
Wuauclt.exe /intemp


This topic is locked. 34 replies to this topic.

#1 nectarN

Posted 25 February 2007 - 12:50 AM

Isn't the Windows Auto Update client in the temp folder malware?

wuauclt.exe
temp?

I've spent a lot of time on this
and not even close to having taken ALL preliminary shots at it.
Tired, and just want to post it out for a moment.

Learning about this stuff is getting to be more interesting than trying to fix it.
But all the info on it (w/ client exe) is looking pretty lean to me now.

I've AVGed it. That took a whole darn hour.
I Ad-Aware'd it too.
Spybot (thinks it can force me online to update
by simply refusing to look at anything
till I find a fancy way to feed it what it needs).

It was only the wuauclt.
It ran up the temporary memory;
after a while I decided to quarantine it.
I Sec Task Manager'd it, quarantined it over and over again. That's fun.

Eventually I noticed no net connecting,
and System Restore won't do its thing (I didn't even know that was possible, to have System Restore bug off, till days ago).

There's also a zvZoCrypt.dll I kicked to the recycle bin to keep it around rotting there :o
because it has the precise birthday (time) as exactly when my laptop got its only bout of feeling "fussy"
and had started, at the birth of zvZo, entertaining the ol' extra wuau-client-.EXE, to the moderate dismay of my temporary memory behavior.
I'm still researching lots of these other
files one by one: DLLs, DLL threads via wuauclt+svchost, and whatnot.


Logfile of HijackThis v1.99.1
Scan saved at 11:50:08 PM, on 2/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\TEMP\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Security Task Manager\TaskMan.exe
C:\WINDOWS\system32\taskmgr.exe
C:\DOCUME~1\user1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [WheresJames Startup Manager] C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Vongo Service - Unknown owner - C:\Program Files\Vongo\VongoService.exe (file missing)

I've begun wrapping up my personal files for a more ready, orderly exodus, because when I'm done having fun using this problem as a learning experience (I'm researching a lot of stuff I sort of always wanted to know), I realise a complete reinstall might be more appropriate to squish that sucker (hopefully my reinstall disks are all in order :) ; I can remember that took hours too, making them).


#2 miekiemoes (Malware Killer Dog, Malware Response Team)

Posted 25 February 2007 - 05:42 AM

Hi,

The wuauclt.exe does indeed not belong there.
I really hope that you're not dealing with the same as the user here, because in his case, some legit Windows files (ndis.sys and winlogon.exe) were infected as well... and in such cases, I do indeed recommend a format and reinstall.

But I don't say this is the same in your case; we'll find out afterwards.

Please do the following.

First of all, you didn't unzip/extract HijackThis, and it's still in the temp folder.
So I strongly advise you to unzip/extract hijackthis.zip.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Create a permanent folder and move HijackThis.exe into it. The reason is that HijackThis creates backups, and when it's in your temp folder they can be accidentally deleted.
How to make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

* Download SDFix and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

* Reboot into Safe Mode (without networking support!)
To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
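A small defender-side check for the point made in this reply, added here as an example (it is not from the thread or from any of the tools named in it): it parses the "Running processes" section of a HijackThis log and flags well-known Windows binaries that run from somewhere other than their expected directory (the wuauclt.exe in C:\WINDOWS\TEMP), plus anything running out of a Temp folder (HijackThis itself, in the first log). The expected-directory table and the trimmed sample log are assumptions constructed for illustration.

```python
"""Flag Windows system binaries running from the wrong place in a HijackThis log.

The legitimate Windows Update client (wuauclt.exe) lives in %WINDIR%\\system32;
a second copy in C:\\WINDOWS\\TEMP is exactly the kind of entry this check
surfaces. Only the "Running processes:" section of the log is parsed.
"""
import ntpath

# Expected parent directory (lower-cased, drive letter dropped) for a few Windows
# binaries that malware commonly impersonates. Assumed table for illustration,
# not a complete list: extend it for your own environment.
EXPECTED_DIRS = {
    "smss.exe": r"\windows\system32",
    "csrss.exe": r"\windows\system32",
    "winlogon.exe": r"\windows\system32",
    "services.exe": r"\windows\system32",
    "lsass.exe": r"\windows\system32",
    "svchost.exe": r"\windows\system32",
    "wuauclt.exe": r"\windows\system32",
    "rundll32.exe": r"\windows\system32",
    "explorer.exe": r"\windows",
}


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' (section ends at a blank line)."""
    paths = []
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not stripped:
                break
            paths.append(stripped)
    return paths


def normalize(path):
    """Lower-case the path and drop the drive letter so C:\\WINDOWS and c:\\windows compare equal."""
    p = path.strip().lower().replace("/", "\\")
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    return p


def classify(path):
    """Return None when the path looks normal, otherwise a short reason string."""
    directory, name = ntpath.split(normalize(path))
    directory = directory.rstrip("\\") or "\\"
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and directory != expected:
        return "%s running from %s instead of %s (possible masquerading)" % (
            name, directory, expected)
    # Anything executing out of a Temp directory deserves a look even when it is
    # not impersonating a system binary.
    if "temp" in directory.split("\\"):
        return "%s running from a temp directory (%s)" % (name, directory)
    return None


def find_suspicious(log_text):
    """Return [(original_path, reason), ...] for every flagged running process."""
    findings = []
    for path in running_processes(log_text):
        reason = classify(path)
        if reason:
            findings.append((path, reason))
    return findings


# Constructed sample: a trimmed copy of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:50:08 PM, on 2/23/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\user1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/
"""

if __name__ == "__main__":
    for path, reason in find_suspicious(SAMPLE_LOG):
        print(path, "->", reason)
```

The same table can be applied to any process listing (Task Manager exports, EDR telemetry), since the check is on the binary name and its directory, not on the log format.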

#3 nectarN (Topic Starter)

Posted 27 February 2007 - 03:07 AM

I had put HijackThis in a folder I made for it myself in "Program Files"; I even named the folder "HijackThis", and I noticed the same thing in my log: says temp.

Odd. I got to spend a little time. Check what's what with that. Maybe just put HJT there over again.
I ran it from its own folder in Program Files. Maybe it installed in both places. I'll try and see.

Will try the whole SDFix instructions soon
and post, thanks.

#4 miekiemoes (Malware Killer Dog, Malware Response Team)

Posted 27 February 2007 - 07:42 AM

Hi,

I had put HijackThis in a folder I made for it myself in "Program Files"; I even named the folder "HijackThis", and I noticed the same thing in my log: says temp.


Most probably you forgot to unzip it. To unzip it, right-click HijackThis and choose Extract.
It's explained here how to unzip: http://consumer.installshield.com/kb.asp?id=Q108326

Edited by miekiemoes, 27 February 2007 - 07:43 AM.


#5 nectarN (Topic Starter)

Posted 27 February 2007 - 09:52 PM

Okay, done so far.

HJT still wouldn't unzip into the folder made for it, so I cut and pasted after opening; now fine
(HJT seemed to keep creating its OWN temp folder).

Here are both:




SDFix: Version 1.68

Run by user1 - Tue 02/27/2007 @ 20:49:36.84

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
EXAMPLE

Path:
\??\C:\WINDOWS\system32\main.sys

EXAMPLE Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

\svchost.exe - Deleted
C:\as.txt - Deleted
C:\svchost.exe - Deleted
C:\WINDOWS\system32\advvpi32.dll - Deleted
C:\WINDOWS\system32\reg.sys - Deleted

Could Not Remove C:\WINDOWS\system32\wsys.dll
Could Not Remove C:\WINDOWS\Temp\wuauclt.exe


ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Explorer"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Disabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Disabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Disabled:avginet.exe"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Disabled:Earthlink"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------
C:\WINDOWS\system32\wsys.dll Found
C:\WINDOWS\Temp\wuauclt.exe Found

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Program Files\Replay AV 8\14_43260.dll
C:\Program Files\Replay AV 8\28_83260.dll
C:\Program Files\Replay AV 8\atrc3260.dll
C:\Program Files\Replay AV 8\cook3260.dll
C:\Program Files\Replay AV 8\cygwin1.dll
C:\Program Files\Replay AV 8\cygz.dll
C:\Program Files\Replay AV 8\dnet3260.dll
C:\Program Files\Replay AV 8\drv23260.dll
C:\Program Files\Replay AV 8\drv33260.dll
C:\Program Files\Replay AV 8\drv43260.dll
C:\Program Files\Replay AV 8\ivvideo.dll
C:\Program Files\Replay AV 8\qtmlClient.dll
C:\Program Files\Replay AV 8\raac.dll
C:\Program Files\Replay AV 8\sipr3260.dll
C:\WINDOWS\system32\AVSredirect.dll
C:\WINDOWS\SMINST\HPCD.sys
C:\WINDOWS\temp\BIT127A.tmp
C:\WINDOWS\temp\BIT127C.tmp
C:\WINDOWS\temp\BIT13.tmp
C:\WINDOWS\temp\BIT15A5.tmp
C:\WINDOWS\temp\BIT164C.tmp
C:\WINDOWS\temp\BIT184D.tmp
C:\WINDOWS\temp\BIT1A1.tmp
C:\WINDOWS\temp\BIT1AE.tmp
C:\WINDOWS\temp\BIT1D1C.tmp
C:\WINDOWS\temp\BIT1EBE.tmp
C:\WINDOWS\temp\BIT1F6.tmp
C:\WINDOWS\temp\BIT20AA.tmp
C:\WINDOWS\temp\BIT247E.tmp
C:\WINDOWS\temp\BIT2571.tmp
C:\WINDOWS\temp\BIT25C2.tmp
C:\WINDOWS\temp\BIT29.tmp
C:\WINDOWS\temp\BIT2947.tmp
C:\WINDOWS\temp\BIT2989.tmp
C:\WINDOWS\temp\BIT29F7.tmp
C:\WINDOWS\temp\BIT2A87.tmp
C:\WINDOWS\temp\BIT2F.tmp
C:\WINDOWS\temp\BIT3.tmp
C:\WINDOWS\temp\BIT3CB6.tmp
C:\WINDOWS\temp\BIT3DAC.tmp
C:\WINDOWS\temp\BIT40A.tmp
C:\WINDOWS\temp\BIT445C.tmp
C:\WINDOWS\temp\BIT4567.tmp
C:\WINDOWS\temp\BIT47D8.tmp
C:\WINDOWS\temp\BIT47ED.tmp
C:\WINDOWS\temp\BIT4E75.tmp
C:\WINDOWS\temp\BIT5119.tmp
C:\WINDOWS\temp\BIT538C.tmp
C:\WINDOWS\temp\BIT54DB.tmp
C:\WINDOWS\temp\BIT58EE.tmp
C:\WINDOWS\temp\BIT5D01.tmp
C:\WINDOWS\temp\BIT603.tmp
C:\WINDOWS\temp\BIT61C5.tmp
C:\WINDOWS\temp\BIT62BF.tmp
C:\WINDOWS\temp\BIT69A7.tmp
C:\WINDOWS\temp\BIT6A50.tmp
C:\WINDOWS\temp\BIT6A6E.tmp
C:\WINDOWS\temp\BIT6F4D.tmp
C:\WINDOWS\temp\BIT74.tmp
C:\WINDOWS\temp\BIT832.tmp
C:\WINDOWS\temp\BIT8490.tmp
C:\WINDOWS\temp\BIT86C9.tmp
C:\WINDOWS\temp\BIT895F.tmp
C:\WINDOWS\temp\BIT8E.tmp
C:\WINDOWS\temp\BIT93.tmp
C:\WINDOWS\temp\BIT98D8.tmp
C:\WINDOWS\temp\BIT9D38.tmp
C:\WINDOWS\temp\BIT9D64.tmp
C:\WINDOWS\temp\BITA31.tmp
C:\WINDOWS\temp\BITA861.tmp
C:\WINDOWS\temp\BITA8B4.tmp
C:\WINDOWS\temp\BITABC5.tmp
C:\WINDOWS\temp\BITAD2.tmp
C:\WINDOWS\temp\BITAF4C.tmp
C:\WINDOWS\temp\BITBB52.tmp
C:\WINDOWS\temp\BITBBC3.tmp
C:\WINDOWS\temp\BITC0DC.tmp
C:\WINDOWS\temp\BITCAC7.tmp
C:\WINDOWS\temp\BITCF5A.tmp
C:\WINDOWS\temp\BITCF60.tmp
C:\WINDOWS\temp\BITCF62.tmp
C:\WINDOWS\temp\BITCFD7.tmp
C:\WINDOWS\temp\BITD025.tmp
C:\WINDOWS\temp\BITDAE.tmp
C:\WINDOWS\temp\BITE30.tmp
C:\WINDOWS\temp\BITE41.tmp
C:\WINDOWS\temp\BITEAE.tmp

Add/Remove Programs List:

AVG 7.5
Conexant HD Audio
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 1.99.1
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP Rhapsody
Customer Experience Enhancement
Easy Internet Sign-up
Microsoft Money 2006
Netscape Browser (remove only)
Intel® PRO Network Connections Drivers
RealPlayer
Replay AV 8
Security Task Manager 1.7
Adobe Flash Player 9 ActiveX
Spybot - Search & Destroy 1.4
Star Trek Armada II
Synaptics Pointing Device Driver
System Spyware Interrogator
Ulead PhotoImpact 5
Windows Genuine Advantage Validation Tool
WheresJames Startup Manager 2.22
My HP Games
WinPcap 3.1
Windows Media Connect
Yahoo! Toolbar for Internet Explorer
Yahoo! Toolbar
Sonic Data Module
Wireless Home Network Setup
AutoUpdate
CP_CalendarTemplates1
Sonic MyDVD Plus
Customer Experience Enhancement
CP_Package_Variety2
Destinations
Quicken 2006
SkinsHP1
Sonic Update Manager
J2SE Runtime Environment 5.0 Update 6
HP Quick Launch Buttons 6.10 A2
Unload
OptionalContentQFolder
NetWaiting
RandMap
BufferChm
Microsoft Works
HP Wireless Assistant 2.00 G2
Photosmart 140,240,7200,7600,7700,7900 Series
HP DVD Play 2.3
Office 2003 Trial Assistant
CP_Panorama1Config
cp_LightScribeConfig
DigitImg
CP_Package_Variety1
FullDPAppQFolder
cp_PosterPrintConfig
PSShortcuts
HP User Guides 0027
Sonic Express Labeler
Macromedia Flash Player 8
LightScribe 1.4.97.1
CP_Package_Basic1
Ad-Aware SE Personal
Sonic_PrimoSDK
DivX
cp_UpdateProjectsConfig
Easy Internet Sign-up
Macromedia Shockwave Player
PhotoGallery
Intel® Graphics Media Accelerator Driver
Microsoft Office Standard Edition 2003
CueTour
TourSetup
PS7700
HP Help and Support
DeviceManagementQFolder
Sonic Audio Module
Adobe Reader 7.0.5
CP_AtenaShokunin1Config
Sonic Copy Module
HP Memories Disc
CP_Package_Variety3
HP Update
cp_OnlineProjectsConfig
Microsoft .NET Framework 1.1
HpSdpAppCoreApp
Vongo
PSUsage
muvee autoProducer 5.0
InstantShareDevices

Finished





(fresh HJT log AFTER running SDFix:)

Logfile of HijackThis v1.99.1
Scan saved at 9:02:11 PM, on 2/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [WheresJames Startup Manager] C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: Vongo Service - Unknown owner - C:\Program Files\Vongo\VongoService.exe (file missing)

Easy enough..
Note: this is the HJT log before turning the laptop off.

Additional note:

Holy crap, I don't like the look of this wsys.dll.
This is why I generally keep any info I need secure off just about any computer anywhere.

Edited by nectarN, 27 February 2007 - 10:37 PM.


#6 miekiemoes (Malware Killer Dog, Malware Response Team)

Posted 28 February 2007 - 03:07 AM

Hello,

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders again afterwards, when we are done with this thread and your problems are solved, because the above instructions to show all files unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Delete the entire contents of this folder:

C:\Windows\Temp

Do not delete the folder itself.

Then,

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click drweb-cureit.exe, click Start and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • It is possible that a popup to buy it (or a 50% discount offer) appears in between. Just close that popup again.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found: Posted Image
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will only be moved/deleted during reboot.
  • I need that log later.
* Download ComboScan to your Desktop.
  • Close all applications and windows.
  • Double-click comboscan.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, a text file will open: ComboScan.txt.
  • A folder Comboscan will also open, which contains the Comboscan.txt and a Supplementary.txt.
  • Copy and paste the contents of ComboScan.txt in your next reply together with the log from Dr.Web CureIt. (Do not post the Supplementary.txt; only post this when asked.)
Extra Note: When running ComboScan, some firewalls may warn that sigcheck.exe is trying to access the internet; please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your antivirus flags ComboScan as suspicious. Please allow ComboScan to run and don't let your antivirus delete it. (In this case, it may be better to temporarily disable your antivirus.)

#7 nectarN (Topic Starter)

Posted 02 March 2007 - 01:55 AM

Okay, will do.

Edited by nectarN, 02 March 2007 - 02:01 AM.


#8 miekiemoes (Malware Killer Dog, Malware Response Team)

Posted 03 March 2007 - 01:12 AM

Please don't wait too long with this, because you are dealing with some very nasty malware and the longer you wait, the more malware it will download and install.

#9 nectarN (Topic Starter)

Posted 06 March 2007 - 10:27 PM

Have run those steps.

Will post back the new
logs.

#10 miekiemoes (Malware Killer Dog, Malware Response Team)

Posted 07 March 2007 - 04:16 AM

Hi,

Not sure why it takes so long. Are you doing this for someone else? Because that makes it confusing, since this is a priority. If you wait a couple of days every time to proceed with steps, there's no way we can clean this, since this malware downloads and installs more malware all the time.
We are already 2 weeks further and we haven't done anything yet. This could be a very long thread if steps aren't performed asap.

#11 nectarN (Topic Starter)

Posted 10 March 2007 - 04:31 PM

Okay, here goes.

I apologize for the delay.
(I am performing each of these steps FIRST thing each time, BTW, as soon as I'm back at the computer.)

I had been using someone else's computer to post, and did not have my laptop online. Was reluctant to check, but not only do wuauclt and a whole lot of that other junk I could now see seem gone, I checked and it IS working online again.

Also, when I saw wuauclt finally go I was so psyched to finally get at some of it effectively; I didn't have access to the
second computer :o at the time and, admittedly,
I was just tempted to be away from the problem a little while at last.

:) READY for the next now.


ComboScan v20070226.18 run by user1 on 2007-03-02 at 21:01:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Successfully created restore point.
Performed disk cleanup.


-- HijackThis (run as page.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:01:41 PM, on 3/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\user1\Desktop\comboscan.exe
C:\PROGRA~1\HIJACK~1\page.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [WheresJames Startup Manager] C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: Vongo Service - Unknown owner - C:\Program Files\Vongo\VongoService.exe (file missing)


-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

1R AFS2K - C:\WINDOWS\system32\drivers\AFS2K.SYS
4S agpCPQ (Compaq AGP Bus Filter) - C:\WINDOWS\system32\drivers\AGPCPQ.SYS
4S alim1541 (ALI AGP Bus Filter) - C:\WINDOWS\system32\drivers\ALIM1541.SYS
4S amdagp (AMD AGP Bus Filter Driver) - C:\WINDOWS\system32\drivers\AMDAGP.SYS
3S APLMp50 (APLMp50 NDIS Protocol Driver) - C:\WINDOWS\system32\drivers\APLMp50.sys
3S Arp1394 (1394 ARP Client Protocol) - C:\WINDOWS\system32\drivers\arp1394.sys
1R Avg7Core (AVG7 Kernel) - C:\WINDOWS\system32\drivers\avg7core.sys
1R Avg7RsW (AVG7 Wrap Driver) - C:\WINDOWS\system32\drivers\avg7rsw.sys
1R Avg7RsXP (AVG7 Resident Driver XP) - C:\WINDOWS\system32\drivers\avg7rsxp.sys
1R AvgClean (AVG7 Clean Driver) - C:\WINDOWS\system32\drivers\avgclean.sys
3S BCM43XX (Broadcom 802.11 Network Adapter Driver) - C:\WINDOWS\system32\drivers\BCMWL5.SYS
4S cbidf - C:\WINDOWS\system32\drivers\cbidf2k.sys
4S dac2w2k - C:\WINDOWS\system32\drivers\dac2w2k.sys
3S DetectAC2000 - C:\WINDOWS\system32\FinePointLib\DetectAC2000.sys
3R E100B (Intel® PRO Network Connection Driver) - C:\WINDOWS\system32\drivers\e100b325.sys
1R eabfiltr - C:\WINDOWS\system32\drivers\eabfiltr.sys
3S eabusb - C:\WINDOWS\system32\drivers\EabUsb.sys
3R HBtnKey - C:\WINDOWS\system32\drivers\CPQBttn.sys
3R HdAudAddService (Microsoft UAA Function Driver for High Definition Audio Service) - C:\WINDOWS\system32\drivers\CHDAud.sys
3R HDAudBus (Microsoft UAA Bus Driver for High Definition Audio) - C:\WINDOWS\system32\drivers\Hdaudbus.sys
3S HPZid412 (IEEE-1284.4 Driver HPZid412) - C:\WINDOWS\system32\drivers\hpzid412.sys
3S HPZipr12 (Print Class Driver for IEEE-1284.4 HPZipr12) - C:\WINDOWS\system32\drivers\HPZipr12.sys
3S HPZius12 (USB to IEEE-1284.4 Translation Driver HPZius12) - C:\WINDOWS\system32\drivers\HPZius12.sys
3R HSFHWAZL - C:\WINDOWS\system32\drivers\HSFHWAZL.sys
3R HSF_DPV - C:\WINDOWS\system32\drivers\HSF_DPV.sys
3R ialm - C:\WINDOWS\system32\drivers\ialmnt5.sys
0R iaStor (Intel AHCI Controller) - C:\WINDOWS\system32\drivers\iaStor.sys
1R intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
1R kbdhid (Keyboard HID Driver) - C:\WINDOWS\system32\drivers\kbdhid.sys
2R mdmxsdk - C:\WINDOWS\system32\drivers\mdmxsdk.sys
3S NIC1394 (1394 Net Driver) - C:\WINDOWS\system32\drivers\nic1394.sys
3S nm (Network Monitor Driver) - C:\WINDOWS\system32\drivers\nmnt.sys
3S NPF (NetGroup Packet Filter Driver) - C:\WINDOWS\system32\drivers\npf.sys
0R ohci1394 (Texas Instruments OHCI Compliant IEEE 1394 Host Controller) - C:\WINDOWS\system32\drivers\ohci1394.sys
0R PxHelp20 - C:\WINDOWS\system32\drivers\pxhelp20.sys
3S rtl8139 (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver) - C:\WINDOWS\system32\drivers\RTL8139.sys
3S sdbus - C:\WINDOWS\system32\drivers\sdbus.sys
4S sisagp (SIS AGP Bus Filter) - C:\WINDOWS\system32\drivers\SISAGP.SYS
3R SynTP (Synaptics TouchPad Driver) - C:\WINDOWS\system32\drivers\SynTP.sys
3S usbccgp (Microsoft USB Generic Parent Driver) - C:\WINDOWS\system32\drivers\usbccgp.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3S usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
4S viaagp (VIA AGP Bus Filter) - C:\WINDOWS\system32\drivers\VIAAGP.SYS
3R winachsf - C:\WINDOWS\system32\drivers\HSF_CNXT.sys
1R WmiAcpi (Microsoft Windows Management Interface for ACPI) - C:\WINDOWS\system32\drivers\wmiacpi.sys
1R WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment) - C:\WINDOWS\system32\drivers\ws2ifsl.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3S AddFiltr - "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe"
3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
2R Avg7Alrt (AVG7 Alert Manager Server) - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
2R Avg7UpdSvc (AVG7 Update Service) - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
2R hpqwmiex - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
3S IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
2R LightScribeService (LightScribeService Direct Disc Labeling Service) - "C:\Program Files\Common Files\LightScribe\LSSrvc.exe"
3S ose (Office Source Engine) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
3S Pml Driver HPZ12 - C:\WINDOWS\system32\HPZipm12.exe
3S rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "C:\Program Files\WinPcap\rpcapd.exe" -d -f "C:\Program Files\WinPcap\rpcapd.ini"
2R SysEnforce - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
2R UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\system32\wdfmgr.exe
2S Vongo Service - C:\Program Files\Vongo\VongoService.exe
3S WMConnectCDS (Windows Media Connect Service) - C:\Program Files\Windows Media Connect 2\wmccds.exe


-- Scheduled Tasks --------------------------------------------------------------

2007-03-02 19:06:01 318 --a------ C:\WINDOWS\Tasks\HP Usg Daily.job<HPUSGD~1.JOB>
2007-02-09 23:06:22 322 --a------ C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7700#MY3CK22038Q0.job<HPDARC~1.JOB>


-- Files created between 2007-02-02 and 2007-03-02 ------------------------------

2007-03-02 13:14:25 0 d-------- C:\Documents and Settings\user1\DoctorWeb<DOCTOR~1>
2007-02-27 20:44:58 0 d-------- C:\SDFix
2007-02-24 02:01:49 0 d-------- C:\Documents and Settings\user1\Application Data\Lavasoft
2007-02-24 02:01:24 0 d-------- C:\Program Files\Lavasoft
2007-02-24 01:58:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-02-24 01:47:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-02-24 01:27:07 159744 --a------ C:\WINDOWS\system32\hasher.dll
2007-02-24 01:27:06 0 d-------- C:\Program Files\Trisnap Technologies<TRISNA~1>
2007-02-23 22:58:53 0 d-------- C:\Program Files\HijackThis<HIJACK~1>
2007-02-23 00:41:09 0 d-------- C:\Documents and Settings\user1\Application Data\AdobeUM
2007-02-23 00:40:24 0 d-------- C:\Documents and Settings\user1\Application Data\Adobe
2007-02-22 19:47:56 18432 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-02-22 19:47:56 3968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-02-22 19:47:56 27776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-02-22 19:47:56 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-02-22 19:47:55 839936 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-02-22 19:47:51 0 d-------- C:\Program Files\Grisoft
2007-02-22 19:47:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-02-22 14:12:40 0 d-------- C:\Program Files\Verizon Online<VERIZO~1>
2007-02-22 14:12:38 0 d-------- C:\WINDOWS\system32\FinePointLib<FINEPO~1>
2007-02-21 17:39:27 0 d-------- C:\WINDOWS\VerizonOnline<VERIZO~1>
2007-02-21 17:39:18 171280 --a------ C:\WINDOWS\system32\jit.dll
2007-02-21 17:39:18 46352 --a------ C:\WINDOWS\setdebug.exe
2007-02-21 17:39:17 139536 --a------ C:\WINDOWS\system32\javaee.dll
2007-02-21 17:39:17 313856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-02-21 17:39:17 6550 --a------ C:\WINDOWS\jautoexp.dat
2007-02-21 17:39:15 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-02-21 17:39:15 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-02-21 17:39:15 171792 --a------ C:\WINDOWS\system32\wjview.exe
2007-02-21 17:39:15 286992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-02-21 17:39:15 21264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-02-21 17:39:14 945424 --a------ C:\WINDOWS\system32\msjava.dll
2007-02-21 17:39:14 154896 --a------ C:\WINDOWS\system32\msawt.dll
2007-02-21 17:39:14 172304 --a------ C:\WINDOWS\system32\jview.exe
2007-02-21 17:39:14 15120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-02-21 17:39:14 404752 --a------ C:\WINDOWS\system32\javart.dll
2007-02-21 17:39:14 63248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-02-21 17:39:14 187152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-02-21 17:39:13 49424 --a------ C:\WINDOWS\system32\clspack.exe
2007-02-21 17:38:15 49210 -----n--- C:\WINDOWS\system32\vzServices.dll<VZSERV~1.DLL>
2007-02-21 17:38:10 0 d-------- C:\Program Files\Common Files\Verizon Online<VERIZO~1>
2007-02-20 18:42:21 0 d-------- C:\Documents and Settings\user2\usernote<NOTE-T~1>
2007-02-20 10:58:53 0 d-------- C:\Documents and Settings\user3\Application Data\AVG7
2007-02-20 09:12:55 0 d-------- C:\Documents and Settings\user1\usernote<NOTE-P~1>
2007-02-18 02:41:42 209956 --a------ C:\LSPRegBackup_18022007_024139.REG<LSPREG~1.REG>
2007-02-17 15:41:55 0 d-------- C:\Documents and Settings\user5\Application Data\Real
2007-02-17 15:36:51 0 d-------- C:\Documents and Settings\user5\Application Data\Prevx
2007-02-17 15:36:39 0 d-------- C:\Documents and Settings\user5\Application Data\AVG7
2007-02-17 15:35:12 0 d-------- C:\Documents and Settings\user1\Application Data\Prevx
2007-02-17 15:34:59 0 d-------- C:\Documents and Settings\user1\Application Data\AVG7
2007-02-17 15:24:05 0 d-------- C:\Documents and Settings\user4\Application Data\AVG7
2007-02-17 15:24:03 0 d-------- C:\Documents and Settings\user4\Application Data\Prevx
2007-02-14 12:18:19 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-02-14 12:10:23 0 d-------- C:\WINDOWS\Internet Logs<INTERN~1>
2007-02-14 06:00:32 0 d-------- C:\Documents and Settings\user6\Application Data\AVG7
2007-02-14 05:23:29 0 d-------- C:\WINDOWS\Sun
2007-02-14 05:23:29 0 d-------- C:\Documents and Settings\user2\Application Data\Sun
2007-02-14 05:21:59 0 dr-h----- C:\$VAULT$.AVG
2007-02-14 05:21:44 0 -rahs---- C:\MSDOS.SYS
2007-02-14 05:21:44 0 -rahs---- C:\IO.SYS
2007-02-14 04:20:21 0 d-------- C:\Documents and Settings\user2\Application Data\AVG7
2007-02-14 04:20:03 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-02-14 04:19:59 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-02-14 01:32:06 0 d-------- C:\Documents and Settings\user4\usernote<NOTE-P~1>
2007-02-11 06:15:38 0 d-------- C:\Documents and Settings\user1\Application Data\Google
2007-02-11 06:13:28 0 d-------- C:\Documents and Settings\user3\Application Data\Google
2007-02-10 07:27:58 0 d-------- C:\Documents and Settings\user4\Application Data\Google
2007-02-10 02:40:35 0 d-------- C:\Program Files\WinPcap
2007-02-10 02:39:21 737280 --a------ C:\WINDOWS\iun6002.exe
2007-02-10 02:38:24 0 d-------- C:\Program Files\Replay AV 8<REPLAY~1>
2007-02-10 02:17:37 0 --a------ C:\WINDOWS\nsreg.dat
2007-02-10 02:17:26 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-02-10 02:00:43 0 d-------- C:\Documents and Settings\user2\Application Data\Google
2007-02-10 02:00:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-02-09 23:05:44 57344 -ra------ C:\WINDOWS\system32\HPZisn12.dll
2007-02-09 23:05:44 94208 -ra------ C:\WINDOWS\system32\HPZipt12.dll
2007-02-09 23:05:44 65795 -ra------ C:\WINDOWS\system32\HPZipm12.exe
2007-02-09 23:05:44 61699 -ra------ C:\WINDOWS\system32\HPZinw12.exe
2007-02-09 23:05:43 196608 -ra------ C:\WINDOWS\system32\HPZipr12.dll
2007-02-09 23:05:43 266296 -ra------ C:\WINDOWS\system32\HPZidr12.dll
2007-02-09 23:05:43 16496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-02-09 23:05:34 51056 -ra------ C:\WINDOWS\system32\drivers\hpzid412.sys
2007-02-09 23:05:11 262144 -ra------ C:\WINDOWS\system32\HPZc3212.dll
2007-02-09 23:05:11 25856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-02-09 23:05:11 21488 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2007-02-09 23:05:08 31616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-02-09 22:49:47 483328 -ra------ C:\WINDOWS\system32\hphmon05.exe
2007-02-09 22:49:38 6371 -ra------ C:\WINDOWS\system32\hphmon05.dat
2007-02-09 21:36:32 0 d-------- C:\WINDOWS\system32\NtmsData
2007-02-09 21:26:37 344064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2007-02-09 21:26:37 487424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2007-02-09 21:26:37 626960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2007-02-09 21:26:18 82380 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-02-09 21:15:05 4284 -----n--- C:\WINDOWS\hphmdl01.dat
2007-02-09 21:15:05 18270 --a------ C:\WINDOWS\HPHins01.dat
2007-02-09 20:49:01 0 d-------- C:\Documents and Settings\user2\usernote<JUSTAN~1>
2007-02-09 19:05:47 0 d-------- C:\Program Files\WheresJames<WHERES~1>
2007-02-09 14:32:03 0 d-------- C:\Documents and Settings\user6\Application Data\Help
2007-02-09 14:24:26 0 d-------- C:\Documents and Settings\user6\Security Task Manager<SECURI~1>
2007-02-09 03:54:55 0 d-------- C:\Documents and Settings\user2\Application Data\Help
2007-02-09 03:50:12 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan<SECTAS~1>
2007-02-09 03:50:05 0 d-------- C:\Program Files\Security Task Manager<SECURI~1>
2007-02-09 01:24:03 0 d-------- C:\Documents and Settings\user3\Application Data\Template
2007-02-09 01:24:02 292 --a------ C:\Documents and Settings\user3\Application Data\wklnhst.dat
2007-02-09 01:01:10 0 d-------- C:\Documents and Settings\user2\Application Data\Adobe
2007-02-09 00:50:07 0 d-------- C:\Documents and Settings\user3\Application Data\Adobe
2007-02-07 05:41:53 0 d-------- C:\spoolerlogs<SPOOLE~1>
2007-02-07 04:37:34 0 d---s---- C:\Documents and Settings\user2\UserData
2007-02-07 01:33:55 0 d-------- C:\Documents and Settings\user4\Application Data\Real
2007-02-04 13:18:05 0 d-------- C:\Documents and Settings\user6\Application Data\Real
2007-02-04 07:23:04 0 d-------- C:\Documents and Settings\user2\Application Data\Real
2007-02-04 07:21:39 0 d-------- C:\Documents and Settings\user3\Application Data\Real


-- Find3M Report ----------------------------------------------------------------

2007-03-02 20:59:11 7818 --a------ C:\Documents and Settings\user1\Application Data\wklnhst.dat
2007-02-25 05:08:32 0 d-------- C:\Program Files\HP Games<HPGAME~1>
2007-02-25 05:08:29 0 d-------- C:\Program Files\WildTangent<WILDTA~1>
2007-02-22 23:38:04 0 d---s---- C:\Documents and Settings\user1\Application Data\Microsoft<MICROS~1>
2007-02-19 23:47:54 0 d-------- C:\Program Files\Google
2007-02-14 06:51:58 504320 --a------ C:\WINDOWS\system32\winlogon.exe
2007-02-09 22:51:09 0 d-------- C:\Program Files\HP
2007-02-09 02:15:41 0 d-------- C:\Program Files\Yahoo!
2007-01-28 03:24:50 0 d-------- C:\Documents and Settings\user1\Application Data\Real
2007-01-28 03:19:32 0 d-------- C:\Program Files\Common Files\xing shared<XINGSH~1>
2007-01-28 03:19:31 0 d-------- C:\Program Files\Common Files\Real
2007-01-28 03:19:24 0 d-------- C:\Program Files\Real
2007-01-27 22:57:57 0 d-------- C:\Documents and Settings\user1\Application Data\Help
2007-01-23 23:06:24 0 d-------- C:\Documents and Settings\user1\Application Data\Template
2007-01-23 23:05:14 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-01-18 14:30:28 0 d-------- C:\Documents and Settings\user1\Application Data\Macromedia<MACROM~1>


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"WheresJames Startup Manager"="C:\\Program Files\\WheresJames\\StartupMgr\\StartupMgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{8A5849C4-93F3-429D-FF34-660A2068897C}"="OpenGL additional"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"System Registry Hook"="{309C96FA-8C40-4bce-879C-989DC33DCD25}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


-- End of ComboScan: finished at 2007-03-02 at 21:02:01 -------------------------






~tmp0374.exe;C:\Documents and Settings\user2;Trojan.DownLoader.18475;Deleted.;
A0000002.old;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP2;Trojan.DownLoader.18510;Deleted.;
A0000018.old;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP4;Trojan.DownLoader.18510;Deleted.;
A0000045.old;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP5;Trojan.DownLoader.18510;Deleted.;
A0000064.old;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP6;Trojan.DownLoader.18510;Deleted.;
A0001112.old;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP8;Trojan.DownLoader.18510;Deleted.;
A0001129.old;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP9;Trojan.DownLoader.18510;Deleted.;
A0001146.old;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP10;Trojan.DownLoader.18510;Deleted.;
A0001154.old;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP11;Trojan.DownLoader.18510;Deleted.;
A0001170.old;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP12;Trojan.DownLoader.18510;Deleted.;
A0001800.old;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP13;Trojan.DownLoader.18510;Deleted.;
A0001818.old;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP14;Trojan.DownLoader.18510;Deleted.;
A0001844.exe;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP14;Trojan.DownLoader.4995;Deleted.;
A0001845.dll;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP14;Trojan.EmailSpy;Deleted.;
A0001846.sys;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP14;Trojan.Spambot;Deleted.;
A0001872.old;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP15;Trojan.DownLoader.18510;Deleted.;
A0001882.old;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP16;Trojan.DownLoader.18510;Deleted.;
A0001889.old;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP17;Trojan.DownLoader.18510;Deleted.;
A0001913.old;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP18;Trojan.DownLoader.18510;Deleted.;
A0001948.old;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP19;Trojan.DownLoader.18510;Deleted.;
A0001974.exe;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP19;Trojan.DownLoader.18475;Deleted.;
A0001976.sys;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP19;Trojan.NtRootKit.206;Deleted.;
A0001977.dll;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP19;Trojan.Spambot;Deleted.;
A0001978.exe;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP19;Trojan.DownLoader.18510;Deleted.;
A0001979.exe;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP19;Trojan.DownLoader.18474;Deleted.;
A0001980.exe;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP19;Trojan.DownLoader.18510;Deleted.;
A0001982.exe;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP19;Trojan.DownLoader.18510;Deleted.;
cel90xbe.sys;C:\WINDOWS\temp;Trojan.NtRootKit.206;Will be cured after reboot.;
Dc13.exe;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.DownLoader.18510;Deleted.;
Dc21.exe;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.DownLoader.18510;Deleted.;
Dc240.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc241.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc242.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc29.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1010;Trojan.NtRootKit.206;Deleted.;
Dc31.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc32.dll;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1010;Trojan.Spambot;Deleted.;
Dc32.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc33.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc34.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc35.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc36.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc37.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc38.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc39.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc40.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc41.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc42.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc43.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc44.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc45.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc46.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc47.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc48.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc49.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc50.exe;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1010;Trojan.DownLoader.18510;Deleted.;
Dc50.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc51.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc52.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc53.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc54.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc55.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Dc7.exe;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1010;Trojan.DownLoader.18474;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
services.exe.q_5701600_q;C:\Documents and Settings\All Users\Application Data\SecTaskMan;Trojan.DownLoader.18510;Deleted.;
wsys.dll;C:\WINDOWS\system32;Trojan.MulDrop.5450;Will be cured after reboot.;
wuauclt.exe.q_5701600_q;C:\Documents and Settings\All Users\Application Data\SecTaskMan;Trojan.DownLoader.18510;Deleted.;
wuauclt.exe.q_5701600_q.old;C:\Documents and Settings\All Users\Application Data\SecTaskMan;Trojan.DownLoader.18510;Deleted.;
zvZoCrypt.dll.q_8042710_q;C:\Documents and Settings\All Users\Application Data\SecTaskMan;Trojan.DownLoader.18476;Deleted.;



Computer working fine now in all discernible respects. Anything lingering or to check?

Edited by nectarN, 10 March 2007 - 04:39 PM.
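The detection list above is a Dr.Web CureIt! report in its semicolon-separated form (file;directory;verdict;action;). The script below is an added example, not part of the original post or of Dr.Web's tooling: it parses that format, buckets each hit by where it was found (restore points and the per-user RECYCLER bins hold dead copies, C:\WINDOWS\temp and system32 are the live system) and lists the entries still marked "Will be cured after reboot", which are the ones to re-check after restarting. The $Sample here-string is a subset of lines copied from the posted report so the script runs offline; $ReportPath, Get-LocationClass and Read-DrWebReport are names chosen for this example. Assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): triage a Dr.Web CureIt! report.
# Each report line is   file;directory;verdict;action;
# $Sample is a subset of lines copied from the posted report; replace with
# Get-Content $ReportPath to run against a real report file.
$Sample = @'
~tmp0374.exe;C:\Documents and Settings\user2;Trojan.DownLoader.18475;Deleted.;
A0001976.sys;C:\System Volume Information\_restore{1368902D-6A36-4B35-812D-DDC763090AC0}\RP19;Trojan.NtRootKit.206;Deleted.;
cel90xbe.sys;C:\WINDOWS\temp;Trojan.NtRootKit.206;Will be cured after reboot.;
Dc240.sys;C:\RECYCLER\S-1-5-21-2038532784-927657075-1614036323-1012;Trojan.NtRootKit.206;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
wsys.dll;C:\WINDOWS\system32;Trojan.MulDrop.5450;Will be cured after reboot.;
wuauclt.exe.q_5701600_q;C:\Documents and Settings\All Users\Application Data\SecTaskMan;Trojan.DownLoader.18510;Deleted.;
'@

function Get-LocationClass {
    # Classify the directory so live-system hits are not buried under
    # dozens of restore-point and recycle-bin copies of the same droppers.
    param([string]$Dir)
    switch -Regex ($Dir) {
        '\\System Volume Information\\_restore' { return 'RestorePoint' }    # old copies, not active
        '^[A-Z]:\\RECYCLER\\S-1-5-'            { return 'RecycleBin' }      # per-user bin, Dc<N> names
        '\\SecTaskMan$'                         { return 'ToolQuarantine' }  # Security Task Manager quarantine
        '^[A-Z]:\\WINDOWS(\\|$)'                { return 'SystemDir' }       # live Windows tree
        default                                 { return 'UserOrOther' }
    }
}

function Read-DrWebReport {
    # Turn report lines into objects; skips anything that is not a report row.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch ';') { continue }
        $f = $line.TrimEnd(';').Split(';')
        if ($f.Count -lt 4) { continue }
        [pscustomobject]@{
            File      = $f[0]
            Directory = $f[1]
            Verdict   = $f[2]
            Action    = $f[3]
            Location  = Get-LocationClass $f[1]
            Pending   = $f[3] -like 'Will be cured*'   # still on disk until reboot
        }
    }
}

$items = Read-DrWebReport ($Sample -split "`r?`n")
# $items = Read-DrWebReport (Get-Content $ReportPath)

"`n== Detections by verdict and location =="
$items | Group-Object Verdict, Location | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"`n== Still pending (re-check these paths after reboot; re-scan if they remain) =="
$items | Where-Object Pending | ForEach-Object { Join-Path $_.Directory $_.File }
```

On the posted report this separates the two live items (cel90xbe.sys in C:\WINDOWS\temp and wsys.dll in system32, both rootkit-class and both only "cured after reboot") from the long tail of Dc<N>.sys copies in the RECYCLER bins, which are the same driver re-dropped each time it was deleted.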


#12 nectarN (Topic Starter)

Posted 10 March 2007 - 04:35 PM

I had really begun to hate Windows there for hiding all that crap so well.
It's left me on the verge of regarding Windows itself as a mild form of malware.

READY for the next now.

#13 miekiemoes (Malware Response Team)

Posted 10 March 2007 - 04:53 PM

Hi,

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{8A5849C4-93F3-429D-FF34-660A2068897C}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"System Registry Hook"=-

Save this as fix.reg Choose to save as *all files and place it on your desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Make sure everything is deleted from the C:\Windows\temp folder.

Then, download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
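The fix.reg above deletes two Explorer load points that the ComboScan registry dump showed: a SharedTaskScheduler CLSID labelled "OpenGL additional" and a ShellExecuteHooks value named "System Registry Hook". Both keys make Explorer load a COM object (a DLL) at logon, so the useful check before deleting is which DLL each CLSID actually points to. The script below is an added example, not part of the original post: it enumerates both keys, resolves each CLSID through its InprocServer32 registration, reports whether the DLL exists, where it lives and whether it carries a valid Authenticode signature, and then removes the flagged values with the same effect as the "Name"=- lines in the .reg file. Resolve-Clsid, Get-ExplorerHookReport and Remove-ExplorerHook are names chosen for this example; the "suspicious" heuristic (missing, unsigned, or outside the Windows and Program Files trees) is an assumption for illustration. Assumes an elevated PowerShell 3.0 or later session.

```powershell
# Added example (not from the original post): audit the two Explorer load points
# edited by the posted fix.reg, resolve each CLSID to the DLL it loads, and show
# why an entry is suspicious before removing it. Run elevated.
$LoadPoints = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)

function Resolve-Clsid {
    # Map a {GUID} to the DLL registered as its in-process server, if any.
    param([string]$Clsid)
    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $hive "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $path = (Get-ItemProperty -Path $key).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path) }
        }
    }
    return $null
}

function Get-ExplorerHookReport {
    foreach ($kp in $LoadPoints) {
        if (-not (Test-Path $kp)) { continue }
        $props = Get-ItemProperty -Path $kp
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            # Normally the value NAME is the CLSID (data is a label or empty).
            # The posted hook inverts that: name "System Registry Hook", data = CLSID.
            $clsid  = if ($p.Name -match '^\{[0-9A-Fa-f-]{36}\}$') { $p.Name } else { [string]$p.Value }
            $dll    = Resolve-Clsid $clsid
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
            $inTrustedTree = $dll -like "$env:SystemRoot\*" -or $dll -like "$env:ProgramFiles\*"
            [pscustomobject]@{
                Key        = Split-Path $kp -Leaf
                ValueName  = $p.Name
                Clsid      = $clsid
                Dll        = $dll
                Exists     = $exists
                Signature  = $sig
                # Heuristic for this example: missing, unsigned, or outside system trees.
                Suspicious = (-not $exists) -or ($sig -ne 'Valid') -or (-not $inTrustedTree)
            }
        }
    }
}

function Remove-ExplorerHook {
    # Same effect as a REGEDIT4 line  "Name"=-  : delete the value, keep the key.
    param([string]$Key, [string]$ValueName)
    $kp = $LoadPoints | Where-Object { $_ -like "*\$Key" }
    Remove-ItemProperty -Path $kp -Name $ValueName -Confirm
}

$report = Get-ExplorerHookReport
$report | Format-Table -AutoSize
$report | Where-Object Suspicious |
    ForEach-Object { Remove-ExplorerHook -Key $_.Key -ValueName $_.ValueName }
```

Because the DLL is loaded into Explorer.exe, deleting the registry value alone leaves the file in place until the next logon; note the Dll path from the report and remove or quarantine the file after the reboot, which is also why the post asks for C:\Windows\temp to be emptied before running ComboFix.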

#14 nectarN (Topic Starter)

Posted 10 March 2007 - 07:45 PM

Ooh, these are registry-key repairs?

Thanks.

Here's the new:

"user1" - 07-03-10 19:02:52 Service Pack 2
ComboFix 07-03-09.3 - Running from: "C:\Documents and Settings\user1\Desktop"



And new:

Logfile of HijackThis v1.99.1
Scan saved at 19:18, on 07-03-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [WheresJames Startup Manager] C:\Program Files\WheresJames\StartupMgr\StartupMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: Vongo Service - Unknown owner - C:\Program Files\Vongo\VongoService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



:huh: :huh: :flowers: :huh: :huh:
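A HijackThis log like the one above is read by eye in this thread, but the same triage can be scripted. The following Python script is an added example, not something posted by nectarN, the helper, or the HijackThis project; it parses the `Rn`/`On` entry lines of the log, splits `O23` service entries into name, vendor and path and `O4` Run entries into value name and command, and flags three things a helper looks for first: entries whose target is `(file missing)` (stale, safe to clean up), services listed with `Unknown owner` (no vendor string, publisher should be verified), and autostart targets living under a temp or per-user profile directory (the thread's original wuauclt.exe-in-Temp question). The sample log embeds five lines copied from the log above plus one constructed `O4` line for the Temp case; the regexes and the `Finding` type are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample entries: the first five lines are copied from the HijackThis log
# posted above; the last O4 line is CONSTRUCTED to mirror the thread's
# original worry about a wuauclt.exe sitting in a Temp folder.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: Vongo Service - Unknown owner - C:\Program Files\Vongo\VongoService.exe (file missing)
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\user1\Local Settings\Temp\wuauclt.exe
"""

# Every HijackThis entry line starts with a section code such as R1, O4, O23.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# O23 body: "Service: <name> - <owner> - <path>"
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O4 body: "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Autostart targets under a temp or per-user profile directory deserve a closer look.
SUSPECT_DIR_RE = re.compile(r"\\(temp|local settings|application data|appdata)\\", re.IGNORECASE)
MISSING = "(file missing)"


@dataclass
class Finding:
    code: str                 # HijackThis section code, e.g. O4 or O23
    name: str                 # service name or Run value name
    path: str                 # target as listed in the log
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (code, body) for an entry line, or None for headers and process lists."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def split_entry(code: str, body: str) -> Tuple[str, Optional[str], str]:
    """Break an entry body into (name, owner, path); owner is only known for O23."""
    if code == "O23":
        m = SERVICE_RE.match(body)
        if m:
            return m.group("name"), m.group("owner"), m.group("path")
    elif code == "O4":
        m = RUN_RE.match(body)
        if m:
            return m.group("name"), None, m.group("cmd")
    # Generic fallback: label before the first " - ", path after the last one.
    return body.split(" - ")[0], None, body.rsplit(" - ", 1)[-1]


def triage(log_text: str) -> List[Finding]:
    """Return the entries a helper would ask about first, with the reason for each."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        code, body = parsed
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)].rstrip()
        name, owner, path = split_entry(code, body)
        reasons = []
        if missing:
            reasons.append("target file missing: stale entry, safe to clean up")
        if owner == "Unknown owner":
            reasons.append("service has no vendor string: verify the binary's publisher")
        if SUSPECT_DIR_RE.search(path):
            reasons.append("autostart target lives in a temp/profile directory")
        if reasons:
            findings.append(Finding(code, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code} {f.name!r} -> {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample above this reports the dangling Yahoo! Toolbar hook, the two `Unknown owner` services (Vongo also as file-missing) and the constructed Temp-folder Run entry, and stays quiet about the AVG entries. A flag is a prompt to check the file's publisher and location, not a verdict; the signed HP, Grisoft and Zone Labs entries in the real log are exactly the kind of thing that would be flagged if their vendor string were absent.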

#15 nectarN (Topic Starter, Members, 24 posts)

Posted 10 March 2007 - 08:58 PM

(did steps

notepad
fix.reg
temp clear
combofix)
forgot to mention
:thumbsup:



