}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 4


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 4




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Adware.BHO(generic) Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet account manager\accounts\bigfoot

Adware.BHO(generic) Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet account manager\accounts\bigfoot
Value : Account Name

Adware.BHO(generic) Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet account manager\accounts\bigfoot
Value : LDAP Server

Adware.BHO(generic) Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet account manager\accounts\bigfoot
Value : LDAP URL

Adware.BHO(generic) Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet account manager\accounts\bigfoot
Value : LDAP Search Return

Adware.BHO(generic) Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet account manager\accounts\bigfoot
Value : LDAP Timeout

Adware.BHO(generic) Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet account manager\accounts\bigfoot
Value : LDAP Authentication

Adware.BHO(generic) Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet account manager\accounts\bigfoot
Value : LDAP Simple Search

Adware.BHO(generic) Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet account manager\accounts\bigfoot
Value : LDAP Logo

Win32.Trojan.Delf Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\ms\qqhooker6

Win32.Trojan.Delf Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\ms\qqhooker6
Value : DXown

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 11
Objects found so far: 15

11:21:22 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:06:02.0
Objects scanned:110164
Objects identified:15
Objects ignored:0
New critical objects:15


And the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:24:42 AM, on 12/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\E_S00RP1.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\kmw_run.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\KMW_SHOW.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IEHlprObjClass - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Kensington\MouseWorks\IE_KMW.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [FileFreedom] C:\Program Files\FileFreedom\filefreedom.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [\\WADECKI\EPSON Stylus Photo R1800] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P34 "\\WADECKI\EPSON Stylus Photo R1800" /O34 "\\WADECKI\EPSON Stylus Photo R1800" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1148584774062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145285178328
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E286ECF4-4682-4743-8CEC-BED2D415E000}: NameServer = 172.16.30.1,172.16.10.3
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINNT\System32\E_S00RP1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
