
System32:lzx32.sys And Rustbfix.exe Problems!


This topic is locked
24 replies to this topic

#1 indarkflames (Members, 50 posts)

Posted 19 January 2007 - 07:41 PM

I originally posted my problem here:
http://www.bleepingcomputer.com/forums/t/78588/serious-problem-regarding-rustbfixexe/

"Alright, yesterday I got a bunch of spyware and virus infections. I have been fixing them, but today I keep getting a System32:Lzx32.sys BSOD. I would log in to XP, and within a few minutes the BSOD would pop up, forcing me to reboot. I did research on this on Google (on another computer) and I came upon this page:
http://www.bleepingcomputer.com/forums/t/77339/system32-lzx32sys/

So, like it states on that page, I downloaded rustbfix.exe and combofix.exe and I ran rustbfix.exe. Rustbfix.exe said something like "the first step has been fixed, now reboot to activate Avenger on startup", or something along that line. I rebooted. Now, even in safe mode, whenever I log in to XP, a command prompt pops up and just sits there. It's the only thing on the screen besides my wallpaper. When I close the command prompt, there is nothing on the desktop, not even any toolbars or the start bar, yet I can press Control+Alt+Delete.

PLEASE, any kind of help will be appreciated!

Also, BTW, when I execute explorer.exe from the command prompt, it pops up "My Documents" and I am able to browse through my computer, but of course I do not know what to do."

Logfile of HijackThis v1.99.1
Scan saved at 4:36:22 PM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\coolstuff\programs\programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F2 - REG:system.ini: Shell=cmd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jrcwqkt.exe
O1 - Hosts: 64.34.77.24 L2authd.lineage2.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E} - (no file)
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [eqbuhg] c:\windows\system32\eqbuhg.exe eqbuhg
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [impcykjn] C:\a^vkyvna.bat
O4 - HKCU\..\Run: [Kana WallChanger] "C:\Program Files\Kana WallChanger\KanaWall.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{362E3676-8D7F-4BD0-AF31-9C3F6FD5D402}: NameServer = 66.35.255.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FA30A05-A150-4C5E-B1C9-82DA32A97131}: NameServer = 66.35.255.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{500653DB-7091-40CE-9FAD-AA3AD3FE2549}: NameServer = 66.35.255.12
O17 - HKLM\System\CS4\Services\Tcpip\..\{362E3676-8D7F-4BD0-AF31-9C3F6FD5D402}: NameServer = 66.35.255.12
O17 - HKLM\System\CS5\Services\Tcpip\..\{362E3676-8D7F-4BD0-AF31-9C3F6FD5D402}: NameServer = 66.35.255.12
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
O21 - SSODL: CDRecorder029 - {A3BC5E20-0235-1ABF-9CE1-00AA00512029} - (no file)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe


#2 miekiemoes (Malware Killer Dog; Malware Response Team, 19,420 posts; Belgium)

Posted 20 January 2007 - 01:30 PM

Hi,

Your system is terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused. Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since finding the right cause and solution would be like searching for a needle in a haystack.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

I already see the reason why cmd starts up instead of explorer: that has been modified in the shell value. We can fix this using HijackThis, because HijackThis will set it back to the default, shell=explorer.
Not sure if malware set the cmd value there, though; I haven't seen this before caused by malware. I did see this before, but that was because someone tinkered with these values in the registry.

Anyway, perform next steps..

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F2 - REG:system.ini: Shell=cmd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jrcwqkt.exe
O2 - BHO: (no name) - {B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E} - (no file)
O4 - HKLM\..\Run: [eqbuhg] c:\windows\system32\eqbuhg.exe eqbuhg
O4 - HKLM\..\Run: [impcykjn] C:\a^vkyvna.bat
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
O21 - SSODL: CDRecorder029 - {A3BC5E20-0235-1ABF-9CE1-00AA00512029} - (no file)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

REBOOT your computer.

I see you are also dealing with the "egdaccess dialer", but it looks like this one isn't active anymore since it's visible in your log, however, we'll check that afterwards..

* Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover.
Save it in the same folder you made earlier (c:\BFU).

Copy the lines below into Notepad and save it as aftermath.bfu
Save it in the same folder you made earlier (c:\BFU) and set Filetype to "All files"

RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eqbuhg
RegDelValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run|eqbuhg
FileDelete %SYSDIR%\eqbuhg_navps.dat
FileDelete %SYSDIR%\eqbuhg_nav.dat
FileDelete %SYSDIR%\eqbuhg.dat
FileDelete %SYSDIR%\eqbuhg.exe
FileDelete %SYSDIR%\eqbuhg_m2s.xml
FileDelete %WINDIR%\eqbuhg.exe-*.pf


So now there should be three files present in the C:\BFU-folder:

- EGDACCESS.bfu
- aftermath.bfu (the one you created)
- BFU.exe

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the "scriptline to execute" field click the folder icon and select EGDACCESS.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Behind the "scriptline to execute" field click the folder icon again and this time select aftermath.bfu
  • Press Execute and let it do its job.
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot your computer.

After reboot, Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found, if any, so don't worry if it tells you that no files were found.
In case hidden files were found, don't choose rename yet! I want to see the log first, because legit items can also be present there.
There should also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
I need that log later.

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog and the log from Blacklight.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
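The fix list above is built by reading the HijackThis log for a few entry classes: a Winlogon Shell that is not explorer.exe, a second program chained after userinit.exe, Run values with random-looking names, per-interface NameServer entries, and hooks or services whose file is already gone. The following is an added example, not part of the thread and not HijackThis code: it runs those same checks over lines copied from the log in post #1. The trusted-resolver set and the "random name" heuristic are my own assumptions.

```python
"""Triage HijackThis log lines for the entry classes fixed above.
Added example; TRUSTED_NAMESERVERS and the O4 name heuristic are assumptions."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the log posted in post #1.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=cmd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jrcwqkt.exe
O2 - BHO: (no name) - {B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [eqbuhg] c:\windows\system32\eqbuhg.exe eqbuhg
O4 - HKLM\..\Run: [impcykjn] C:\a^vkyvna.bat
O17 - HKLM\System\CCS\Services\Tcpip\..\{362E3676-8D7F-4BD0-AF31-9C3F6FD5D402}: NameServer = 66.35.255.12
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
O21 - SSODL: CDRecorder029 - {A3BC5E20-0235-1ABF-9CE1-00AA00512029} - (no file)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumed: the resolvers this machine is expected to use (placeholder address).
TRUSTED_NAMESERVERS = {"192.168.1.1"}

# Heuristic (assumption): dropper-style Run value names are short runs of
# lowercase letters that equal the executable's own stem (eqbuhg -> eqbuhg.exe).
RANDOM_NAME = re.compile(r"^[a-z]{6,8}$")


@dataclass
class Finding:
    line: str
    reason: str


def first_token(cmd):
    """Return the program part of a Run command, honouring a quoted path."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def check_f2(line):
    """Winlogon Shell must be explorer.exe; Userinit must be userinit.exe alone."""
    m = re.match(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", line)
    if not m:
        return None
    key, val = m.group(1), m.group(2).strip()
    if key == "Shell" and val.lower() != "explorer.exe":
        return f"Winlogon Shell is {val!r}, expected explorer.exe"
    if key == "UserInit":
        parts = [p.strip() for p in val.split(",") if p.strip()]
        if len(parts) != 1 or not parts[0].lower().endswith(r"\system32\userinit.exe"):
            return f"UserInit is {val!r}, expected only system32\\userinit.exe"
    return None


def check_o4(line):
    """Run keys: batch scripts launched from the drive root, random-looking names."""
    m = re.match(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$", line)
    if not m:
        return None
    name, exe = m.group(2), first_token(m.group(3).strip())
    stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if re.match(r"^[A-Za-z]:\\[^\\]+$", exe) and exe.lower().endswith((".bat", ".cmd")):
        return f"batch script launched from drive root: {exe}"
    if RANDOM_NAME.match(name) and stem.lower() == name:
        return f"random-looking value name {name!r} matching its executable"
    return None


def check_o17(line):
    """Per-interface DNS servers (any control set) outside the trusted set."""
    m = re.match(r"^O17 - HKLM\\System\\(CCS|CS\d+)\\Services\\Tcpip\\\.\.\\\{[0-9A-Fa-f-]+\}: NameServer = (.*)$", line)
    if not m:
        return None
    rogue = [ip for ip in re.split(r"[,\s]+", m.group(2).strip()) if ip and ip not in TRUSTED_NAMESERVERS]
    return f"untrusted resolver(s) {rogue} in {m.group(1)}" if rogue else None


def check_missing(line):
    """Hooks/services still registered after their file is gone, or with no publisher."""
    if line.startswith(("O2 ", "O20 ", "O21 ", "O23 ")) and ("(file missing)" in line or "(no file)" in line):
        return "orphaned registration: file is gone but the hook/service remains"
    if line.startswith("O23 ") and "Unknown owner" in line:
        return "service with no publisher"
    return None


CHECKS = (check_f2, check_o4, check_o17, check_missing)


def triage(log_text):
    """Return one Finding per suspicious line (first matching check wins)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in CHECKS:
            reason = check(line) if line else None
            if reason:
                findings.append(Finding(line, reason))
                break
    return findings
```

Running `triage(SAMPLE_LOG)` flags exactly the nine lines the helper asked to fix (both F2 values, the two odd Run values, the orphaned O2/O20/O21/O23 registrations and the O17 resolver) and leaves the NVIDIA, AlienGUIse and NVSvc lines alone. A missing-file entry is harmless in itself, but a cleanup that deletes a dropper and leaves its Run value, Winlogon Notify or service registration behind is how the same name reappears after every reboot, so the orphans are worth fixing in the same pass.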

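The aftermath.bfu script in the post above is a small list of destructive commands (RegDeleteKey, RegDelValue with a `key|value` separator, FileDelete with %SYSDIR%/%WINDIR% variables and a wildcard). Before handing such a script to a tool that executes it blindly, a practitioner wants to see what it will actually touch. The following is an added example, not BFU's own code and not from the thread: a dry-run planner that parses those three command types and matches each FileDelete against a constructed file inventory without touching the registry or disk. The variable expansions and the inventory are my assumptions.

```python
"""Dry-run a .bfu cleanup script against a file inventory.
Added example, not BFU itself; BFU_VARS and INVENTORY are assumptions."""
import fnmatch

# Assumed expansions for the two variables used in the script.
BFU_VARS = {"%SYSDIR%": r"C:\WINDOWS\system32", "%WINDIR%": r"C:\WINDOWS"}

# Copied from the aftermath.bfu script posted above (subset).
SCRIPT = r"""
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eqbuhg
RegDelValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run|eqbuhg
FileDelete %SYSDIR%\eqbuhg_navps.dat
FileDelete %SYSDIR%\eqbuhg.exe
FileDelete %WINDIR%\eqbuhg.exe-*.pf
"""

# Constructed stand-in for a directory listing of the infected machine.
INVENTORY = [
    r"C:\WINDOWS\system32\eqbuhg.exe",
    r"C:\WINDOWS\system32\eqbuhg_navps.dat",
    r"C:\WINDOWS\system32\userinit.exe",
    r"C:\WINDOWS\eqbuhg.exe-0F1E2D3C.pf",
    r"C:\WINDOWS\explorer.exe",
]


def expand(path):
    """Substitute the BFU variables this script uses."""
    for var, val in BFU_VARS.items():
        path = path.replace(var, val)
    return path


def split_path(path):
    """(directory, filename); directory lower-cased for case-insensitive compare."""
    d, _, f = path.rpartition("\\")
    return d.lower(), f


def matches(pattern, inventory):
    """Inventory files in the same directory whose name fits the wildcard pattern.
    The wildcard is applied to the filename only, so it never crosses directories."""
    pdir, pname = split_path(pattern)
    return [p for p in inventory
            if split_path(p)[0] == pdir
            and fnmatch.fnmatchcase(split_path(p)[1].lower(), pname.lower())]


def plan(script, inventory):
    """Return (command, target, matched_files) per line.
    Raises ValueError on an unknown command, a malformed RegDelValue, or a
    FileDelete whose filename part is nothing but wildcards."""
    actions = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        op, _, arg = line.partition(" ")
        arg = arg.strip()
        if op == "RegDeleteKey":
            actions.append((op, arg, None))
        elif op == "RegDelValue":
            key, sep, value = arg.partition("|")
            if not sep or not value:
                raise ValueError(f"RegDelValue needs key|value: {line}")
            actions.append((op, f"{key} -> {value}", None))
        elif op == "FileDelete":
            pattern = expand(arg)
            if not split_path(pattern)[1].strip("*?."):
                raise ValueError(f"refusing wildcard-only delete: {line}")
            actions.append((op, pattern, matches(pattern, inventory)))
        else:
            raise ValueError(f"unknown BFU command: {line}")
    return actions
```

With the constructed inventory, `plan(SCRIPT, INVENTORY)` shows the two registry operations, one hit each for the three FileDelete lines, and no hit on userinit.exe or explorer.exe. The wildcard-only guard is the check worth keeping: a stray `FileDelete %SYSDIR%\*.*` in a hand-typed script is the difference between removing a dropper and emptying system32.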
#3 indarkflames (Topic Starter; Members, 50 posts)

Posted 21 January 2007 - 11:01 PM

Spybot keeps finding spywares, fixes them, but they keep reappearing. Also, my computer has been running slower, I can already tell. Any kind of help will be appreciated. Here is the log;

Logfile of HijackThis v1.99.1
Scan saved at 7:58:42 PM, on 1/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kana WallChanger\KanaWall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\coolstuff\programs\programs\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Kana WallChanger] "C:\Program Files\Kana WallChanger\KanaWall.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe

#4 Papakid (Guru at being a Newbie; Malware Response Team, 6,618 posts)

Posted 21 January 2007 - 11:44 PM

Hi indarkflames,

I merged your new log with this thread (Topic). When you post follow-up logs, please stick to the same thread until your helper, in this case miekiemoes, has cleared you. Just click the Add Reply button in the original Topic. Do not create a new topic for your reply. This will cause confusion and a delay in the help you are receiving.

Please subscribe to this topic so you get an email notice and a link to it when you get a response. To do that click on the Options box toward the top right of your topic (just underneath Add Reply and New Topic). Then click on Track this topic, put a dot next to Immediate Email Notification, then scroll down and click Proceed.

Or, when you visit the forum, click on My Topics toward the top of any bleepingcomputer forum page. Thanks!

miekiemoes will be with you when available.

The thing about people is they change when they walk away. --Mipso


#5 indarkflames (Topic Starter; Members, 50 posts)

Posted 22 January 2007 - 02:19 AM

Oh sorry, it's because I got help from another forum that fixed the initial problem, not miekiemoes. I didn't see his post until now. The problem got fixed yesterday morning, but of course not fully; I still seem to have at least minor problems. This is why I went ahead and made a brand new topic, but of course this is just as good :thumbsup:

#6 miekiemoes (Malware Killer Dog; Malware Response Team, 19,420 posts; Belgium)

Posted 22 January 2007 - 03:11 AM

Hi indarkflames,

If you also start a thread at other forums and have already received help, it would have been nice if you had made a note in this original thread that you already received help somewhere else. Because I actually wasted my time posting my previous instructions and could have helped someone else instead.

Why did you start a new thread now again and didn't post your problem in the other forum where you already received help?
You have to understand that this is now very confusing for us, since we don't know what steps have been performed previously (because you were dealing with several different infections and not only Rustock).

#7 indarkflames (Topic Starter; Members, 50 posts)

Posted 22 January 2007 - 04:58 AM

I am truly sorry if I caused any confusion or frustration; my post kept getting moved back and forth between different parts of the forum. I remember posting a "the problem has been solved" post in my original topic, but I might have been mistaken; for that I am sorry.
Basically, I initially posted this issue on 2 boards at the same time, one being this forum. I hadn't received a reply back from here by the time I had my problems resolved by the other forum. That's when I came back and 'supposedly' posted the 'problem solved' reply, but I don't see it posted, so I must have been mistaken.
Then, since yesterday my computer has been running slower than usual, and Spybot is finding around 30 spyware items, deletes them, but they come back. This I saw as another new problem I should deal with, instead of a continuation of my "System32:lzx32.sys And Rustbfix.exe" problem, thus I made a new topic.

#8 miekiemoes (Malware Killer Dog; Malware Response Team, 19,420 posts; Belgium)

Posted 22 January 2007 - 01:42 PM

Hi,

Can you post a link to the thread where they already helped you and perform my instructions anyway?
Just skip the step with Hijackthis, because those entries are not present anymore.

#9 indarkflames (Topic Starter; Members, 50 posts)

Posted 22 January 2007 - 03:32 PM

Here is the topic;
http://forums.techguy.org/security/536660-...tml#post4372536

Working on your steps right now.

#10 miekiemoes (Malware Killer Dog; Malware Response Team, 19,420 posts; Belgium)

Posted 22 January 2007 - 03:43 PM

Ok, because as far as I can see from the other thread, MANY leftovers will still be present.
That's why performing my steps in the right order is really important.

Also, concerning your slow system - this may be because of malware, but keep in mind even after malware has been removed, your computer may still be slow.
Because after all, it's not always malware causing a slow system.
You may want to read this page as well:
http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

I also wrote there that Desktop enhancement tools are one of the main causes of a slow system. And I do see you use them: AlienGUIse, LogonStudio, Kana WallChanger...

Edited by miekiemoes, 22 January 2007 - 03:43 PM.


#11 miekiemoes (Malware Killer Dog; Malware Response Team, 19,420 posts; Belgium)

Posted 22 January 2007 - 03:51 PM

By the way...

You had this previously as well in your Hijackthislog:

O17 - HKLM\System\CCS\Services\Tcpip\..\{362E3676-8D7F-4BD0-AF31-9C3F6FD5D402}: NameServer = 66.35.255.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FA30A05-A150-4C5E-B1C9-82DA32A97131}: NameServer = 66.35.255.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{500653DB-7091-40CE-9FAD-AA3AD3FE2549}: NameServer = 66.35.255.12
O17 - HKLM\System\CS4\Services\Tcpip\..\{362E3676-8D7F-4BD0-AF31-9C3F6FD5D402}: NameServer = 66.35.255.12
O17 - HKLM\System\CS5\Services\Tcpip\..\{362E3676-8D7F-4BD0-AF31-9C3F6FD5D402}: NameServer = 66.35.255.12

You were advised to fix them in the other thread. Actually, I wanted some more explanation about those entries, because they are from trendmicro.com.
Any idea how they ended up in there? Did you put them there???

#12 indarkflames (Topic Starter; Members, 50 posts)

Posted 22 January 2007 - 03:52 PM

It's that I noticed a significant slowdown after my frustration with the malware/spyware issues, so that would be my first guess at the moment. I do agree that desktop enhancement tools slow down the computer, but I am not willing to sacrifice them just yet.

Here are the logs.

Combofix;

"Ali" - 07-01-22 12:46:16 Service Pack 2
ComboFix 07-01-18 - Running from: "C:\Program Files\coolstuff\programs\programs"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{3466C~1
C:\Program Files\Common Files\{F466C~1
C:\Documents and Settings\All Users\Documents\Settings


((((((((((((((((((((((((((((((( Files Created from 2006-12-22 to 2007-01-22 ))))))))))))))))))))))))))))))))))


2007-01-22 12:37 <DIR> d-------- C:\WINDOWS\system32\bfubackups
2007-01-22 12:33 <DIR> d-------- C:\bfu
2007-01-22 00:29 <DIR> d-------- C:\Program Files\Free Download Manager
2007-01-22 00:29 <DIR> d-------- C:\DOCUME~1\Ali\Application Data\Free Download Manager
2007-01-19 22:10 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-19 21:28 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-19 17:41 <DIR> d-------- C:\SDFix
2007-01-19 17:14 <DIR> d-------- C:\WINDOWS\ERDNT
2007-01-19 17:14 <DIR> d-------- C:\!KillBox
2007-01-19 12:05 96 --a------ C:\avexport.bat
2007-01-19 12:05 60,416 --a------ C:\WINDOWS\system32\drivers\kgtaqqlo.sys
2007-01-19 12:05 378 --a------ C:\reboot.bat
2007-01-19 12:05 19,814 --a------ C:\reboot.exe
2007-01-19 12:05 16 --a------ C:\chdir.bat
2007-01-19 12:05 126,976 --a------ C:\zip.exe
2007-01-19 12:05 <DIR> d-------- C:\Rustbfix
2007-01-19 12:05 <DIR> d-------- C:\Avenger
2007-01-19 11:03 <DIR> d--hs---- C:\WINDOWS\CSC
2007-01-18 15:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-01-18 14:50 <DIR> d-------- C:\DOCUME~1\Ali\DoctorWeb
2007-01-18 14:46 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-01-18 14:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com
2007-01-18 14:46 <DIR> d-------- C:\DOCUME~1\Ali\Application Data\SUPERAntiSpyware.com
2007-01-18 14:22 <DIR> d-------- C:\Program Files\Windows Defender
2007-01-18 11:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-18 11:03 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-01-18 11:03 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2007-01-18 11:03 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-01-18 11:03 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-01-18 11:03 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-01-18 11:03 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-01-18 11:03 <DIR> d-------- C:\Program Files\Grisoft
2007-01-18 11:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
2007-01-18 10:51 1,000,429 --ahs---- C:\WINDOWS\system32\nqtwa.bak1
2007-01-18 10:48 <DIR> d-------- C:\Program Files\ssystem v5.1.1 build 3
2007-01-18 10:48 <DIR> d-------- C:\Program Files\advanced invisible keylogger
2007-01-18 10:48 <DIR> d-------- C:\Program Files\123wasp
2007-01-18 10:46 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-01-18 10:46 276 --a------ C:\WINDOWS\gilvx.dll
2007-01-18 10:45 <DIR> d-------- C:\Program Files\àppPatch
2007-01-17 22:00 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-01-17 22:00 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-01-17 22:00 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-01-16 18:57 4,644 --------- C:\WINDOWS\system32\drivers\AsProbe.sys
2007-01-16 18:04 6,272 --a------ C:\WINDOWS\system32\drivers\ASLM75.SYS
2007-01-16 18:04 299,008 --a------ C:\WINDOWS\uninst.exe
2007-01-16 18:04 <DIR> d-------- C:\Program Files\ASUS
2007-01-16 18:00 <DIR> d-------- C:\Program Files\Realtek AC97
2007-01-13 18:33 60,416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2007-01-13 18:33 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-01-12 00:46 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-08 21:24 <DIR> d-------- C:\Program Files\Maxis
2006-12-29 20:10 <DIR> d-------- C:\Program Files\TinkleBell
2006-12-27 10:35 <DIR> d-------- C:\WINDOWS\Hewlett-Packard
2006-12-24 18:15 <DIR> d-------- C:\DOCUME~1\Ali\Application Data\Leadertech
2006-12-24 11:26 <DIR> d--hs---- C:\found.000


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-22 12:40 -------- d-------- C:\Program Files\mozilla firefox
2007-01-22 12:27 -------- d-------- C:\DOCUME~1\Ali\Application Data\avg7
2007-01-22 00:36 -------- d-------- C:\DOCUME~1\Ali\Application Data\utorrent
2007-01-22 00:35 -------- d-------- C:\Program Files\coolstuff
2007-01-20 16:17 -------- d-------- C:\Program Files\stuff
2007-01-20 11:03 -------- d-------- C:\Program Files\dc++
2007-01-19 22:22 -------- d-------- C:\Program Files\kana wallchanger
2007-01-19 22:22 -------- d-------- C:\Program Files\itunes
2007-01-19 22:18 -------- d-------- C:\Program Files\daemon tools
2007-01-19 22:16 -------- d-------- C:\Program Files\alienguise
2007-01-18 15:29 -------- d-------- C:\Program Files\games
2007-01-18 11:06 558 --a------ C:\Program Files\Common Files\lavuq267
2007-01-18 11:03 -------- d---s---- C:\DOCUME~1\Ali\Application Data\microsoft
2007-01-18 10:48 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-01-16 12:25 -------- d-------- C:\Program Files\powerstrip
2007-01-08 21:29 12400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-12-29 14:48 4026112 -ra------ C:\WINDOWS\system32\drivers\alcxwdm.sys
2006-12-27 13:12 -------- d-------- C:\Program Files\winamp
2006-12-27 10:35 -------- d-------- C:\Program Files\hewlett-packard
2006-12-26 10:08 -------- d-------- C:\Program Files\quicktime alternative
2006-12-16 14:31 -------- d-------- C:\Program Files\soulseek
2006-12-16 14:12 -------- dr------- C:\Program Files\documents
2006-12-16 02:57 1682 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2006-12-16 02:47 56 -r-hs---- C:\WINDOWS\system32\3f9d5a3f01.sys
2006-12-16 02:47 -------- d-------- C:\Program Files\Common Files\enterbrain
2006-12-16 01:34 -------- d-------- C:\Program Files\chessmaster 9000
2006-12-15 15:10 -------- d-------- C:\Program Files\sony setup
2006-12-15 15:10 -------- d-------- C:\Program Files\sony
2006-12-15 15:10 -------- d-------- C:\DOCUME~1\Ali\Application Data\sony
2006-12-12 20:39 -------- d-------- C:\Program Files\microsoft activesync
2006-12-08 15:20 10528768 --a------ C:\WINDOWS\system32\rtlcpl.exe
2006-12-06 15:41 -------- d-------- C:\DOCUME~1\Ali\Application Data\dvdcss
2006-12-06 13:54 -------- d-------- C:\DOCUME~1\Ali\Application Data\real
2006-12-06 13:53 -------- d-------- C:\Program Files\Common Files\xing shared
2006-12-06 13:53 -------- d-------- C:\Program Files\Common Files\real
2006-12-06 13:52 -------- d-------- C:\Program Files\real
2006-11-30 19:54 -------- d-------- C:\Program Files\minitab 14
2006-11-28 22:48 -------- d-------- C:\DOCUME~1\Ali\Application Data\adobeum
2006-11-28 17:44 -------- d-------- C:\Program Files\easy video joiner
2006-11-27 19:23 -------- d-------- C:\DOCUME~1\Ali\Application Data\apple computer
2006-11-26 15:58 -------- d-------- C:\Program Files\abisuite2
2006-11-26 15:55 -------- d-------- C:\Program Files\nvidia corporation
2006-11-17 05:42 577536 --a------ C:\WINDOWS\soundman.exe
2006-11-07 21:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --a------ C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --a------ C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --a------ C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --a------ C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-03 12:46 164112 --a------ C:\WINDOWS\system32\wnaspi32.dll
2006-10-25 16:03 8736768 --a------ C:\WINDOWS\system32\logonuix.exe
2006-10-23 19:01 737280 --a------ C:\WINDOWS\iun6002.exe
2006-10-23 15:50 262144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2006-10-22 21:52 1179136 --a------ C:\WINDOWS\system32\autopartnt.exe
2006-10-22 21:32 879 --a------ C:\DOCUME~1\Ali\Application Data\adobedlm.log
2006-10-22 21:32 0 --a------ C:\DOCUME~1\Ali\Application Data\dm.ini
2006-10-22 18:12 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-10-22 18:12 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-10-22 15:12 0 -r-hs---- C:\MSDOS.SYS
2006-10-22 15:12 0 -r-hs---- C:\IO.SYS
2006-10-22 15:12 0 --------- C:\CONFIG.SYS
2006-10-22 15:12 0 --------- C:\AUTOEXEC.BAT
2006-10-22 12:22 888832 --a------ C:\WINDOWS\system32\nvmobls.dll
2006-10-22 12:22 86016 --a------ C:\WINDOWS\system32\nvmctray.dll
2006-10-22 12:22 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2006-10-22 12:22 794624 --a------ C:\WINDOWS\system32\nvcplui.exe
2006-10-22 12:22 7700480 --a------ C:\WINDOWS\system32\nvcpl.dll
2006-10-22 12:22 581632 --a------ C:\WINDOWS\system32\nvhwvid.dll
2006-10-22 12:22 5644288 --a------ C:\WINDOWS\system32\nvoglnt.dll
2006-10-22 12:22 5619712 --a------ C:\WINDOWS\system32\nvdisps.dll
2006-10-22 12:22 5255168 --a------ C:\WINDOWS\system32\nvdispsr.dll
2006-10-22 12:22 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2006-10-22 12:22 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2006-10-22 12:22 4527488 --a------ C:\WINDOWS\system32\nv4_disp.dll
2006-10-22 12:22 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2006-10-22 12:22 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2006-10-22 12:22 425984 --a------ C:\WINDOWS\system32\keystone.exe
2006-10-22 12:22 35840 --a------ C:\WINDOWS\system32\nvcodins.dll
2006-10-22 12:22 35840 --a------ C:\WINDOWS\system32\nvcod.dll
2006-10-22 12:22 3203072 --a------ C:\WINDOWS\system32\nvgamesr.dll
2006-10-22 12:22 311296 --a------ C:\WINDOWS\system32\nvexpbar.dll
2006-10-22 12:22 3047424 --a------ C:\WINDOWS\system32\nvgames.dll
2006-10-22 12:22 2973696 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2006-10-22 12:22 2924544 --a------ C:\WINDOWS\system32\nvvitvs.dll
2006-10-22 12:22 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2006-10-22 12:22 2859008 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2006-10-22 12:22 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2006-10-22 12:22 212992 --a------ C:\WINDOWS\system32\nvapi.dll
2006-10-22 12:22 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2006-10-22 12:22 1732608 --a------ C:\WINDOWS\system32\nvwssr.dll
2006-10-22 12:22 1662976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2006-10-22 12:22 1622016 --a------ C:\WINDOWS\system32\nwiz.exe
2006-10-22 12:22 159810 --a------ C:\WINDOWS\system32\nvsvc32.exe
2006-10-22 12:22 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2006-10-22 12:22 1470464 --a------ C:\WINDOWS\system32\nview.dll
2006-10-22 12:22 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2006-10-22 12:22 1236992 --a------ C:\WINDOWS\system32\nvwss.dll
2006-10-22 12:22 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2006-10-22 12:22 1011712 --a------ C:\WINDOWS\system32\nvcpluir.dll
2006-10-22 08:07 62 --ahs---- C:\DOCUME~1\Ali\Application Data\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Kana WallChanger"="\"C:\\Program Files\\Kana WallChanger\\KanaWall.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Free Download Manager"="C:\\Program Files\\Free Download Manager\\fdm.exe -autorun"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NVRaidService"="C:\\WINDOWS\\system32\\nvraidservice.exe"
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"TrueImageMonitor.exe"="C:\\Program Files\\Acronis\\TrueImageHome\\TrueImageMonitor.exe"
"AcronisTimounterMonitor"="C:\\Program Files\\Acronis\\TrueImageHome\\TimounterMonitor.exe"
"Acronis Scheduler2 Service"="\"C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedhlp.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"LogonStudio"="\"C:\\Program Files\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"QuickTime Task"="\"C:\\Program Files\\QuickTime Alternative\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"SoundMan"="SOUNDMAN.EXE"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^auqpm.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\auqpm.exe"
"backup"="C:\\WINDOWS\\pss\\auqpm.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\auqpm.exe"
"item"="auqpm"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dxc"
"hkey"="HKLM"
"command"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nTrayFw"
"hkey"="HKLM"
"command"="C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\bin\\nTrayFw.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pstrip"
"hkey"="HKLM"
"command"="c:\\program files\\powerstrip\\pstrip.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="wbsys.dll"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E}"=""
"System Registry Hook"="{309C96FA-8C40-4bce-879C-989DC33DCD25}"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\OblivionLauncher.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0e068f90-6223-11db-994d-0018f37d4455}]
Shell\AutoRun\command D:\install.bat

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{86f9d0c0-6231-11db-a99c-806d6172696f}]
Shell\AutoRun\command E:\Info.exe folder.htt 480 480


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 07-01-22 12:47:36



Blacklight;

01/22/07 12:41:19 [Info]: BlackLight Engine 1.0.55 initialized
01/22/07 12:41:19 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/22/07 12:41:19 [Note]: 7019 4
01/22/07 12:41:19 [Note]: 7005 0
01/22/07 12:41:30 [Note]: 7006 0
01/22/07 12:41:30 [Note]: 7011 1568
01/22/07 12:41:30 [Note]: 7026 0
01/22/07 12:41:30 [Note]: 7026 0
01/22/07 12:41:34 [Note]: FSRAW library version 1.7.1021
01/22/07 12:45:41 [Note]: 7007 0





HJT;

Logfile of HijackThis v1.99.1
Scan saved at 12:51:08 PM, on 1/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kana WallChanger\KanaWall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\coolstuff\programs\programs\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Kana WallChanger] "C:\Program Files\Kana WallChanger\KanaWall.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
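To show how an analyst reads the ComboFix file listings in the post above, here is an added Python example (not ComboFix code and not from this thread). It parses lines of the form `date time size attrs path`, then flags hidden+system files under the Windows directory, very small files carrying an executable extension, and paths containing a suspect keyword. The attribute-letter reading (d=directory, r=read-only, a=archive, h=hidden, s=system), the 1024-byte threshold and the keyword list are assumptions for the example; the sample lines are copied from the log above. The flags are triage prompts, not verdicts: legitimate items such as C:\WINDOWS\CSC (a directory) or C:\MSDOS.SYS (outside the Windows directory) are deliberately left unflagged.

```python
import re

# Constructed sample: a handful of "Files Created" and Find3M lines copied from
# the ComboFix report above (not the whole report).
SAMPLE_LISTING = r"""
2007-01-22 12:37 <DIR> d-------- C:\WINDOWS\system32\bfubackups
2007-01-19 11:03 <DIR> d--hs---- C:\WINDOWS\CSC
2007-01-19 12:05 60,416 --a------ C:\WINDOWS\system32\drivers\kgtaqqlo.sys
2007-01-18 10:51 1,000,429 --ahs---- C:\WINDOWS\system32\nqtwa.bak1
2007-01-18 10:48 <DIR> d-------- C:\Program Files\advanced invisible keylogger
2007-01-18 10:46 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-01-18 10:46 276 --a------ C:\WINDOWS\gilvx.dll
2006-12-16 02:57 1682 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2006-12-16 02:47 56 -r-hs---- C:\WINDOWS\system32\3f9d5a3f01.sys
2006-10-22 15:12 0 -r-hs---- C:\MSDOS.SYS
2006-10-22 08:07 62 --ahs---- C:\DOCUME~1\Ali\Application Data\desktop.ini
"""

# size is a comma-grouped byte count, "<DIR>", or a run of dashes (Find3M directories);
# attrs is a nine-character attribute string.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|-+|[\d,]+) (?P<attrs>[a-z-]{9}) (?P<path>.+?)\s*$"
)

WINDOWS_ROOT = "c:\\windows\\"      # assumed system root for the sample machine
TINY_PE_BYTES = 1024                 # assumed threshold: real drivers/DLLs are larger
SUSPECT_WORDS = ("keylogger",)       # assumed keyword list; extend as needed
PE_EXTENSIONS = (".sys", ".dll", ".exe")


def parse_listing(text):
    """Parse ComboFix listing lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size_field = m.group("size")
        size = int(size_field.replace(",", "")) if size_field[0].isdigit() else None
        attrs = m.group("attrs")
        entries.append({
            "date": m.group("date"),
            "time": m.group("time"),
            "size": size,                       # None for directories
            "is_dir": attrs[0] == "d" or size_field == "<DIR>",
            "readonly": "r" in attrs,           # attribute letters: assumed mapping
            "hidden": "h" in attrs,
            "system": "s" in attrs,
            "attrs": attrs,
            "path": m.group("path"),
        })
    return entries


def triage(entries):
    """Return {path: [reasons]} for entries worth a second look."""
    findings = {}
    for e in entries:
        reasons = []
        p = e["path"].lower()
        name = p.rsplit("\\", 1)[-1]
        in_windows = p.startswith(WINDOWS_ROOT)
        # hidden+system is normal for a few OS files, but not for stray files in %windir%
        if not e["is_dir"] and in_windows and e["hidden"] and e["system"]:
            reasons.append("hidden+system file under Windows directory")
        # a .sys/.dll/.exe of a few hundred bytes cannot be a real PE image
        if (not e["is_dir"] and in_windows and e["size"] is not None
                and e["size"] < TINY_PE_BYTES and name.endswith(PE_EXTENSIONS)):
            reasons.append(f"{e['size']}-byte file with executable extension")
        if any(w in p for w in SUSPECT_WORDS):
            reasons.append("path contains suspect keyword")
        if reasons:
            findings[e["path"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_listing(SAMPLE_LISTING)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the script singles out exactly the files the helper later asks about (nqtwa.bak1, gilvx.dll, the keylogger folder) plus the two tiny hidden .sys files, while leaving the Avenger's 60 KB driver and the normal system entries alone.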

#13 indarkflames (Topic Starter)

  • Members
  • 50 posts

Posted 22 January 2007 - 03:54 PM

> By the way...
>
> You had this previously as well in your Hijackthislog:
>
> O17 - HKLM\System\CCS\Services\Tcpip\..\{362E3676-8D7F-4BD0-AF31-9C3F6FD5D402}: NameServer = 66.35.255.12
> O17 - HKLM\System\CCS\Services\Tcpip\..\{3FA30A05-A150-4C5E-B1C9-82DA32A97131}: NameServer = 66.35.255.12
> O17 - HKLM\System\CCS\Services\Tcpip\..\{500653DB-7091-40CE-9FAD-AA3AD3FE2549}: NameServer = 66.35.255.12
> O17 - HKLM\System\CS4\Services\Tcpip\..\{362E3676-8D7F-4BD0-AF31-9C3F6FD5D402}: NameServer = 66.35.255.12
> O17 - HKLM\System\CS5\Services\Tcpip\..\{362E3676-8D7F-4BD0-AF31-9C3F6FD5D402}: NameServer = 66.35.255.12
>
> You were advised to fix them in the other thread. Actually, I wanted some more explanation about those entries, because they are from trendmicro.com.
> Any idea how they ended up in there? Did you put them there???


I am not sure what Trendmicro.com is... I doubt that it was I who put them there, but I am not certain...

#14 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 January 2007 - 04:21 PM

Hi,

I see you installed AlienGUIse/Windowblinds recently as well.

What is this you installed?

C:\Program Files\coolstuff

Do next please..

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders again afterwards, when we are done with this thread and your problems are solved, because the above instructions to set your system to show all files unhide legitimate files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in reverse.


Delete next files:

C:\WINDOWS\gilvx.dll
C:\WINDOWS\system32\nqtwa.bak1

The next file is most probably related to the Avenger; it is the random driver:
C:\WINDOWS\system32\drivers\kgtaqqlo.sys
That one is ok.

Are you aware that there is a keylogger installed on your system?
This program is installed manually, I mean, someone installed this... this keylogger doesn't come with malware.

The program is called "advanced invisible keylogger".
It dropped the next folders:

2007-01-18 10:48 <DIR> d-------- C:\Program Files\ssystem v5.1.1 build 3
2007-01-18 10:48 <DIR> d-------- C:\Program Files\advanced invisible keylogger
2007-01-18 10:48 <DIR> d-------- C:\Program Files\123wasp

Don't delete those folders yet. It could be possible that your scanner is finding them all the time.
Just let me know if you're aware of them. If not, do not delete those folders yet, since the uninstaller is present in one or more of these folders and we better remove it using the uninstaller.

Download the Registry Search Tool from the next page:
http://www.billsway.com/vbspage/
Unzip it and run it.
If your antivirus interferes, you have to disable script blocking in the antivirus.
Put the following in the search box:

{309C96FA-8C40-4bce-879C-989DC33DCD25}

Let it start the scan.
Post the results of the textfile you get in your next reply.

Do the same for {B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E}

Trendmicro is an AV Vendor:
http://www.trendmicro.com/vinfo/

Edited by miekiemoes, 22 January 2007 - 04:22 PM.


#15 indarkflames (Topic Starter)

  • Members
  • 50 posts

Posted 22 January 2007 - 04:34 PM

AlienGUIse/Windowblinds were not installed recently; they actually came with the computer, as part of Alienware.
Coolstuff is a folder I made that keeps various software shortcuts and other things.
I have not installed a keylogger on this computer. I remember having one on my past one, so I guess it is possible that it got transferred from the old computer, but I am 100% sure that I didn't install it on this computer, nor did I purposely transport it here, which I believe I hadn't.

Here are the Registry Search Tool logs;

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{309C96FA-8C40-4bce-879C-989DC33DCD25}" 1/22/2007 1:29:45 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"System Registry Hook"="{309C96FA-8C40-4bce-879C-989DC33DCD25}"

[HKEY_USERS\S-1-5-21-1078081533-1770027372-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"System Registry Hook"="{309C96FA-8C40-4bce-879C-989DC33DCD25}"


REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E}" 1/22/2007 1:30:30 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E}"=""

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E} {00000000-0000-0000-C000-000000000046} 0x401"=hex:01,\

[HKEY_USERS\S-1-5-21-1078081533-1770027372-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E}]

[HKEY_USERS\S-1-5-21-1078081533-1770027372-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E}\iexplore]

[HKEY_USERS\S-1-5-21-1078081533-1770027372-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E} {00000000-0000-0000-C000-000000000046} 0x401"=hex:01,\

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E} {00000000-0000-0000-C000-000000000046} 0x401"=hex:01,\



