Adware, Spyware, Mostly Chinese Origin, Refuses To Be Deleted


17 replies to this topic

#1 wcbc

  • Members
  • 9 posts

Posted 27 February 2007 - 11:03 AM

Hi, I've been infected by some Chinese adware and trojans (mostly Chinese, I think). I ran Ad-Aware, Spybot, and Trend Micro's anti-virus, and I also researched all lines on my HijackThis log and fixed all baddies. But many of them continue to come back when I reboot the computer.

Also, there's an adware folder called gentad in my C:\ folder and I couldn't remove it. Every time I try to delete it, it says gentad.dll, which is one of the items in this gentad folder, is in use and cannot be removed.

One problem I've been experiencing is that I CAN'T BOOT INTO SAFE MODE. I would hit F8 and select Safe Mode, but the computer would then boot up in normal mode no matter which Safe Mode choice I select.

I have IE windows pop up every so often and I get IE pages on my desktop too. Now I'm afraid to even use my computer. I also don't have an XP recovery CD; is there any way to clean my system without doing a complete reinstall?

Anyway, below is my HijackThis log.
Thanks very much for your help!


Logfile of HijackThis v1.99.1
Scan saved at 7:52:39 AM, on 2/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE
C:\Windows\eHome\ehRecvr.exe
C:\Windows\eHome\ehSched.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\nvsvc32.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Windows\ehome\mcrdsvc.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\ALCWZRD.EXE
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Windows\System32\alg.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Windows\system32\hpoipm07.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\regsvr32.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
c:\windows\system32\wbem\lsass.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\ntvdm.exe
C:\Documents and Settings\User\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: TeachingHandler - {31EBA2E2-58B2-4980-9C41-F12F5F1422C5} - C:\Program Files\Common Files\Collegesoft\Share Components\TPHANDLE.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Advance Helper - {8E25AC4A-B129-451B-BEE2-3B510BB751DA} - C:\Windows\system32\NTDLL32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IE Browser Helper - {D0903A3B-F0EA-434a-9742-98C5335C7946} - C:\Windows\system32\IEHelper.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Desktop] "C:\Windows\system32\internet.exe"
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
O4 - HKLM\..\Run: [sysExp] C:\WINDOWS\system32\SysExp.exe
O4 - HKLM\..\Run: [Internet] "C:\Windows\system32\internet.exe"
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2005121819596_mcinfo.exe /insfin
O4 - HKLM\..\Run: [IEBarUp] RunDll32 "C:\WINDOWS\system32\NTUP1.dll",Run
O4 - HKLM\..\Run: [C:\WINDOWS\system32\drivers\ttp.exe] C:\WINDOWS\system32\drivers\ttp.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_0
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = %SystemRoot%\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - AppInit_DLLs: C:\Windows\system32\NTDLL32.dll
O23 - Service: 1466EAB0 - Unknown owner - C:\Windows\system32\1466EAB0.EXE (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Internet Connection Manager - Unknown owner - C:\Windows\system32\internet.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe


#2 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 February 2007 - 05:31 AM

Hi wcbc, :flowers:

We're studying your log and will be back to you a.s.a.p.

Thanks for your patience. :thumbsup:

#3 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 01 March 2007 - 06:20 AM

Hi wcbc, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

1. Sorry to have bad news for you, but your log shows a very dangerous trojan is present on your computer: Troj/PWS-CS, which is a backdoor and password-stealing Trojan for the Windows platform!

This worm also has backdoor functionalities. It processes commands on the local machine, giving remote users virtual control over the infected system.
It is possible that the remote attacker has added multiple backdoors and/or accounts or even rooted the computer.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified, there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Visit the following sites for more information on internet theft and when to reformat!

If you have any questions before you come to a final decision, please feel free to ask.

Should you choose not to reformat, please follow my instructions below!

2. Are you using a firewall? I see nothing in your log that would indicate that you have one installed and active.

If not, I urge you to install one, since it's your first defense against malware. There are several good free programmes available, like:

Sygate
Kerio
Zone alarm

For a tutorial on Firewalls click: Understanding and Using Firewalls!

3. Run HijackThis, click the Config... button, then go to the Misc Tools section and click Open Uninstall Manager. You'll see a list of programs; click on Save List...

The file "uninstall_list.txt" will be created. Copy and paste the contents of this file to your next reply.

4. You have this process running on your computer: C:\Windows\system32\conime.exe

As you can see here conime.exe may be legitimate and it may not.

Please have it scanned at VirusTotal and post back the results in here.

Note: Please print these instructions, since I will ask you to reboot into Safe Mode later. You explained you couldn't do that, but let's see what happens. Please follow my instructions in order to reboot into Safe Mode.
If you don't succeed in getting into Safe Mode when instructed, continue in normal mode, but let me know how step 12 went.

5. Please disable Ad-Watch, as it may hinder the removal of some HijackThis entries. You can re-enable it after your computer is clean; I will let you know.
  • Right click on the Ad-Watch icon in the system tray and select "Restore Ad-Watch".
  • At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
    • Active: Switches Monitoring On or Off without closing
    • Automatic: Switches Automatic Blocking On or Off
  • Uncheck (red X) both items.
6. Download ATF Cleaner by Atribune. Do not run it yet.

7. Download, install, and update AVG Anti-Spyware 7.5

1. Save the installer to desktop
2. Double click the installer, select your language, and then select OK
3. Click NEXT>>Do or don't read the "User License Agreement"
Select I Agree>>>NEXT>>>INSTALL
4. AVG will now install and afterwards click FINISH
5. AVG Anti-Spyware 7.5 should now Load
6. Click the Update tab at the top. Under Manual Update click Start update.
7. After the update finishes, the status bar at the bottom will display "Update successful".
8. Close AVG Anti-Spyware 7.5. Do not run it yet.

8. Run HijackThis, click Scan and checkmark the following entries:

O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: Advance Helper - {8E25AC4A-B129-451B-BEE2-3B510BB751DA} - C:\Windows\system32\NTDLL32.dll
O2 - BHO: IE Browser Helper - {D0903A3B-F0EA-434a-9742-98C5335C7946} - C:\Windows\system32\IEHelper.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Desktop] "C:\Windows\system32\internet.exe"
O4 - HKLM\..\Run: [sysExp] C:\WINDOWS\system32\SysExp.exe
O4 - HKLM\..\Run: [Internet] "C:\Windows\system32\internet.exe"
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2005121819596_mcinfo.exe /insfin
O4 - HKLM\..\Run: [IEBarUp] RunDll32 "C:\WINDOWS\system32\NTUP1.dll",Run
O4 - HKLM\..\Run: [C:\WINDOWS\system32\drivers\ttp.exe] C:\WINDOWS\system32\drivers\ttp.exe
O20 - AppInit_DLLs: C:\Windows\system32\NTDLL32.dll
O23 - Service: 1466EAB0 - Unknown owner - C:\Windows\system32\1466EAB0.EXE (file missing)
O23 - Service: Internet Connection Manager - Unknown owner - C:\Windows\system32\internet.exe


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

Note: You may receive an error message from HijackThis relating to the O20 entry: ignore it and click Okay to continue.

9. Bring the computer to a command prompt:

Go to Start->Run, type CMD and click Ok.

Alternatively, press Ctrl+Alt+Delete to bring up the Task Manager. While holding down the Ctrl key, click on New Task. Once the MS-DOS window comes up, minimize the Task Manager.
At the prompt type the following and press Enter after each line:

SC Stop 1466EAB0
SC Delete 1466EAB0
SC Stop "Internet Connection Manager"
SC Delete "Internet Connection Manager"
Exit

10. Make sure you can view all files. Click Start >My Computer > Tools > Folder Options >View. Check "Show hidden files and folders", uncheck "Hide protected operating system files" and "Hide extensions for known file types". Click "Apply to all folders" >Apply then OK.

11. Reboot into Safe Mode:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
12. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the following folder in bold if it exists:

C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools

... and the following files in bold if they exist:

C:\Windows\system32\NTDLL32.dll
C:\Windows\system32\IEHelper.dll
C:\Windows\system32\ALCMTR.EXE
C:\Windows\system32\internet.exe
C:\WINDOWS\system32\SysExp.exe
C:\WINDOWS\system32\NTUP1.dll
C:\WINDOWS\system32\drivers\ttp.exe
C:\Windows\system32\1466EAB0.EXE
C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE

Let me know if you had problems with this step.

13. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

14. Then run AVG Anti-Spyware 7.5 and click on the Scanner tab at the top
  • Click the "Settings" tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected and uncheck "Only if Threats are found"
  • Click back to the "Scan" tab and then click on Complete System Scan.
    This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware 7.5 will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware 7.5 will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
15. Reboot to go back into Normal Mode.

16. You're using an outdated version of Java (the latest one is Java Runtime Environment (JRE) 6.0). Older versions have vulnerabilities that malware can use to infect your system. Please update and remove the older versions. Do the following:
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previously installed versions of Java (J2SE Runtime Environment...).
    Select it and click Remove.
  • Then download and install the newest version from here:

    Java Runtime Environment (JRE) 6.0

Please post the AVG report together with the VirusTotal report, the uninstall_list.txt and a fresh HijackThis log for review!
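The entries Falu picks out above follow a handful of recognisable patterns: an AppInit_DLLs value (O20), services with no publisher or a missing binary (O23), Run values launched from a Temp folder or named after their own path (O4), a BHO whose file name imitates a system DLL (O2), and one file registered under several persistence points at once (NTDLL32.dll under O2 and O20, internet.exe under O4 and O23). As an added example, not code from this thread or from HijackThis, the Python script below parses the "Onn - ..." entry format and applies those same checks mechanically. The sample log is a constructed excerpt modelled on the entries in this thread, and the heuristics and the lookalike-DLL list are my own assumptions, not HijackThis rules.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a short excerpt in the HijackThis v1.99.1 entry format,
# modelled on the entries discussed in this thread (not a real captured log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Advance Helper - {8E25AC4A-B129-451B-BEE2-3B510BB751DA} - C:\Windows\system32\NTDLL32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Desktop] "C:\Windows\system32\internet.exe"
O4 - HKLM\..\Run: [Internet] "C:\Windows\system32\internet.exe"
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2005121819596_mcinfo.exe /insfin
O4 - HKLM\..\Run: [C:\WINDOWS\system32\drivers\ttp.exe] C:\WINDOWS\system32\drivers\ttp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O20 - AppInit_DLLs: C:\Windows\system32\NTDLL32.dll
O23 - Service: 1466EAB0 - Unknown owner - C:\Windows\system32\1466EAB0.EXE (file missing)
O23 - Service: Internet Connection Manager - Unknown owner - C:\Windows\system32\internet.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A Windows path ending in a binary extension; non-greedy so trailing
# arguments such as ",NvStartup" or " (file missing)" are not swallowed.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\n]*?\.(?:exe|dll|cab|scr)", re.IGNORECASE)
# Hypothetical list of system-DLL name stems that malware often imitates.
LOOKALIKE_STEMS = ("ntdll", "kernel32", "user32", "svchost")


@dataclass
class Entry:
    section: str   # "O2", "O4", "O20", ...
    text: str      # the line after "Onn - "
    paths: list    # lower-cased file paths referenced on the line


def parse(log_text):
    """Keep only the 'Onn - ...' entries; the header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            section, body = m.groups()
            paths = sorted({p.lower() for p in PATH_RE.findall(body)})
            entries.append(Entry(section, body, paths))
    return entries


def flag_entry(e):
    """Return the reasons (possibly none) this single entry deserves a closer look."""
    reasons = []
    low = e.text.lower()
    if e.section == "O20":
        # AppInit_DLLs is loaded into every process that maps user32.dll, which
        # is also why such a DLL shows as "in use" and cannot be deleted live.
        reasons.append("AppInit_DLLs entry: DLL is injected into every GUI process")
    if e.section == "O23":
        if "unknown owner" in low:
            reasons.append("service binary carries no publisher information")
        if "(file missing)" in low:
            reasons.append("service points at a binary that no longer exists")
    if e.section == "O4":
        if any("\\temp\\" in p for p in e.paths):
            reasons.append("autorun launched from a Temp directory")
        name = re.search(r"\[(.+?)\]", e.text)
        if name and PATH_RE.fullmatch(name.group(1)):
            reasons.append("Run value is named after its own full path")
    if e.section == "O2":
        for p in e.paths:
            stem = p.rsplit("\\", 1)[-1].split(".")[0]
            if any(stem.startswith(s) and stem != s for s in LOOKALIKE_STEMS):
                reasons.append(f"BHO file name '{stem}' imitates a Windows system DLL")
    # O10 lines are deliberately not flagged: one line per LSP protocol-chain
    # entry is normal, and HijackThis itself should not be used to fix them.
    return reasons


def cross_references(entries):
    """Map each file referenced from more than one section type to those sections."""
    by_path = defaultdict(set)
    for e in entries:
        for p in e.paths:
            by_path[p].add(e.section)
    return {p: sorted(s) for p, s in by_path.items() if len(s) > 1}


def triage(log_text):
    entries = parse(log_text)
    findings = {f"{e.section} - {e.text}": r for e in entries if (r := flag_entry(e))}
    return findings, cross_references(entries)


if __name__ == "__main__":
    findings, xref = triage(SAMPLE_LOG)
    for line, reasons in findings.items():
        print(line)
        for r in reasons:
            print("    ->", r)
    for path, sections in xref.items():
        print(f"{path} is registered under {', '.join(sections)}")
```

Run against the sample, the script flags the same six lines Falu asked to be fixed and reports that NTDLL32.dll is registered under both O2 and O20 and internet.exe under both O4 and O23; the Adobe, NVIDIA and Trend Micro lines pass through untouched. A hit from a heuristic like this is a prompt to check the file (for instance at VirusTotal, as step 4 does), not proof of infection.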

#4 wcbc
  • Topic Starter

  • Members
  • 9 posts

Posted 01 March 2007 - 05:15 PM

hi Falu:
Thanks so much for the quick and very detailed response. :thumbsup: I had lots of programs and files installed on the computer, which is the main reason I've been hesitant to reformat the drive. But I didn't know that this particular Trojan is so dangerous. I do all my banking and tax forms online, so I'll definitely investigate all options for reformatting. But it might take a little time for me to get the boot disk, so I'll follow all your instructions and clean up the computer as much as I can in the meantime, notify all my financial institutions and limit my online presence as much as possible.

I have a couple of questions though, and I'd really appreciate it if you could answer them for me.

REFORMAT THE DRIVE:

1. I bought this Gateway computer from an online reseller about 2 years ago, and the computer arrived without any disk at all: no reboot disk, recovery disk, XP CD, nada. And both Gateway and the online reseller have terrible customer service (NO Gateways or that online reseller for me ever again), so I don't have any faith in obtaining my boot CD from them. I've read online that you can create a boot CD from your i386 folder. Now my currently infected computer has Windows XP Media Center Edition. If I create a boot CD from the i386 folder in this computer, my boot CD is no good because the computer is already infected, right?

But if I create my boot cd from my Dell computer at work, which has XP professional installed and is a clean computer, would it work on my Gateway? I don't care for the Media Center edition and have no use for it whatsoever, but I don't know if this approach will work.

If this approach will work, is what this article outlined the correct approach to create the boot disk for reformatting? http://ask-leo.com/i_have_no_cd_how_do_i_g...s_xp_setup.html
If not, what's the procedure I should follow to create a valid boot cd from my i386 folder?

2. If creating a boot disk from the i386 folder isn't a good idea or won't work when I need to reformat the drive and reinstall Windows, what's the best way for me to obtain a CD? Like I said, I didn't receive any CDs at all from the online reseller when I bought my computer, and both they and Gateway basically kicked the ball back and forth when I called before. Of course, free is always nice, but I'm willing to pay for a disk if necessary as long as it's not $500 or some really high number, since I bought my computer for $550 two years ago.

3. Or should I just go ahead and buy a new computer that hopefully comes with a recovery CD, just wipe my hard drive clean, and use the recovery CD from the new computer to re-install Windows? Is that legal? My current Windows installation is valid and I do have the key # on the case itself. Once the old computer is clean, then I can decide what to do with it.

FIREWALL:
Regarding the firewall: I used to have ZoneAlarm Security Suite on my computer. Now, I didn't even know I had adware and a Trojan on my computer until I took my computer in to a tech support guy that I knew, because my computer had been running very slowly. He's the one who uninstalled ZoneAlarm and put in Trend Micro's Anti-Virus for me. Apparently ZoneAlarm had blocked all the IE popups before (but the adware and all the Trojans got installed for whatever reason, even when I chose Deny for all suspicious behaviors when ZoneAlarm asked me, and I thought my virus and spyware definitions were up-to-date; I also scanned my computer regularly using ZoneAlarm and nothing was ever found), which is why I didn't suspect that I had infection problems.

So basically, right after the tech guy uninstalled ZoneAlarm, all sorts of random IE pop-ups would appear. That's when he told me of all the infections I've been having for a while. Right now my roommate's Netgear router has a firewall built in, so I'm not going to install ZoneAlarm on my computer anytime soon.

My Next Course of Action:
I will download the necessary files you've mentioned in the posting using a clean computer and transport them to the infected computer using a thumbdrive. I will do the steps you've outlined and report back when I'm done. I apologize for writing such a long email, but I would really appreciate it if you could answer my questions regarding reformatting my hard drive, as I've never had to reformat a hard drive before. Also, I've partitioned my C: drive into 4 drives, so I don't know if that'll complicate matters further. Currently I have C, D, E, F, G partitions from one SATA drive.

Anyway, thanks so so much for reading my very long email and for all your help! I'll report back ASAP. :flowers:

#5 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 03 March 2007 - 05:36 AM

Hi wcbc, :thumbsup:

If I create a boot cd from the i386 folder in this computer, my boot cd is no good because the computer is already infected, right?


Yes so that's no option.

But if I create my boot cd from my Dell computer at work, which has XP professional installed and is a clean computer, would it work on my Gateway? I don't care for the Media Center edition and have no use for it whatsoever, but I don't know if this approach will work.


I don't think this will work since XP is protected. Furthermore you have to activate XP and that probably will fail because you're using a Media Center key to activate XP Pro.
The link is a dead link by the way.

what's the best way for me to obtain a cd?


Buy one; use Google or online market places.

3 Or should I just go ahead and buy a new computer that comes w/recovery cd hopefully and just wipe my hard drive clean, use the recovery cd from the new computer to re-install windows? Is that legal? My current windows installation is valid and I do have the key # on the case itself. Once the old computer is clean, then I can decide what to do with it.


I bought a new laptop two weeks ago and no disk whatsoever came with it. I was advised to backup/mirror the computer before going on the internet. You need an external hard disk or an alternative storage system (USB stick, CDs) large enough to copy your entire disk, so you can be sure that you don't lose anything (bookmarks, e-mail, passwords, IP addresses, usernames etc.). There are some free programmes to help you do the job, like: WinBackup 1.86.
Coming back to your question: I don't think it will work, since the recovery CD relates to the computer in question and can't be used on another computer.

Also, I've partitioned my c: drive into 4 drives. So I don't know if that'll complicate matters further. Currently I have C, D, E, F, G partitions from one SATA drive.


If you reformat E, the other partitions will not be gone, because partitions are at a lower level than that of the logical disk where the format takes place.

Anyway, thanks so so much for reading my very long email and for all your help!



You're very welcome.

#6 wcbc
  • Topic Starter

  • Members
  • 9 posts

Posted 05 March 2007 - 10:23 PM

hi Falu:
I've followed your advice. The following is a list of reports that I've generated according to your instructions.

Hijack This Uninstall List:
Ad-Aware SE Professional
Adobe Acrobat 7.0.7 Professional
Adobe After Effects 6.5
Adobe Common File Installer
Adobe Download Manager 2.0 (Remove Only)
Adobe Help Center 1.0
Adobe Illustrator CS2
Adobe Photoshop CS2
Adobe SVG Viewer 3.0
AirPlus XtremeG
Alias DirectConnect 2.0
Amadis DVD Ripper Professional V1.0.5
ANIO Service
ANIWZCS2 Service
Audacity 1.3.0
BigFix
Calligra
Color Finesse
Creative Driver
Cycore Effects 1.0
del.icio.us Buttons for Internet Explorer
Digital Media Reader
DivX Codec 3.1alpha release
Final Draft 7
GWCares
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
hp officejet v series
InCD EasyWrite Reader
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2
jetAudio Basic
Keylight (1.0v4) for Adobe After Effects
KODAK Picture Transfer Software
M4a/Flac/Ogg/Ape/Mpc Tag Support Plugin for Media Player v 1.1
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks MX 2004
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Macromedia Shockwave Player
Maya 7.0
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Mozilla Firefox (2.0.0.2)
MSXML 4.0 SP2 (KB927978)
MSXML 6.0 Parser (KB927977)
Nero BurnRights
Nero OEM
Norton PartitionMagic 8.0
NVIDIA Drivers
Ougishi 4.00 Lite betaoo?ˉ?
QuarkXPress 7.0
QuickTime
Rand McNally SGDE Engine V6
Rand McNally SGDE Search Databases
Rand McNally Street Guide Los Angeles & Orange Counties 2006
RealPlayer
Realtek High Definition Audio Driver
ScenicPlayer
Security Task Manager 1.7
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Sentinel System Driver 5.41.0 (32-bit)
SoftV92 Data Fax Modem with SmartCP
Sonic Encoders
Spybot - Search & Destroy 1.4
Storm Codec
Swift 3D v4.50
Trend Micro AntiVirus
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB931836)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
WebLog Expert Lite 3.6
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows Media Player 10
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Media Center Edition 2005 KB908250
WinRAR archiver
Wise-FTP
XviD MPEG-4 Video Codec

Virus Total Report:
Complete scanning result of "conime.exe", received in VirusTotal at 03.04.2007, 19:52:20 (CET).

Antivirus Version Update Result
AntiVir 7.3.1.38 03.04.2007 no virus found
Authentium 4.93.8 03.04.2007 no virus found
Avast 4.7.936.0 03.03.2007 no virus found
AVG 7.5.0.447 03.04.2007 no virus found
BitDefender 7.2 03.04.2007 no virus found
CAT-QuickHeal 9.00 03.02.2007 no virus found
ClamAV devel-20060426 03.04.2007 no virus found
DrWeb 4.33 03.04.2007 no virus found
eSafe 7.0.14.0 03.04.2007 no virus found
eTrust-Vet 30.6.3449 03.03.2007 no virus found
Ewido 4.0 03.04.2007 no virus found
FileAdvisor 1 03.04.2007 No threat detected
Fortinet 2.85.0.0 03.04.2007 no virus found
F-Prot 4.3.1.45 03.04.2007 no virus found
F-Secure 6.70.13030.0 03.03.2007 no virus found
Ikarus T3.1.1.3 03.04.2007 no virus found
Kaspersky 4.0.2.24 03.04.2007 no virus found
McAfee 4975 03.02.2007 no virus found
Microsoft 1.2204 03.04.2007 no virus found
NOD32v2 2094 03.04.2007 no virus found
Norman 5.80.02 03.02.2007 no virus found
Panda 9.0.0.4 03.04.2007 no virus found
Prevx1 V2 03.04.2007 no virus found
Sophos 4.14.0 03.03.2007 no virus found
Sunbelt 2.2.907.0 03.01.2007 no virus found
Symantec 10 03.04.2007 no virus found
TheHacker 6.1.6.067 03.01.2007 no virus found
UNA 1.83 03.02.2007 no virus found
VBA32 3.11.2 03.03.2007 no virus found
VirusBuster 4.3.19:9 03.04.2007 no virus found

Aditional Information
File size: 27648 bytes
MD5: 054df8f752497c6b74dd7b65cca61132
SHA1: f4dfd45a4e08f385277a1fde27878fa11eb6cc46
Bit9 info: http://fileadvisor.bit9.com/services/extin...4dd7b65cca61132

AVG Report:
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:45:13 PM 3/5/2007

+ Scan result:



C:\Documents and Settings\User\Desktop\hijackthis\backups\backup-20070224-212756-361.dll -> Adware.Agent : No action taken.
C:\Documents and Settings\User\Desktop\hijackthis\backups\backup-20070224-212757-391.dll -> Adware.Agent : No action taken.
C:\Documents and Settings\User\Desktop\hijackthis\backups\backup-20070224-225305-332.dll -> Adware.Agent : No action taken.
C:\Documents and Settings\User\Desktop\hijackthis\backups\backup-20070224-225305-835.dll -> Adware.Agent : No action taken.
C:\Documents and Settings\User\Desktop\hijackthis\backups\backup-20070224-230029-337.dll -> Adware.Agent : No action taken.
C:\Documents and Settings\User\Desktop\hijackthis\backups\backup-20070228-213140-393.dll -> Adware.Agent : No action taken.
C:\Documents and Settings\User\Desktop\hijackthis\backups\backup-20070304-111728-251.dll -> Adware.Agent : No action taken.
C:\Documents and Settings\User\Desktop\hijackthis\backups\backup-20070304-111728-661.dll -> Adware.Agent : No action taken.
C:\WINDOWS\Downloaded Program Files\904730\NTDLL32.dll -> Adware.Agent : No action taken.
C:\WINDOWS\system32\IEHelper.dll -> Adware.Agent : No action taken.
C:\WINDOWS\system32\NTDLL32.dll -> Adware.Agent : No action taken.
C:\WINDOWS\system32\NTDLL32.dll.txtmp -> Adware.Agent : No action taken.
C:\Program Files\Common Files\yssv\ljcf.dll -> Adware.Boran : No action taken.
C:\Program Files\Common Files\yssv\omfi.dll -> Adware.Boran : No action taken.
C:\Program Files\Common Files\yssv\qohk.dll -> Adware.Boran : No action taken.
C:\Program Files\Common Files\yssv\trkn.dll -> Adware.Boran : No action taken.
[1552] C:\PROGRA~1\COMMON~1\yssv\ljcf.dll -> Adware.Boran : No action taken.
C:\WINDOWS\system32\drivers\acpidisk.sys -> Adware.Cinmus : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838} -> Adware.Generic : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838} -> Adware.Generic : No action taken.
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : No action taken.
C:\WINDOWS\system32\drivers\Reg.exe -> Downloader.Zlob : No action taken.
C:\WINDOWS\g3.exe -> Hijacker.StartPage.amd : No action taken.
C:\WINDOWS\system32\drivers\msqmx.sys -> Hijacker.StartPage.amd : No action taken.
C:\WINDOWS\system32\winsys16_070221.dll -> Logger.Agent.pn : No action taken.
D:\mplay.com -> Logger.Agent.pn : No action taken.
C:\WINDOWS\system32\drivers\000058ee.SYS -> Trojan.Agent.abc : No action taken.


::Report end

Fresh Hijack This Log:
Logfile of HijackThis v1.99.1
Scan saved at 7:11:24 PM, on 3/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE
C:\Windows\eHome\ehRecvr.exe
C:\Windows\eHome\ehSched.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\nvsvc32.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Windows\System32\svchost.exe
C:\Windows\ehome\mcrdsvc.exe
C:\Windows\ALCWZRD.EXE
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\dllhost.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
c:\windows\system32\wbem\lsass.exe
C:\Windows\System32\alg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\msiexec.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\User\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: TeachingHandler - {31EBA2E2-58B2-4980-9C41-F12F5F1422C5} - C:\Program Files\Common Files\Collegesoft\Share Components\TPHANDLE.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Advance Helper - {8E25AC4A-B129-451B-BEE2-3B510BB751DA} - C:\Windows\system32\NTDLL32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IE Browser Helper - {D0903A3B-F0EA-434a-9742-98C5335C7946} - C:\Windows\system32\IEHelper.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Internet] "C:\Windows\system32\internet.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_0
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = %SystemRoot%\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - AppInit_DLLs: C:\Windows\system32\NTDLL32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Internet Connection Manager - Unknown owner - C:\Windows\system32\internet.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe

On Step 12 When I tried to delete the following entries you've highlighted in the post:
C:\Windows\system32\NTDLL32.dll - Can't delete, access denied. Make sure the file is not in use or the disk is not protected.
C:\Windows\system32\IEHelper.dll - Can't delete, access denied message.
C:\Windows\system32\ALCMTR.exe - didn't find file.
C:\Windows\system32\internet.exe - Can't Delete, access denied message.
C:\Windows\system32\SysExp.exe - file deleted.
C:\Windows\system32\NTUP1.dll - didn't find file.
C:\Windows\system32\drivers\ttp.exe - didn't find file.
C:\Windows\system32\1466EAB0.exe - didn't find file. Deleted 1466EAB0.DAT instead
C:\Windows\system32\RUNDLLFROMWIN2000.exe - can't delete, access denied message.

When I tried to boot into Safe Mode, I would see on the screen that Windows is loading lots of DLLs from the windows\system32 folder, then the system would reboot itself into Normal mode, meaning I would see the Gateway logo again and then Normal mode.

I also notice what may be a conflict between AVG and Ad-Watch. Now every time I reboot my computer, AVG Anti-Spyware pops up a message saying it found Adware.Agent, in files like C:\windows\system32\NTDLL32.dll and C:\windows\system32\IEHelper.dll. I choose Clean and Quarantine, but it doesn't seem to work, because when I reboot my computer the whole process starts all over again, so I see the same popup message every time I reboot now. Also, sometimes AVG thinks Ad-Watch is spyware and vice versa. Ad-Watch tells me that it found some suspicious events, and now I don't even know if that is caused by AVG's scan or not.

The following Ad-Watch alarm now pops up every time I reboot the computer.
The window says:
Warning! An attempt to alter a protected object has been detected. (Attempt to change a registry value)
Root: HKEY_CURRENT_USER
Key: Software\Microsoft\Internet Explorer\Main
Value: Start Page
Data: http://www.google.com/
New Data: www.7255.com
Please choose how to proceed.

I choose Block at this window.

Please let me know what I should do next. I've already started backing up everything and looking for an XP CD, but I still need to use the computer in the meantime. Thanks very much for your help!

Edited by wcbc, 06 March 2007 - 12:40 AM.


#7 Falu


  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 March 2007 - 07:06 AM

Hi wcbc,

1. Please disable realtime protection from AVG and Ad-Aware:

> Ad-Watch:
  • Right click on the Ad-Watch icon in the system tray and select "Restore Ad-Watch".
  • At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
    • Active: Switches Monitoring On or Off without closing
    • Automatic: Switches Automatic Blocking On or Off
  • Uncheck (red X) both items.
> AVG Anti-Spyware:

* Launch AVG Anti-Spyware.
* From the "Status" menu, select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
* Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
* Next, go to Start > Run and type: services.msc
* Press "OK".
* Click the "Extended" tab and scroll down the list to find AVG Anti-Spyware guard.
* When you find the guard service, double-click on it.
* In the Properties Window > General Tab that opens, click the "Stop" button.
* From the drop-down menu next to "Startup Type", click on "Manual".
* Now click "Apply", then "OK" and close the Services window.

2. Click on Start, Settings, Control Panel and double-click on Add or Remove Programs. From within Add or Remove Programs uninstall the following programs:

J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2


> Do you know what this is? If not remove it as well.

Ougishi 4.00 Lite betaoo???

> Viewpoint is classed as foistware and a potentially unwanted program, as it is sometimes installed without the user's consent. There may be some indications that they will move into tracking users at some stage, which you can read more about Here. If you value the service they provide then it can be left on the system, but if not then it can be removed using the Add/Remove screen. More info.

Viewpoint Media Player

3. Open Notepad and copy and paste the following text in the quotebox into it:

Windows Registry Editor Version 5.00

[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}]

[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

4. Please reboot!

5. Run HijackThis, click Scan and checkmark the following entries:

O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: Advance Helper - {8E25AC4A-B129-451B-BEE2-3B510BB751DA} - C:\Windows\system32\NTDLL32.dll
O2 - BHO: IE Browser Helper - {D0903A3B-F0EA-434a-9742-98C5335C7946} - C:\Windows\system32\IEHelper.dll
O4 - HKLM\..\Run: [Internet] "C:\Windows\system32\internet.exe"
O20 - AppInit_DLLs: C:\Windows\system32\NTDLL32.dll
O23 - Service: Internet Connection Manager - Unknown owner - C:\Windows\system32\internet.exe (file missing)


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

6. Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\Downloaded Program Files\904730
    C:\Program Files\Common Files\yssv
    C:\Program Files\Common Files\Real\WeatherBug
    C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools
    C:\WINDOWS\system32\IEHelper.dll
    C:\WINDOWS\system32\NTDLL32.dll
    C:\WINDOWS\system32\NTDLL32.dll.txtmp
    C:\WINDOWS\system32\drivers\acpidisk.sys
    C:\WINDOWS\system32\drivers\Reg.exe
    C:\WINDOWS\g3.exe
    C:\WINDOWS\system32\drivers\msqmx.sys
    C:\WINDOWS\system32\winsys16_070221.dll
    D:\mplay.com
    C:\WINDOWS\system32\drivers\000058ee.SYS
    C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE
    C:\Windows\system32\internet.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

7. Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and copy and paste the entire report in your next reply.

8. You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 6.0). Older versions have vulnerabilities that malware can use to infect your system. Please update and remove the older versions. Do the following:
  • Go to Start > Control Panel and double-click on the Software icon > Add/Remove Programs.
  • Search the list for all previously installed versions of Java (J2SE Runtime Environment...).

    It should have the following icon next to it: [image]
    Select it and click Remove.
  • Then Download and install the newest version from here:

    Java Runtime Environment (JRE) 6.0
If you didn't already reboot after step 6, please do it now and post the F-Secure report together with the OTMoveIt report and a fresh HijackThis log!
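
The entries Falu picks out above are the ones where a scanner finding (the AVG Anti-Spyware report earlier in this thread) lines up with an autostart vector in the HijackThis log: a BHO, an AppInit_DLLs value, a Run key and a service all pointing at the same two or three files, which is why they keep coming back after a single removal. The Python script below is an added example, not code from this thread or from HijackThis, AVG or OTMoveIt. It does that correlation mechanically: it parses the O-lines of a HijackThis log, checks each path against a set of scanner-flagged paths, and also reports any file referenced from more than one autostart vector, any AppInit_DLLs entry, and any service whose binary is missing. The sample log lines and the flagged set are constructed from entries quoted in this thread; the function names (`parse_hjt`, `triage`) and the heuristics are this example's own, not a HijackThis feature.

```python
"""Correlate HijackThis autostart entries with anti-spyware scan findings.

Added example for the thread above; not part of HijackThis, AVG or OTMoveIt.
"""
import re
from collections import defaultdict

# Constructed sample: HijackThis 1.99.1 style O-lines copied from the thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Advance Helper - {8E25AC4A-B129-451B-BEE2-3B510BB751DA} - C:\Windows\system32\NTDLL32.dll
O2 - BHO: IE Browser Helper - {D0903A3B-F0EA-434a-9742-98C5335C7946} - C:\Windows\system32\IEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Internet] "C:\Windows\system32\internet.exe"
O20 - AppInit_DLLs: C:\Windows\system32\NTDLL32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe
O23 - Service: Internet Connection Manager - Unknown owner - C:\Windows\system32\internet.exe (file missing)
"""

# Constructed: paths the AVG Anti-Spyware report in the thread listed as
# Adware.Agent. In practice this set comes from the scan report.
SCANNER_FLAGGED = {
    r"C:\WINDOWS\system32\NTDLL32.dll",
    r"C:\WINDOWS\system32\IEHelper.dll",
}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# First absolute Windows path on the line that ends in an executable extension.
PATH_RE = re.compile(r'([a-z]:\\[^"]+?\.(?:exe|dll|sys|com))\b', re.IGNORECASE)


def parse_hjt(text):
    """Return one dict per O-line: section, raw line, first path, status flags."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, "Running processes" block, blank lines
        section, rest = m.groups()
        pm = PATH_RE.search(rest)
        entries.append({
            "section": section,
            "raw": line,
            "path": pm.group(1) if pm else None,
            "file_missing": "(file missing)" in rest,
        })
    return entries


def _norm(path):
    # Windows paths are case-insensitive; HijackThis and scanners differ in casing.
    return path.lower()


def triage(entries, flagged_paths):
    """Return the entries worth fixing, each with the reasons it was selected."""
    flagged = {_norm(p) for p in flagged_paths}

    # Which autostart vectors (HJT sections) reference each file? A DLL that is
    # both a BHO (O2) and an AppInit_DLL (O20), or an EXE that is both a Run
    # key (O4) and a service (O23), is re-launched from several places, so
    # fixing one entry on its own does not make it go away.
    vectors = defaultdict(set)
    for e in entries:
        if e["path"]:
            vectors[_norm(e["path"])].add(e["section"])

    findings = []
    for e in entries:
        reasons = []
        p = _norm(e["path"]) if e["path"] else None
        if p and p in flagged:
            reasons.append("file was flagged by the anti-spyware scan")
        if e["section"] == "O20" and p:
            reasons.append("AppInit_DLLs entry: loaded into every process that uses user32.dll")
        if e["section"] == "O23" and e["file_missing"]:
            reasons.append("service points at a missing binary")
        if p and len(vectors[p]) > 1:
            reasons.append("same file referenced from " + ", ".join(sorted(vectors[p])))
        if reasons:
            findings.append({"raw": e["raw"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT_LOG), SCANNER_FLAGGED):
        print(f["raw"])
        for r in f["reasons"]:
            print("   -", r)
```

On the sample above the script lists five entries: the two scanner-flagged BHOs, the AppInit_DLLs line (flagged, plus the AppInit and multi-vector reasons), and the Run key and service that both point at internet.exe. The Adobe BHO, the NVIDIA service and the SoundMan Run key are left alone. The multi-vector check is the part worth keeping in mind when reading a HijackThis log by hand: a file that appears under O2 and O20, or O4 and O23, needs every one of those entries fixed in the same pass.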

#8 wcbc

  • Topic Starter

  • Members
  • 9 posts

Posted 08 March 2007 - 02:59 AM

hi Falu:
Thanks again for the quick response. I followed your instructions, and below are the steps I've taken, in the order in which I took them.

1. I disabled Ad-Watch according to your instructions. However, I noticed that the Ad-Watch popup window still appears every time I reboot the computer and the red X items would return to green. So I went to Settings and disabled the "Automatically load Ad-Watch when Windows starts" option. That seems to make the pop-up window go away.

2. Disabled AVG Anti-Spyware as you instructed. Now the AVG icon in the taskbar is gray.

3. Old Java program has been removed. The only JAVA program under Add/Remove Programs right now is: JAVA ™ SE Runtime Environment 6.

4. Ougishi is a program that automatically turns your scribble into calligraphy. However, I uninstalled Ougishi and Viewpoint Media Player as instructed just to be on the safe side.

5. Merged fix.reg into Registry as instructed.

6. Rebooted the computer and ran HijackThis. When I clicked on the Fix Checked button, an error message popped up:
"An unexpected error has occurred at procedure: ModBackup_MakeBackup (Item:O2O_AppInit_DLLS:C:\Windows\System32\NTDLL32.dll
Error #5 invalid call procedure or argument)
After I clicked the OK button on the error message window, the rest of the fix went fine.

7. Downloaded and ran OTMoveIt. The computer asked me to reboot the machine to finish the process and I clicked Yes. After the reboot, however, OTMoveIt didn't reappear automatically, so I'm not sure whether the rest of the items were completed successfully. So I ran OTMoveIt again and copied and saved the log first this time, then rebooted the computer manually.

Here's the OTMoveIt log:
Folder move failed. C:\WINDOWS\Downloaded Program Files\904730\_uninstall scheduled to be moved on reboot.
Folder cleanup failed. C:\WINDOWS\Downloaded Program Files\904730\config scheduled to be deleted on reboot.
Folder cleanup failed. C:\WINDOWS\Downloaded Program Files\904730\CodeConvert scheduled to be deleted on reboot.
Folder cleanup failed. C:\WINDOWS\Downloaded Program Files\904730\bk scheduled to be deleted on reboot.
Folder cleanup failed. C:\WINDOWS\Downloaded Program Files\904730 scheduled to be deleted on reboot.
File/Folder C:\Program Files\Common Files\yssv not found.
File/Folder C:\Program Files\Common Files\Real\WeatherBug not found.
File/Folder C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\IEHelper.dll
C:\WINDOWS\system32\IEHelper.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\IEHelper.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\NTDLL32.dll
C:\WINDOWS\system32\NTDLL32.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\NTDLL32.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\NTDLL32.dll.txtmp scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\drivers\acpidisk.sys not found.
File/Folder C:\WINDOWS\system32\drivers\Reg.exe not found.
File/Folder C:\WINDOWS\g3.exe not found.
File/Folder C:\WINDOWS\system32\drivers\msqmx.sys not found.
File/Folder C:\WINDOWS\system32\winsys16_070221.dll not found.
File/Folder D:\mplay.com not found.
C:\WINDOWS\system32\drivers\000058ee.SYS moved successfully.
File/Folder C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE not found.
File/Folder C:\Windows\system32\internet.exe not found.

Created on 03/07/2007 22:06:45


8. Ran the F-Secure Online Scanner as instructed. I didn't disable Trend Micro's anti-virus program while the F-Secure scanner was running; however, I did disable Trend Micro's anti-virus right before I clicked the Automatic Cleaning button.

Here's the report from F-Secure Online Scanner:
Scanning Report
Wednesday, March 07, 2007 22:18:59 - 23:16:33

Computer name: YAD
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ G:\ H:\ I:\
Result: 8 malware found
Adware.BHO(generic) (spyware)

* System (Disinfected)

Adware.MMSAssist (spyware)

* System (Disinfected)

Trojan-Downloader.Win32.Agent.aww (virus)

* C:\WINDOWS\SYSTEM32\MSGSVC.DLL (Renamed & Submitted)
* C:\WINDOWS\SYSTEM32\NTWORKSTAN.DLL (Renamed & Submitted)
* C:\WINDOWS\SYSTEM32\DLLCACHE\MSGSVC.DLL (Renamed & Submitted)

Trojan.Win32.StartPage.amd (virus)

* C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\DRIVERS\MSQMX.SYS (Renamed & Submitted)

W32/Malware.LJA (virus)

* C:\WINDOWS\SYSTEM32\ADVWHES.DLL (Submitted)

W32/Smalldoor.ADBH (virus)

* C:\WINDOWS\SYSTEM32\KRESW.DLL (Submitted)

Statistics
Scanned:

* Files: 47687
* System: 4530
* Not scanned: 7

Actions:

* Disinfected: 2
* Renamed: 4
* Deleted: 0
* None: 2
* Submitted: 6

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\TEMP\HSPERFDATA_SYSTEM\576
* C:\WINDOWS\SYSTEM32\PYHMZ.DLL
* C:\WINDOWS\SYSTEM32\DRIVERS\FFZNE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{1B3A424E-D8E8-42BC-9E0B-B8C65F790CC1}.BIN
* C:\WINDOWS\DOWNLOADED PROGRAM FILES\904730\SHLWAPI32.DLL

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2007-03-07
* F-Secure AVP: 7.0.171, 2007-03-07
* F-Secure Orion: 1.2.37, 2007-03-08
* F-Secure Blacklight: 1.0.53, 0000-00-00
* F-Secure Draco: 1.0.35, 0260-02-44
* F-Secure Pegasus: 1.19.0, 2007-02-05

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics

9. Java program is now the latest version. Please see step 3 above.

10. After I finished with the F-Secure online scanner, I rebooted the computer. I got the infamous Blue Screen of Death with the error message Multiple_IRP_Complete_Requests. I got the message once before, after I discovered my infection. When I searched online, it seemed that my HP All-in-One Inkjet V40 software automatically loading itself at startup was causing the problem (although I never experienced this problem before I discovered my infection), but I removed an HP-related printer software .exe from my startup and I hadn't experienced the screen again until today. I got the error screen after I entered my Windows login name and password at the prompt.

Also, I don't know if this matters, but it seems that now whenever I have a Windows loading problem it occurs after I choose the Restart option instead of Shut Down. For some reason, the Restart option causes me problems logging into / loading Windows, whereas if I choose Shut Down and then manually press the power button it works fine for me.

Last time, when I received the Blue Screen of Death with the Multiple IRP error message, if I chose the Restart option I would face the same error message again after typing in my login and password at the prompt, but when I chose to just manually shut down and restart the computer, I was able to log into Windows okay. This is also what I did this time when I received the error message: I just manually shut down Windows and pressed the power button, and then I was able to log into Windows.

Also, I didn't experience any issues with the Restart option until after I discovered my infection. That includes the time I was infected but didn't know it, due to ZoneAlarm being installed on my computer.

I suspect it's because of some corrupted file in Windows, but you probably have a better idea than I do. I've never faced Blue Screen of Death before, not even with my Windows Me sloooowww laptop.

11. So after I was able to log into Windows again, I ran HijackThis again.
Here's the fresh Hijack This Log:

Scan saved at 11:23:25 PM, on 3/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\savedump.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\eHome\ehRecvr.exe
C:\Windows\eHome\ehSched.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Windows\ALCWZRD.EXE
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Windows\System32\svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Windows\SOUNDMAN.EXE
C:\Windows\system32\nvsvc32.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\WINDOWS\system32\dllhost.exe
c:\windows\system32\wbem\lsass.exe
C:\Windows\System32\svchost.exe
C:\Documents and Settings\User\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: TeachingHandler - {31EBA2E2-58B2-4980-9C41-F12F5F1422C5} - C:\Program Files\Common Files\Collegesoft\Share Components\TPHANDLE.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Advance Helper - {8E25AC4A-B129-451B-BEE2-3B510BB751DA} - C:\Windows\system32\NTDLL32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IE Browser Helper - {D0903A3B-F0EA-434a-9742-98C5335C7946} - C:\Windows\system32\IEHelper.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\drivers\ttp.exe] C:\WINDOWS\system32\drivers\ttp.exe
O4 - HKLM\..\Run: [Internet] "C:\Windows\system32\internet.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_0
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = %SystemRoot%\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - AppInit_DLLs: C:\Windows\system32\NTDLL32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Indexing Data (BKMARKS) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Internet Connection Manager - Unknown owner - C:\Windows\system32\internet.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe

It seems like some of the files have been deleted; however, I'm not sure why the HijackThis entry is there when the file is missing. Some of the entries are still there though. They are stubborn as hell.

12. Also, every time I log into Windows, I see a popup window called RUNDLL.
It says: "Error loading C:\PROGRA~1\COMMON~1\yssv\jcf.dll
The specified module could not be found."
The window disappears by itself after a couple of seconds. It seems that jcf.dll is one of the files from one of the malwares present, but not every file from that malware has been deleted, which is why this msg keeps popping up. Once we've eliminated all files from the malware that's associated w/jcf.dll, that msg will go away, is this correct?

Thanks so much for all your help! I look forward to the next set of instructions.

Edited by wcbc, 08 March 2007 - 03:10 AM.


#9 Falu

  • Security Colleague
  • 3,001 posts
  • Location: The Netherlands

Posted 09 March 2007 - 05:26 AM

Hi wcbc, :thumbsup:

Thanks again for the quick response. I followed your instructions and below are the steps I've taken in the order in which I've taken them.


You're very welcome and you're doing very well.

Ougishi is a program that automatically turns your scribble into calligraphy.


If you chose to have it, there's no need to remove it. I just ran into Japanese or Chinese sites, so I couldn't find any 'understandable' info.

It seems like some of the files has been deleted, however, I'm not sure why the Hijack This Entry is there when the file is missing.


In some cases that means that the file is actually missing (e.g. O2 and O3 entries), but the file may also still be there, e.g. an O23 entry.

1.

After I finishes with F-Secure online scanner, I rebooted the computer. I got the infamous blue screen of death and the error message Multiple_IRP_Complete_Requests. I got the message once before after I discovered my infection. When I searched online, it seems to be my HP All-in-one Inkjet v40 software automatically load itself in startup is causing the problem


Next time you get a Blue Screen of Death (BSOD), please post all the error messages as specifically as possible, because we need that information to find accurate info.
What infection do you think you have/had at that time?

2.

Also, everytime I log into windows, I see this popup window that's called RUNDLL.
It's says: "Error loading C:\PROGRA~1\COMMON~1\yssv\jcf.dll The specified module could not be found."


It could be caused by malware e.g. C:\PROGRA~1\COMMON~1\yssv\jcf.dll which we tried to remove earlier.
Another possibility is that something has been removed, or uninstalled incorrectly, but has left the Run command in place e.g. C:\PROGRA~1\COMMON~1\yssv\jcf.dll
In conclusion: we're not ready yet.

3. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

4. Run HijackThis, click Scan and checkmark the following entries:

O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll (file missing)
O2 - BHO: Advance Helper - {8E25AC4A-B129-451B-BEE2-3B510BB751DA} - C:\Windows\system32\NTDLL32.dll
O2 - BHO: IE Browser Helper - {D0903A3B-F0EA-434a-9742-98C5335C7946} - C:\Windows\system32\IEHelper.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\drivers\ttp.exe] C:\WINDOWS\system32\drivers\ttp.exe
O4 - HKLM\..\Run: [Internet] "C:\Windows\system32\internet.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - AppInit_DLLs: C:\Windows\system32\NTDLL32.dll
O23 - Service: Indexing Data (BKMARKS) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE (file missing)
O23 - Service: Internet Connection Manager - Unknown owner - C:\Windows\system32\internet.exe (file missing)


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

5. Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Click the "Delete Cookies" button
* Next to it, Click the "Delete Files" button
* When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu on the left side of the Options window.
* Click the Clear button located to the right of each option (History, Cookies, Cache).
* Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

6. Run OTMoveIT again:

* Please double-click OTMoveIt.exe to run it.
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools
C:\WINDOWS\system32\IEHelper.dll
C:\WINDOWS\system32\NTDLL32.dll
C:\WINDOWS\system32\drivers\ttp.exe
C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE
C:\Windows\system32\internet.exe
C:\WINDOWS\SYSTEM32\PYHMZ.DLL
C:\WINDOWS\SYSTEM32\DRIVERS\FFZNE.SYS

* Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
* Click the red Moveit! button.
* Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
* Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

7. If you didn't reboot after OTMoveIT please do it now.

8. Let's do some more digging:

Download reglooks from here and save it to your desktop.
Doubleclick reglooks.exe and wait until a logfile appears.
The log will be called result.txt.
Copy and paste the contents of this log in your next reply.

Please post the reglooks report together with a fresh HijackThis log!
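
The fix list above is a set of judgement calls on HijackThis lines: an O20 AppInit_DLLs value that should not be there, BHOs and services living straight in system32 with no publisher, a Run value whose name is its own path, and registrations whose file is already gone. The script below is an added example, not part of this thread and not part of HijackThis, that applies those same rules to HijackThis 1.99.1 log lines. The sample input is constructed from lines copied out of wcbc's log in this thread; the severity labels, the rule wording and the short allowlist of Windows binaries that legitimately autostart from system32 are the example's own assumptions, not anything HijackThis or the helper stated.

```python
"""Triage a HijackThis 1.99.1 log: parse O2 (BHO), O4 (Run), O20 (AppInit_DLLs)
and O23 (service) lines and flag the persistence patterns a helper looks for.
Added example for this thread; the rules and severities are this script's own."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log posted in this thread.
# Real use: triage(open("hijackthis.log").read())
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll (file missing)
O2 - BHO: Advance Helper - {8E25AC4A-B129-451B-BEE2-3B510BB751DA} - C:\Windows\system32\NTDLL32.dll
O2 - BHO: IE Browser Helper - {D0903A3B-F0EA-434a-9742-98C5335C7946} - C:\Windows\system32\IEHelper.dll
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\drivers\ttp.exe] C:\WINDOWS\system32\drivers\ttp.exe
O4 - HKLM\..\Run: [Internet] "C:\Windows\system32\internet.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\Windows\system32\NTDLL32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Indexing Data (BKMARKS) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE (file missing)
O23 - Service: Internet Connection Manager - Unknown owner - C:\Windows\system32\internet.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O20"
    severity: str  # "high": fix it; "review": confirm the publisher first
    reason: str
    line: str


_ENTRY = re.compile(r"^(O\d+) - (.*)$")
_BHO = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
_RUN = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_SVC = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
MISSING = "(file missing)"
# Assumed allowlist: Windows binaries that legitimately autostart from system32.
KNOWN_SYSTEM32_RUN = {"ctfmon.exe", "rundll32.exe", "dumprep"}


def _exe_of(cmd: str) -> str:
    """First token of a command line, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def _split(path: str) -> tuple[str, str]:
    """(directory, basename), lower-cased and backslash-normalised."""
    head, _, tail = path.replace("/", "\\").lower().rpartition("\\")
    return head, tail


def _strip_missing(path: str) -> tuple[str, bool]:
    if path.endswith(MISSING):
        return path[: -len(MISSING)].strip(), True
    return path, False


def _check_bho(body: str, line: str) -> list[Finding]:
    m = _BHO.match(body)
    if not m:
        return []
    path, missing = _strip_missing(m["path"])
    d, _ = _split(path)
    if d.endswith("\\system32"):
        return [Finding("O2", "high", "BHO registered straight from system32; vendors install under Program Files", line)]
    if missing:
        return [Finding("O2", "review", "orphaned BHO registration, file already gone; fix the entry", line)]
    return []


def _check_run(body: str, line: str) -> list[Finding]:
    m = _RUN.match(body)
    if not m:
        return []
    exe = _exe_of(m["cmd"])
    d, base = _split(exe)
    if m["name"].lower() == exe.lower():
        return [Finding("O4", "high", "Run value keyed by its own full path", line)]
    if d.endswith("\\system32\\drivers") and base.endswith(".exe"):
        return [Finding("O4", "high", ".exe started from the drivers directory", line)]
    if d.endswith("\\system32") and base not in KNOWN_SYSTEM32_RUN:
        return [Finding("O4", "review", f"unknown system32 autostart {base}; confirm its publisher", line)]
    return []


def _check_appinit(body: str, line: str) -> list[Finding]:
    if not body.startswith("AppInit_DLLs:"):
        return []
    if body[len("AppInit_DLLs:"):].strip():
        return [Finding("O20", "high", "AppInit_DLLs is empty on a clean XP install; this DLL is injected into every process that loads user32.dll", line)]
    return []


def _check_service(body: str, line: str) -> list[Finding]:
    m = _SVC.match(body)
    if not m:
        return []
    path, missing = _strip_missing(m["path"])
    unknown = m["owner"] == "Unknown owner"
    d, _ = _split(_exe_of(path))
    if unknown and ("\\system32" in d or missing):
        return [Finding("O23", "high", "service with no publisher, in system32 or already deleted; candidate for removal", line)]
    if unknown:
        return [Finding("O23", "review", "service with no publisher name; confirm the product", line)]
    return []


_CHECKS = {"O2": _check_bho, "O4": _check_run, "O20": _check_appinit, "O23": _check_service}


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious O2/O4/O20/O23 line, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if m and m.group(1) in _CHECKS:
            findings.extend(_CHECKS[m.group(1)](m.group(2), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

On the sample the script flags exactly the entries in the fix list above (NTDLL32.dll in both its BHO and AppInit_DLLs roles, IEHelper.dll, ttp.exe, internet.exe, the BKMARKS and Internet Connection Manager services and the orphaned pctools.dll registration) and leaves the Adobe, Java, Trend Micro and ctfmon lines alone; the KernelFaultCheck line is not flagged because dumprep is a Windows binary, which matches its place in the list as clean-up rather than malware. The "(file missing)" handling is deliberately conservative: as the reply above notes, for O23 entries the file may still exist, so a missing-file service is rated by its owner and path rather than dismissed.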

#10 wcbc

  • Topic Starter
  • Members
  • 9 posts

Posted 10 March 2007 - 04:23 PM

hi Falu:
Thanks again. :thumbsup: I've followed your advice and have taken the following steps (in the order in which they've been taken).

1. Boot into Safe Mode:
I rebooted the computer and chose Safe Mode. But I still can't boot into Safe Mode. Like before, when I choose Safe Mode, I see a bunch of messages on a black screen indicating that Windows is loading lots of processes; when that's over, the computer simply reboots itself into normal mode.

The reason for this is that in my overzealous pursuit of the spyware and adware (before my posting here but after I discovered my infection) I found some spyware .exe files in the C:\ folder, so I simply deleted all the files in my C:\ folder (not the subfolders, only the files), which totally messed up my boot file and I had to download a boot file off the internet. As a result, that's probably why my Boot Into Safe Mode files are missing and I can't boot into Safe Mode now.

My current Boot.ini file looks like the following:
[Boot Loader]
timeout=10
Default=multi(0)disk(0)rdisk(0)partition(1)\Windows
[Operating Systems]
multi(0)disk(0)rdisk(0)partition(1)\Windows="1ST TRY THIS " /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\Windows="2ND TRY THIS " /fastdetect
multi(0)disk(0)rdisk(0)partition(5)\Windows="test drive" /fastdetect

and I currently have the following files and folders in my C:\folder.
I have the following folders:
C:\_OTMoveIt
C:\cabs
C:\CMPNENTS
C:\Documents and Settings
C:\Downloads
C:\Drivers
C:\DVD-Slideshow
C:\e6862359b9384e1439dc0abf28693b
C:\FLEXLM
C:\info
C:\Kodak Pictures
C:\My Music
C:\NVIDIA
C:\Program Files
C:\rays
C:\RECYCLER
C:\Slideshow
C:\System Volume Information
C:\temp
C:\WINDOWS

And I have the following files in my C:\folder.
C:\-1259860328
C:\AUTOEXEC.BAT
C:\boot.ini
C:\BootErr.log
C:\CONFIG.SYS
C:\dmg2iso.exe
C:\IO.SYS
C:\MSDOS.SYS
C:\NTDETECT.COM
C:\NTLDR
C:\pagefile.sys
C:\rapport.txt

The above information may or may not help, but I figure that more information is better than less :flowers:

2. I ran HijackThis and checked the entries you've marked in the post. However, I still get the same error pop-up window as before.
HijackThis Error Window:
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: C:\Windows\system32\NTDLL32.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 7.0.5730.11
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

I don't know if this is because I'm not doing this in Safe Mode. After I clicked OK, everything went smoothly.

3. I rebooted my computer after I ran HijackThis. I cleaned all my temp files in IE as instructed. I also cleaned my cookies and private data in Firefox. However, I don't know where to clean out my cache. I don't see a Clear History button. My History is currently set up to keep itself for 1 day, and I use Firefox 2.0.0.2.

I also noticed that one of the adware programs has hijacked my IE homepage: instead of Google, now I get www.7255.com as my homepage. I did correct this after I discovered my infection, but it somehow hijacked my homepage again. I corrected it again this time and put in Google as my homepage.

4. I also cleaned my Temp Files, Recycle Bin, and Temp Internet Files as instructed. And although I didn't check these entries, I did notice the following entries taking up space:
Setup Log Files 2,530kb
WebClient/Publisher Temp files 32kb
Compress Old Files 13,004,83

I don't know if it's normal for a computer to have files in Setup Log Files, especially because I remember that when I cleaned computers before, I didn't have anything under Setup Log Files.

5. I ran OTMoveIt as suggested; however, I was unable to get a log this time, because OTMoveIt just closes itself after I click on MoveIt. I did this several times, each with the same result. It didn't happen last time though, so I don't know what may be causing this. Also, since the program just closes itself right after I click on MoveIt, I also don't see the pop-up window saying that I need to reboot the machine to finish the move process, which I saw last time.

6. After I ran OTMoveIt, I rebooted my machine and got a blank screen that said:
The firmware has detected that the system date/time has not been set. Press <ESC> to Boot or <F2> to run BIOS setup.

I pressed F2 and I saw that my System Date is now: [01/01/2004], my System Time now reads: [00:00:20], so I changed my System Date to: [03/10/2007] and my System Time to [00:39:51]

After I saved and exited, the System booted into Windows fine.

7. Then I ran reglooks as instructed.
Here's the reglooks log:
REGLOOKS logfile

version 0.950
03/10/2007 Sat 0:41:13.84
running from: "C:\Documents and Settings\User\Desktop"

--- SSODL regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}" FILE ="C:\\WINDOWS\\system32\\upnpui.dll"


--- STS regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
only standard or legit regkeys found


--- USERINIT regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="C:\\Windows\\SYSTEM32\\Userinit.exe,"


--- SHELL regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe"


--- SYSTEM regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"System"=""


--- APPINIT_DLLS regkey ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"="C:\\Windows\\system32\\NTDLL32.dll"


--- NOTIFY regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
only standard or legit regkeys found


--- RUN / LOAD regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
"load"=""


--- BOOTEXECUTE regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute= autocheck autochk *\0\0


--- SHELLEXECUTEHOOKS regkey ---

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"


--- AUTORUN regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
"AutoRun"="d:\\mplay.com"


--- HKLM\Run regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"AlcWzrd"="ALCWZRD.EXE"
"D-Link AirPlus XtremeG"="C:\\Program Files\\D-Link\\AirPlus XtremeG\\AirPlusCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"SoundMan"="SOUNDMAN.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"StormCodec_Helper"="\"C:\\Program Files\\Ringz Studio\\Storm Codec\\StormSet.exe\" /S /opti"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"Trend Micro AntiVirus 2007"="C:\\Program Files\\Trend Micro\\AntiVirus 2007\\tavui.exe -1 --delay 15"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"Internet"="\"C:\\Windows\\system32\\internet.exe\""
[Run\OptionalComponents]
[Run\OptionalComponents\IMAIL]
"Installed"="1"
[Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[Run\OptionalComponents\MSFS]
"Installed"="1"


--- HKLM\RunOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKLM RunOnce keys found


--- HKLM\RunOnceEx regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
no HKLM RunOnceEx keys found


--- HKLM\RunServices regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
no HKLM RunServices keys found


--- HKLM\RunServicesOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
no HKLM RunServicesOnce keys found


--- HKCU\Run regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\AdobeUpdateManager.exe AcPro7_0_0"
"ctfmon.exe"="C:\\Windows\\system32\\ctfmon.exe"


--- HKCU\RunOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKCU RunOnce keys found


--- HKCU\RunOnceEx regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
no HKCU RunOnceEx keys found


--- HKCU\RunServices regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
no HKCU RunServices keys found


--- HKCU\RunServicesOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
no HKCU RunServicesOnce keys found


--- HKLM\Explorer\Run regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
no HKLM Explorer\Run keys found


--- HKCU\Explorer\Run regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
regkey does not exist


--- Image File Execution regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
wmplayer.exe: "Debugger"="D:\\Program Files\\Microsoft Visual Studio\\Common\\MSCREATE32.exe"


--- BROWSER HELPER OBJECTS regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" FILE ="C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll"
"{31EBA2E2-58B2-4980-9C41-F12F5F1422C5}" FILE ="C:\\Program Files\\Common Files\\Collegesoft\\Share Components\\TPHANDLE.dll"
"{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}" regkey not found (ERROR)
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" FILE ="C:\\Program Files\\Java\\jre1.6.0\\bin\\ssv.dll"
"{7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6}" FILE ="C:\\Program Files\\del.icio.us\\Internet Explorer Buttons\\dlcsIE.dll"
"{8E25AC4A-B129-451B-BEE2-3B510BB751DA}" FILE ="C:\\Windows\\system32\\NTDLL32.dll"
"{AE7CD045-E861-484f-8273-0445EE161910}" FILE ="C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\AcroIEFavClient.dll"
"{D0903A3B-F0EA-434a-9742-98C5335C7946}" FILE ="C:\\Windows\\system32\\IEHelper.dll"


--- TOOLBAR regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
"{981FE6A8-260C-4930-960F-C3BC82746CB0}" FILE ="C:\\Program Files\\del.icio.us\\Internet Explorer Buttons\\dlcsIE.dll"
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" FILE ="C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\AcroIEFavClient.dll"


--- URLSEARCHHOOKS regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
only standard regkeys found


--- SRCEENSAVER regkey ---

HKEY_CURRENT_USER\Control Panel\Desktop
"SCRNSAVE.EXE"="C:\\Windows\\system32\\ssstars.scr"


--- CONTEXTMENUHANDLERS regkeys ---

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
"Adobe.Acrobat.ContextMenu" CLSID ={D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} FILE ="C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat Elements\\ContextMenu.dll"
"AVG Anti-Spyware" CLSID ={8934FCEF-F5B8-468f-951F-78A921CD3920} FILE ="C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\context.dll"
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll
"Open With" CLSID ={09799AFB-AD67-11d1-ABCD-00C04FC30936} FILE =%SystemRoot%\system32\SHELL32.dll
"Open With EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll
"WinRAR" CLSID ={B41DB860-8EE4-11D2-9906-E49FADC173CA} FILE ="C:\\Program Files\\WinRAR\\rarext.dll"
"{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}" Start Menu Pin FILE =%SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers
"AVG Anti-Spyware" CLSID ={8934FCEF-F5B8-468f-951F-78A921CD3920} FILE ="C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\context.dll"
"EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll
"jetAudio" CLSID ={8D1636FD-CA49-4B4E-90E4-0A20E03A15E8} FILE ="C:\\Program Files\\JetAudio\\JetFlExt.dll"
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll
"Sharing" CLSID ={f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} FILE ="ntshrui.dll"
"WinRAR" CLSID ={B41DB860-8EE4-11D2-9906-E49FADC173CA} FILE ="C:\\Program Files\\WinRAR\\rarext.dll"

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers
"jetAudio" CLSID ={8D1636FD-CA49-4B4E-90E4-0A20E03A15E8} FILE ="C:\\Program Files\\JetAudio\\JetFlExt.dll"
"WinRAR" CLSID ={B41DB860-8EE4-11D2-9906-E49FADC173CA} FILE ="C:\\Program Files\\WinRAR\\rarext.dll"


--- ALTERNATESHELL regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
"AlternateShell"="cmd.exe"


--- SAFEBOOT MINIMAL SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
no unknown services found


--- SAFEBOOT NETWORK SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
no unknown services found


--- SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\000058ee
"DisplayName"="000058ee"
system32\drivers\000058ee.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\a347bus
system32\DRIVERS\a347bus.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\a347scsi
System32\Drivers\a347scsi.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\A5AGU
"DisplayName"="D-Link USB Wireless Network Adapter Service"
system32\DRIVERS\A5AGU.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Adobe LM Service
"DisplayName"="Adobe LM Service"
"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Albus
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ANIO
"DisplayName"="ANIO Service"
\??\C:\WINDOWS\system32\ANIO.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ATHFMWDL
"DisplayName"="D-Link predator Bootloader driver"
System32\Drivers\ATHFMWDL.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVG Anti-Spyware Driver
"DisplayName"="AVG Anti-Spyware Driver"
\??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVG Anti-Spyware Guard
"DisplayName"="AVG Anti-Spyware Guard"
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AvgAsCln
"DisplayName"="AVG Anti-Spyware Clean Driver"
System32\DRIVERS\AvgAsCln.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BKMARKS
"DisplayName"="Indexing Data"
C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE C:\WINDOWS\SYSTEM32\WBEM\SWQWS.DLL,Export 1087

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ctac32k
"DisplayName"="Creative AC3 Software Decoder"
System32\drivers\ctac32k.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ctdvda2k
"DisplayName"="Creative DVD-Audio Device Driver"
System32\drivers\ctdvda2k.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ctprxy2k
"DisplayName"="Creative Proxy Driver"
System32\drivers\ctprxy2k.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ctsfm2k
"DisplayName"="Creative SoundFont Management Device Driver"
System32\drivers\ctsfm2k.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dot4
"DisplayName"="MS IEEE-1284.4 Driver"
system32\DRIVERS\Dot4.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dot4Print
"DisplayName"="Print Class Driver for IEEE-1284.4"
system32\DRIVERS\Dot4Prt.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dot4Scan
"DisplayName"="Scan Class Driver for IEEE-1284.4"
system32\DRIVERS\Dot4Scan.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dot4usb
"DisplayName"="Dot4USB Filter Dot4USB Filter"
system32\DRIVERS\dot4usb.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DS1410D
"DisplayName"="DS1410D"
SYSTEM32\drivers\DS1410D.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ehRecvr
"DisplayName"="Media Center Receiver Service"
C:\Windows\eHome\ehRecvr.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ehSched
"DisplayName"="Media Center Scheduler Service"
C:\Windows\eHome\ehSched.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\emupia
"DisplayName"="E-mu Plug-in Architecture Driver"
System32\drivers\emupia2k.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ffzne
"DisplayName"="ffzne"
System32\DRIVERS\ffzne.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FontCache3.0.0.0
"DisplayName"="Windows Presentation Foundation Font Cache 3.0.0.0"
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FsVga
system32\DRIVERS\fsvga.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gexa
"DisplayName"="Std gexa Service"
C:\Windows\system32\rundll32.exe C:\PROGRA~1\COMMON~1\yssv\ljcf.dll,Service -s

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ha10kx2k
"DisplayName"="Creative Hardware Abstract Layer Driver"
System32\drivers\ha10kx2k.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hap16v2k
"DisplayName"="Creative P16V HAL Driver"
System32\drivers\hap16v2k.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hardware
"DisplayName"="Network Security"
%SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HdAudAddService
"DisplayName"="Microsoft UAA Function Driver for High Definition Audio Service"
system32\drivers\HdAudio.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HDAudBus
"DisplayName"="Microsoft UAA Bus Driver for High Definition Audio"
system32\DRIVERS\HDAudBus.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidUsb
"DisplayName"="Microsoft HID Class Driver"
system32\DRIVERS\hidusb.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HSFHWBS2
system32\DRIVERS\HSFHWBS2.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HSF_DP
system32\DRIVERS\HSF_DP.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IDriverT
"DisplayName"="InstallDriver Table Manager"
"C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc
"DisplayName"="Windows CardSpace"
"C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\incdrm
"DisplayName"="InCD EasyWrite Reader"
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntcAzAudAddService
"DisplayName"="Service for Realtek HD Audio (WDM)"
system32\drivers\RtkHDAud.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelppm
"DisplayName"="Intel Processor Driver"
system32\DRIVERS\intelppm.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Internet Connection Manager
"DisplayName"="Internet Connection Manager"
"C:\Windows\system32\internet.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid
"DisplayName"="Keyboard HID Driver"
system32\DRIVERS\kbdhid.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Macromedia Licensing Service
"DisplayName"="Macromedia Licensing Service"
"C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\maya70docserver
"DisplayName"="Maya 7.0 Documentation Server"
"C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McrdSvc
"DisplayName"="Media Center Extender Service"
C:\Windows\ehome\mcrdsvc.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MHN
"DisplayName"="MHN"
%SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MHNDRV
"DisplayName"="MHN driver"
system32\DRIVERS\mhndrv.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid
"DisplayName"="Mouse HID Driver"
system32\DRIVERS\mouhid.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mspath
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mspcidrv
"DisplayName"="mspcidrv"
system32\DRIVERS\mspcidrv.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqmx
"DisplayName"="msqmx"
system32\drivers\msqmx.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mxnic
"DisplayName"="Macronix MX987xx Family Fast Ethernet NT Driver"
system32\DRIVERS\mxnic.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTWorkStan
"DisplayName"="WindowsNt Workstation"
%SystemRoot%\System32\svchost.exe -k NTWorkStan

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\P3
"DisplayName"="Intel PentiumIII Processor Driver"
system32\DRIVERS\p3.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ptssvc
"DisplayName"="ptssvc"
C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PxHelp20
"DisplayName"="PxHelp20"
System32\Drivers\PxHelp20.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
"DisplayName"="Remote Registry"
%SystemRoot%\system32\svchost.exe -k LocalService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sentinel
"DisplayName"="Sentinel"
\SystemRoot\System32\Drivers\SENTINEL.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\serenum
"DisplayName"="Serenum Filter Driver"
system32\DRIVERS\serenum.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceModelEndpoint 3.0.0.0
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceModelOperation 3.0.0.0
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceModelService 3.0.0.0
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMSvcHost 3.0.0.0
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sqlservech
"DisplayName"="sqlserver support for winnt"
%SystemRoot%\System32\svchost.exe -k sqlservech

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stdupnet
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SunkFilt
"DisplayName"="Alcor Micro Corp Reader"
\??\C:\WINDOWS\System32\Drivers\sunkfilt.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tavsvc
"DisplayName"="Trend Micro AntiVirus Protection Service"
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmcomm
"DisplayName"="tmcomm"
\??\C:\Windows\system32\drivers\tmcomm.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmpreflt
"DisplayName"="tmpreflt"
system32\DRIVERS\tmpreflt.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmproxy
"DisplayName"="Trend Micro Proxy Service"
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmxpflt
"DisplayName"="tmxpflt"
system32\DRIVERS\tmxpflt.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UMWdf
"DisplayName"="Windows User Mode Driver Framework"
C:\WINDOWS\system32\wdfmgr.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USB
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbccgp
"DisplayName"="Microsoft USB Generic Parent Driver"
system32\DRIVERS\usbccgp.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbprint
"DisplayName"="Microsoft USB PRINTER Class"
system32\DRIVERS\usbprint.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbscan
"DisplayName"="USB Scanner Driver"
system32\DRIVERS\usbscan.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vcddev
"DisplayName"="VCD VNC Virtual Network Adapter"
system32\DRIVERS\vcdvnic.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsapint
"DisplayName"="vsapint"
system32\DRIVERS\vsapint.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wanatw
"DisplayName"="WAN Miniport (ATW)"
system32\DRIVERS\wanatw4.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winachsf
system32\DRIVERS\HSF_CNXT.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Workflow Foundation 3.0.0.0
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi
"DisplayName"="Windows Management Instrumentation Driver Extensions"
%SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wnttech
"DisplayName"="WindowsNt Network Engine"
%SystemRoot%\System32\svchost.exe -k wnttech

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpdUsb
"DisplayName"="WpdUsb"
System32\Drivers\wpdusb.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yukonwxp
"DisplayName"="NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller"
system32\DRIVERS\yk51x86.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{4224A12B-BDF8-439D-9CCF-021486D4F660}
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{4A67B8E0-67AE-4314-BA8D-815DAED95120}
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{BD608C97-5DCE-4430-A1C3-3B1478FD5F87}
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{F1E32419-6106-45E4-B497-54E66E109917}
no imagepath value found


--- SECURITYPROVIDERS regkey ---

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


--- SVCHOST regkey ---

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
HTTPFilter: HTTPFilter\0\0
LocalService: Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService: DnsCache\0\0
netsvcs: 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Hardware\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0MHN\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0Gentad\0\0
DcomLaunch: DcomLaunch\0TermService\0Messenger\0\0
rpcss: RpcSs\0\0
imgsvc: StiSvc\0\0
termsvcs: TermService\0\0
NTWorkStan: NTWorkStan\0\0
wnttech: wnttech\0\0
sqlservech: sqlservech\0\0


--- WOW-CMDLINE regkeys ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
"cmdline" = %SystemRoot%\system32\ntvdm.exe
"wowcmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386


--- STARTUP FOLDERS ---

C:\Documents and Settings\User\Start Menu\Programs\Startup\Adobe Gamma.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk


--- TASK SCHEDULER JOBS ---

no .job files found


--- File associations ---

.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("%1" %*)
.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.SCR files: ("%1" /S)
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)


FINISHED

I noticed that as reglooks is running there're messages on the reglooks screen saying some files related to Safe Boot couldn't be found, which I think is why I couldn't log into Safe Mode.

8. After I ran reglooks, I ran Hijack This again and this is the fresh Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:49:00 AM, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Windows\eHome\ehRecvr.exe
C:\Windows\eHome\ehSched.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\ALCWZRD.EXE
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\nvsvc32.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Windows\System32\svchost.exe
C:\Windows\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Windows\system32\conime.exe
C:\Windows\System32\alg.exe
c:\windows\system32\wbem\lsass.exe
C:\Documents and Settings\User\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: TeachingHandler - {31EBA2E2-58B2-4980-9C41-F12F5F1422C5} - C:\Program Files\Common Files\Collegesoft\Share Components\TPHANDLE.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Advance Helper - {8E25AC4A-B129-451B-BEE2-3B510BB751DA} - C:\Windows\system32\NTDLL32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: IE Browser Helper - {D0903A3B-F0EA-434a-9742-98C5335C7946} - C:\Windows\system32\IEHelper.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Internet] "C:\Windows\system32\internet.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_0
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = %SystemRoot%\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - AppInit_DLLs: C:\Windows\system32\NTDLL32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Indexing Data (BKMARKS) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Internet Connection Manager - Unknown owner - C:\Windows\system32\internet.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe

Also, when I ran Hijack This in Step 2 above, I disabled Trend Micro's anti-virus. My computer was also disconnected from the internet when I was doing all this cleaning and disinfecting.

Again, thanks so MUCH for your help! I've learned a lot just by following your instructions here.
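
The reglooks service dump and the SVCHOST regkey listing above are what a helper reads by eye. As an added example (not part of this thread or of reglooks), the script below parses that exact layout and applies three of those checks: a service whose body is a DLL launched through a rundll host, a service hosted in an svchost group that exists only for that one service, and a name in an svchost group with no service key in the dump. SAMPLE_DUMP is a constructed excerpt in the posted format.

```python
# Added example, not part of the thread: heuristic review of a reglooks-style service dump
# in the layout posted above. SAMPLE_DUMP is a constructed excerpt of that format.
import re
from dataclasses import dataclass

SAMPLE_DUMP = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BKMARKS
"DisplayName"="Indexing Data"
C:\WINDOWS\SYSTEM32\RUNDLLFROMWIN2000.EXE C:\WINDOWS\SYSTEM32\WBEM\SWQWS.DLL,Export 1087

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hardware
"DisplayName"="Network Security"
%SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mspath
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTWorkStan
"DisplayName"="WindowsNt Workstation"
%SystemRoot%\System32\svchost.exe -k NTWorkStan

--- SVCHOST regkey ---

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
netsvcs: Hardware\0Gentad\0\0
NTWorkStan: NTWorkStan\0\0
"""

SERVICE_KEY = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\(.+)$", re.I)
SVCHOST_KEY = re.compile(r"\\CurrentVersion\\Svchost$", re.I)
DISPLAY_NAME = re.compile(r'^"DisplayName"="(.*)"$')
GROUP_LINE = re.compile(r"^([\w.]+): (.*)$")
SVCHOST_CMD = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.I)
RUNDLL_HOST = re.compile(r"rundll(32|fromwin2000)\.exe", re.I)

@dataclass
class Service:
    name: str
    display: str = ""
    image: str = ""  # stays empty when the dump says "no imagepath value found"

def parse_dump(text):
    """Return ({lowercased service name: Service}, {lowercased svchost group: [members]})."""
    services, groups, current, in_svchost = {}, {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("---"):  # blank line or "--- SECTION ---" header
            current, in_svchost = None, in_svchost and not line.startswith("---")
            continue
        key = SERVICE_KEY.match(line)
        if key:
            current = services[key.group(1).lower()] = Service(key.group(1))
        elif SVCHOST_KEY.search(line):
            in_svchost = True
        elif in_svchost:
            grp = GROUP_LINE.match(line)
            if grp:  # members are NUL-separated in the registry; reglooks prints them as "\0"
                groups[grp.group(1).lower()] = [m for m in grp.group(2).split(r"\0") if m]
        elif current is not None:
            disp = DISPLAY_NAME.match(line)
            if disp:
                current.display = disp.group(1)
            elif line.lower() != "no imagepath value found":
                current.image = line
    return services, groups

def review(services, groups):
    """Return sorted (name, reason) pairs for the patterns worth a second look."""
    findings = []
    for svc in services.values():
        if RUNDLL_HOST.search(svc.image):
            findings.append((svc.name, "service body is a DLL loaded through a rundll host"))
        hosted = SVCHOST_CMD.search(svc.image)
        if hosted:
            members = [m.lower() for m in groups.get(hosted.group(1).lower(), [])]
            if members == [svc.name.lower()]:
                findings.append((svc.name, f"svchost group '{hosted.group(1)}' exists only for this service"))
    for group, members in groups.items():  # names in a group with no service key in the dump
        findings += [(m, f"listed in svchost group '{group}' but has no service key")
                     for m in members if m.lower() not in services]
    return sorted(findings)

if __name__ == "__main__":
    for name, reason in review(*parse_dump(SAMPLE_DUMP)):
        print(f"{name}: {reason}")
```

On the sample this reports BKMARKS (rundll host), Gentad (in netsvcs but no service key) and NTWorkStan (private svchost group); a finding is a prompt to look closer, not a verdict, since legitimate vendor services can also use private svchost groups.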

#11 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:00 AM

Posted 12 March 2007 - 05:48 AM

Hi wcbc, :flowers:

While I am analyzing all the information you have sent me, could you try to do a system restore and check if you can reboot in safe mode then.

Click Start > All Programs > Accessories > System Tools, and then click System Restore.
  • On the Welcome screen, click Restore my computer to an earlier time, and then click Next.
  • On the Select a Restore Point page, select the date from the calendar that shows the point you'd like to restore to, and then click Next.
  • On the Confirm Restore Point Selection page, verify that the correct restore point is chosen, and then close any open programs.
  • Click Next if you are ready to proceed or click Back to change the restore point.

Please let me know how this went.

P.S. This is a rather complicated problem so it would help if you keep to my instructions and not try and find solutions for yourself. :thumbsup:

#12 wcbc

wcbc
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:00 AM

Posted 14 March 2007 - 01:53 AM

hi Falu:
It seems like my System Restore is not working. I went to Start -> Programs -> Accessories -> System Tools -> System Restore as instructed, but when I click on System Restore, nothing happens.
I see an hourglass appear briefly, then it disappears, the computer makes some noise, and nothing happens.
All the other functions at System Tools appear to work fine. I got the other options at System Tools to work like Disk Defragmenter and System Information. So I don't know whether the current infection has sth to do w/this.

I also waited a day and restarted the system, same thing. System Restore didn't appear when I select it.
Please let me know what to do next. :thumbsup:
Hailu

Edited by wcbc, 14 March 2007 - 01:56 AM.


#13 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:00 AM

Posted 14 March 2007 - 04:29 PM

Hi wcbc, :flowers:

Like I explained earlier this is a very complicated thread. I need time to come up with appropriate and relevant suggestions for a solution.

I will post back for sure and a.s.a.p. of course.

Thanks for your patience. :thumbsup:

#14 wcbc

wcbc
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:00 AM

Posted 15 March 2007 - 01:33 AM

hi Falu:
Thanks very much for your help. I understand that this problem isn't easy to solve and computers can be fussy.
I'm not going to remove anything or visit suspicious sites and try to limit my computer usage til I get this fixed.

Thanks again and I'll wait for your reply. :thumbsup:

Edited by wcbc, 15 March 2007 - 01:33 AM.


#15 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:00 AM

Posted 16 March 2007 - 06:52 AM

Hi wcbc, :thumbsup:

First some answers to your questions, next instructions.

1.

I found some spyware.exe files in C:\ folder, so I simply deleted all the files in my C:\ folder (not the subfolders, only the files),


Could you be more specific on what you deleted exactly. Which files did you delete?

2.

I ran Hijack This and checked the entries you've marked in the post. However, I still get the same error pop up window as before.
Hijack This Error Window:
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: C:\Windows\system32\NTDLL32.dll)
Error #5 - Invalid procedure call or argument


You did well by ignoring it and continuing. It has nothing to do with Safe Mode but with the fact that you want HijackThis to fix an O20 entry.

3. I cleaned all my temp files in IE as instructed. I also cleaned my cookies and private data in Firefox. However, I don't know where to clean out my cache. I don't see a Clean History button.

When you ask Firefox to clean your Private Data you cleaned your Cache and History as well. Click Tools > Options > Privacy > Private Data Settings (near the bottom); a window opens and you'll see Cache and History checked.

4.

I don't know if it's normal for a computer to have files in Setup Log Files especially because I remember that when I cleaned computers before, I don't have anything under Setup Log Files


Look here for more info on SetUp Log files.

5. Okay I want you to edit your boot.ini. If anything goes wrong please let me know as specific as possible what went wrong and when in the process!
  • Click Start > My Computer.
  • Double-click the drive letter where Windows XP is installed.
  • On the Tools menu, click Folder Options.
  • Click the View tab.
  • Click the Show hidden files and folders button.
  • Click to clear the Hide protected operating system files (Recommended) check box.
  • Click OK.
  • In My Computer, double-click the Boot.ini file to open the file in Notepad.
  • Under [operating systems], replace the line that refers to Windows XP Setup with:
    multi(0)disk(0)rdisk(0)partition(1)\Windows="Safe Mode" /fastdetect /SAFEBOOT:MINIMAL
  • On the File menu, click Save.
  • Restart the computer.
You will see a menu and can choose Safe Mode.

6. While in Safe Mode:

Click Start > Run and type the following line in the text box:

%systemroot%\system32\restore\rstrui.exe

Hit Enter, this will open the system restore wizard and you can restore the system to a date before you had the problems.

7. When done reboot to go back into Normal mode.

Please post a fresh HijackThis log and let me know how this went!
