Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Dmvlite


  • This topic is locked This topic is locked
11 replies to this topic

#1 theweener

theweener

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 29 April 2007 - 07:34 PM

I am cleaning up a PC that my brother abused and neglected for a long time. I have removed a lot of garbage, upgraded the memory, and followed the suggestions in the Preparation Guide. I need help removing DMVlite and anything else I may have missed.

Logfile of HijackThis v1.99.1
Scan saved at 6:25:29 PM, on 4/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6A7BA69F-4D5D-4334-B677-57F5E4DD1125} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {965F41B6-D942-4389-9C54-8AE83335CA56} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {97ADAF6A-12F5-6D0D-8B2C-39E6788B59C6} - C:\WINDOWS\System32\ntzpqxi.dll (file missing)
O2 - BHO: (no name) - {B240C514-1776-4109-89A1-E5C5D21A6204} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {BE76FCA3-BA25-4C27-B976-FB1651FEB381} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {CCF35A01-EDA0-4311-98E4-C591A2D274EE} - C:\Program Files\CSBB\CSBB.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176930127562
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


Thank you!

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:12 AM

Posted 30 April 2007 - 05:20 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum theweener :thumbsup:

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE" using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {6A7BA69F-4D5D-4334-B677-57F5E4DD1125} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {965F41B6-D942-4389-9C54-8AE83335CA56} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {97ADAF6A-12F5-6D0D-8B2C-39E6788B59C6} - C:\WINDOWS\System32\ntzpqxi.dll (file missing)
O2 - BHO: (no name) - {B240C514-1776-4109-89A1-E5C5D21A6204} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {BE76FCA3-BA25-4C27-B976-FB1651FEB381} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {CCF35A01-EDA0-4311-98E4-C591A2D274EE} - C:\Program Files\CSBB\CSBB.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Exit Hijackthis.

Find and delete if present:
C:\Program Files\CSBB

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

********************************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 theweener

theweener
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 01 May 2007 - 07:28 AM

Thanks again!


=============================================================================
Dr.Web® Scanner for Windows v4.33.2 (4.33.2.10067)
Copyright © Igor Daniloff, 1992-2006
Log generated on: 2007-04-30, 19:11:17 [Administrator]
Command-line: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\cureit.exe" /lng /ini:cureit_XP.ini
Operating system:Windows XP Home Edition x86 (Build 2600), Service Pack 2
=============================================================================
Engine version: 4.33 (4.33.5.10110)
Engine API version: 2.01
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crwtoday.cdb - 290 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43385.cdb - 1405 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43384.cdb - 2530 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43383.cdb - 3927 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43382.cdb - 1811 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43381.cdb - 1262 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43380.cdb - 906 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43379.cdb - 1485 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43378.cdb - 2545 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43377.cdb - 1031 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43376.cdb - 1390 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43375.cdb - 1633 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43374.cdb - 2090 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43373.cdb - 1252 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43372.cdb - 1289 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43371.cdb - 2370 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43370.cdb - 2022 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43369.cdb - 687 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43368.cdb - 1099 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43367.cdb - 1834 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43366.cdb - 4015 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43365.cdb - 1342 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43364.cdb - 1335 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43363.cdb - 1152 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43362.cdb - 1006 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43361.cdb - 878 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43360.cdb - 988 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43359.cdb - 1205 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43358.cdb - 1139 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43357.cdb - 1302 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43356.cdb - 1332 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43355.cdb - 2456 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43354.cdb - 1283 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43353.cdb - 795 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43352.cdb - 2016 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43351.cdb - 941 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43350.cdb - 1020 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43349.cdb - 1008 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43348.cdb - 1096 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43347.cdb - 707 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43346.cdb - 1428 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43345.cdb - 1358 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43344.cdb - 694 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43343.cdb - 1186 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43342.cdb - 744 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43341.cdb - 841 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43340.cdb - 822 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43339.cdb - 1071 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43338.cdb - 989 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43337.cdb - 855 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43336.cdb - 1297 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43335.cdb - 1195 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43334.cdb - 900 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43333.cdb - 1381 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43332.cdb - 1340 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43331.cdb - 2735 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43330.cdb - 2078 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43329.cdb - 2490 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43328.cdb - 743 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43327.cdb - 958 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43326.cdb - 793 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43325.cdb - 713 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43324.cdb - 655 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43323.cdb - 655 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43322.cdb - 778 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43321.cdb - 846 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43320.cdb - 808 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43319.cdb - 764 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43318.cdb - 838 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43317.cdb - 363 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43316.cdb - 730 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43315.cdb - 627 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43314.cdb - 824 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43313.cdb - 842 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43312.cdb - 830 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43311.cdb - 862 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43310.cdb - 853 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43309.cdb - 733 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43308.cdb - 708 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43307.cdb - 839 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43306.cdb - 930 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43305.cdb - 759 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43304.cdb - 721 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43303.cdb - 638 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43302.cdb - 806 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43301.cdb - 504 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crw43300.cdb - 24 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crwebase.cdb - 78674 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\cwrtoday.cdb - 542 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\cwr43301.cdb - 697 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crwrisky.cdb - 1271 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\cwntoday.cdb - 531 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\cwn43308.cdb - 838 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\cwn43307.cdb - 854 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\cwn43306.cdb - 781 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\cwn43305.cdb - 752 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\cwn43304.cdb - 793 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\cwn43303.cdb - 766 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\cwn43302.cdb - 850 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\cwn43301.cdb - 772 virus records
[Virus base] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\crwnasty.cdb - 4867 virus records
Total virus records: 197410
Key file: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\cureit.key
License key number: 0010092936
Registered to: Dr.Web CureIt Project
License key activates: 2007-02-05
License key expires: 2010-02-11

-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 0
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 0 Kb/s
Scan time: 00:00:00
-----------------------------------------------------------------------------

[Scan path] c:\documents and settings\administrator\local settings\temp\rarsfx0\_start.exe
[Scan path] c:\documents and settings\administrator\local settings\temp\rarsfx0\cureit.exe
[Scan path] c:\documents and settings\administrator\start menu\programs\startup\autoplay.exe
[Scan path] c:\documents and settings\administrator\start menu\programs\startup\desktop.ini
[Scan path] c:\documents and settings\all users\start menu\programs\startup\desktop.ini
[Scan path] c:\documents and settings\owner\desktop\drweb-cureit.exe
[Scan path] c:\program files\adobe\acrobat 5.0\reader\activex\acroiehelper.ocx
[Scan path] c:\program files\common files\system\ole db\oledb32.dll
[Scan path] c:\program files\comodo\firewall\cmdagent.exe
[Scan path] c:\program files\comodo\firewall\cpf.exe
[Scan path] c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe
[Scan path] c:\program files\grisoft\avg anti-spyware 7.5\guard.exe
[Scan path] c:\program files\grisoft\avg anti-spyware 7.5\guard.sys
[Scan path] c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
[Scan path] c:\program files\grisoft\avg7\avgamsvr.exe
[Scan path] c:\program files\grisoft\avg7\avgcc.exe
[Scan path] c:\program files\grisoft\avg7\avgemc.exe
[Scan path] c:\program files\grisoft\avg7\avgse.dll
[Scan path] c:\program files\grisoft\avg7\avgupsvc.exe
[Scan path] c:\program files\grisoft\avg7\avgw.exe
[Scan path] c:\program files\messenger\msmsgs.exe
[Scan path] c:\program files\microsoft money\system\money startup.exe
[Scan path] c:\program files\outlook express\setup50.exe
[Scan path] c:\program files\outlook express\wabfind.dll
[Scan path] c:\windows\explorer.exe
[Scan path] c:\windows\inf\unregmp2.exe
[Scan path] c:\windows\msagent\agentpsh.dll
[Scan path] c:\windows\network diagnostic\xpnetdiag.exe
[Scan path] c:\windows\system32\advapi32.dll
[Scan path] c:\windows\system32\advpack.dll
[Scan path] c:\windows\system32\alg.exe
[Scan path] c:\windows\system32\appwiz.cpl
[Scan path] c:\windows\system32\autochk.exe
[Scan path] c:\windows\system32\browseui.dll
[Scan path] c:\windows\system32\cabview.dll
[Scan path] c:\windows\system32\cisvc.exe
[Scan path] c:\windows\system32\clipsrv.exe
[Scan path] c:\windows\system32\cnbjmon.dll
[Scan path] c:\windows\system32\comdlg32.dll
[Scan path] c:\windows\system32\crypt32.dll
[Scan path] c:\windows\system32\cryptext.dll
[Scan path] c:\windows\system32\cryptnet.dll
[Scan path] c:\windows\system32\cscdll.dll
[Scan path] c:\windows\system32\cscui.dll
[Scan path] c:\windows\system32\csrss.exe
[Scan path] c:\windows\system32\deskadp.dll
[Scan path] c:\windows\system32\deskmon.dll
[Scan path] c:\windows\system32\deskperf.dll
[Scan path] c:\windows\system32\dfsshlex.dll
[Scan path] c:\windows\system32\diskcopy.dll
[Scan path] c:\windows\system32\dllhost.exe
[Scan path] c:\windows\system32\dmadmin.exe
[Scan path] c:\windows\system32\docprop.dll
[Scan path] c:\windows\system32\docprop2.dll
[Scan path] c:\windows\system32\drivers\ac97via.sys
[Scan path] c:\windows\system32\drivers\acpi.sys
[Scan path] c:\windows\system32\drivers\aec.sys
[Scan path] c:\windows\system32\drivers\afd.sys
[Scan path] c:\windows\system32\drivers\agp440.sys
[Scan path] c:\windows\system32\drivers\amdagp.sys
[Scan path] c:\windows\system32\drivers\asyncmac.sys
[Scan path] c:\windows\system32\drivers\atapi.sys
[Scan path] c:\windows\system32\drivers\atmarpc.sys
[Scan path] c:\windows\system32\drivers\audstub.sys
[Scan path] c:\windows\system32\drivers\avg7core.sys
[Scan path] c:\windows\system32\drivers\avg7rsw.sys
[Scan path] c:\windows\system32\drivers\avg7rsxp.sys
[Scan path] c:\windows\system32\drivers\avgascln.sys
[Scan path] c:\windows\system32\drivers\avgclean.sys
[Scan path] c:\windows\system32\drivers\avgtdi.sys
[Scan path] c:\windows\system32\drivers\cdrom.sys
[Scan path] c:\windows\system32\drivers\cmdmon.sys
[Scan path] c:\windows\system32\drivers\disk.sys
[Scan path] c:\windows\system32\drivers\dmboot.sys
[Scan path] c:\windows\system32\drivers\dmio.sys
[Scan path] c:\windows\system32\drivers\dmload.sys
[Scan path] c:\windows\system32\drivers\dmusic.sys
[Scan path] c:\windows\system32\drivers\drmkaud.sys
[Scan path] c:\windows\system32\drivers\fdc.sys
[Scan path] c:\windows\system32\drivers\flpydisk.sys
[Scan path] c:\windows\system32\drivers\fltmgr.sys
[Scan path] c:\windows\system32\drivers\ftdisk.sys
[Scan path] c:\windows\system32\drivers\gameenum.sys
[Scan path] c:\windows\system32\drivers\hidusb.sys
[Scan path] c:\windows\system32\drivers\hpzid412.sys
[Scan path] c:\windows\system32\drivers\hpzipr12.sys
[Scan path] c:\windows\system32\drivers\hpzius12.sys
[Scan path] c:\windows\system32\drivers\http.sys
[Scan path] c:\windows\system32\drivers\i8042prt.sys
[Scan path] c:\windows\system32\drivers\i81xnt5.sys
[Scan path] c:\windows\system32\drivers\inspect.sys
[Scan path] c:\windows\system32\drivers\intelide.sys
[Scan path] c:\windows\system32\drivers\intelppm.sys
[Scan path] c:\windows\system32\drivers\ip6fw.sys
[Scan path] c:\windows\system32\drivers\ipfltdrv.sys
[Scan path] c:\windows\system32\drivers\ipinip.sys
[Scan path] c:\windows\system32\drivers\ipnat.sys
[Scan path] c:\windows\system32\drivers\ipsec.sys
[Scan path] c:\windows\system32\drivers\irenum.sys
[Scan path] c:\windows\system32\drivers\isapnp.sys
[Scan path] c:\windows\system32\drivers\kbdclass.sys
[Scan path] c:\windows\system32\drivers\kmixer.sys
[Scan path] c:\windows\system32\drivers\ltmdmnt.sys
[Scan path] c:\windows\system32\drivers\mouclass.sys
[Scan path] c:\windows\system32\drivers\mouhid.sys
[Scan path] c:\windows\system32\drivers\mrxdav.sys
[Scan path] c:\windows\system32\drivers\mrxsmb.sys
[Scan path] c:\windows\system32\drivers\msgpc.sys
[Scan path] c:\windows\system32\drivers\mskssrv.sys
[Scan path] c:\windows\system32\drivers\mspclock.sys
[Scan path] c:\windows\system32\drivers\mspqm.sys
[Scan path] c:\windows\system32\drivers\mssmbios.sys
[Scan path] c:\windows\system32\drivers\ndistapi.sys
[Scan path] c:\windows\system32\drivers\ndisuio.sys
[Scan path] c:\windows\system32\drivers\ndiswan.sys
[Scan path] c:\windows\system32\drivers\netbios.sys
[Scan path] c:\windows\system32\drivers\netbt.sys
[Scan path] c:\windows\system32\drivers\nv4_mini.sys
[Scan path] c:\windows\system32\drivers\nwlnkflt.sys
[Scan path] c:\windows\system32\drivers\nwlnkfwd.sys
[Scan path] c:\windows\system32\drivers\p3.sys
[Scan path] c:\windows\system32\drivers\parport.sys
[Scan path] c:\windows\system32\drivers\pci.sys
[Scan path] c:\windows\system32\drivers\processr.sys
[Scan path] c:\windows\system32\drivers\ps2.sys
[Scan path] c:\windows\system32\drivers\psched.sys
[Scan path] c:\windows\system32\drivers\ptilink.sys
[Scan path] c:\windows\system32\drivers\pxhelp20.sys
[Scan path] c:\windows\system32\drivers\rasacd.sys
[Scan path] c:\windows\system32\drivers\rasl2tp.sys
[Scan path] c:\windows\system32\drivers\raspppoe.sys
[Scan path] c:\windows\system32\drivers\raspptp.sys
[Scan path] c:\windows\system32\drivers\raspti.sys
[Scan path] c:\windows\system32\drivers\rdbss.sys
[Scan path] c:\windows\system32\drivers\rdpcdd.sys
[Scan path] c:\windows\system32\drivers\redbook.sys
[Scan path] c:\windows\system32\drivers\rtl8139.sys
[Scan path] c:\windows\system32\drivers\s3gnbm.sys
[Scan path] c:\windows\system32\drivers\scsiport.sys
[Scan path] c:\windows\system32\drivers\secdrv.sys
[Scan path] c:\windows\system32\drivers\serenum.sys
[Scan path] c:\windows\system32\drivers\serial.sys
[Scan path] c:\windows\system32\drivers\splitter.sys
[Scan path] c:\windows\system32\drivers\sr.sys
[Scan path] c:\windows\system32\drivers\srv.sys
[Scan path] c:\windows\system32\drivers\swenum.sys
[Scan path] c:\windows\system32\drivers\swmidi.sys
[Scan path] c:\windows\system32\drivers\sysaudio.sys
[Scan path] c:\windows\system32\drivers\tcpip.sys
[Scan path] c:\windows\system32\drivers\termdd.sys
[Scan path] c:\windows\system32\drivers\update.sys
[Scan path] c:\windows\system32\drivers\usbccgp.sys
[Scan path] c:\windows\system32\drivers\usbhub.sys
[Scan path] c:\windows\system32\drivers\usbprint.sys
[Scan path] c:\windows\system32\drivers\usbscan.sys
[Scan path] c:\windows\system32\drivers\usbstor.sys
[Scan path] c:\windows\system32\drivers\usbuhci.sys
[Scan path] c:\windows\system32\drivers\vga.sys
[Scan path] c:\windows\system32\drivers\viaagp.sys
[Scan path] c:\windows\system32\drivers\viaide.sys
[Scan path] c:\windows\system32\drivers\wadv01nt.sys
[Scan path] c:\windows\system32\drivers\wadv02nt.sys
[Scan path] c:\windows\system32\drivers\wadv05nt.sys
[Scan path] c:\windows\system32\drivers\wanarp.sys
[Scan path] c:\windows\system32\drivers\wandrv.sys
[Scan path] c:\windows\system32\drivers\watv01nt.sys
[Scan path] c:\windows\system32\drivers\watv02nt.sys
[Scan path] c:\windows\system32\drivers\watv04nt.sys
[Scan path] c:\windows\system32\drivers\wch7xxnt.sys
[Scan path] c:\windows\system32\drivers\wdmaud.sys
[Scan path] c:\windows\system32\drivers\wsiintxx.sys
[Scan path] c:\windows\system32\drivers\wvchntxx.sys
[Scan path] c:\windows\system32\dskquoui.dll
[Scan path] c:\windows\system32\dsquery.dll
[Scan path] c:\windows\system32\dssec.dll
[Scan path] c:\windows\system32\dsuiext.dll
[Scan path] c:\windows\system32\extmgr.dll
[Scan path] c:\windows\system32\fontext.dll
[Scan path] c:\windows\system32\gdi32.dll
[Scan path] c:\windows\system32\hpzipm12.exe
[Scan path] c:\windows\system32\hpzlnt04.dll
[Scan path] c:\windows\system32\hpzsnt07.dll
[Scan path] c:\windows\system32\hticons.dll
[Scan path] c:\windows\system32\icmui.dll
[Scan path] c:\windows\system32\ie4uinit.exe
[Scan path] c:\windows\system32\iedkcs32.dll
[Scan path] c:\windows\system32\ieframe.dll
[Scan path] c:\windows\system32\ieudinit.exe
[Scan path] c:\windows\system32\imagehlp.dll
[Scan path] c:\windows\system32\imapi.exe
[Scan path] c:\windows\system32\inetcomm.dll
[Scan path] c:\windows\system32\itss.dll
[Scan path] c:\windows\system32\kerberos.dll
[Scan path] c:\windows\system32\kernel32.dll
[Scan path] c:\windows\system32\localspl.dll
[Scan path] c:\windows\system32\locator.exe
[Scan path] c:\windows\system32\logon.scr
[Scan path] c:\windows\system32\logonui.exe
[Scan path] c:\windows\system32\lsass.exe
[Scan path] c:\windows\system32\lz32.dll
[Scan path] c:\windows\system32\mmcshext.dll
[Scan path] c:\windows\system32\mmsys.cpl
[Scan path] c:\windows\system32\mnmsrvc.exe
[Scan path] c:\windows\system32\msdtc.exe
[Scan path] c:\windows\system32\mshtml.dll
[Scan path] c:\windows\system32\msieftp.dll
[Scan path] c:\windows\system32\msiexec.exe
[Scan path] c:\windows\system32\mstask.dll
[Scan path] c:\windows\system32\msv1_0.dll
[Scan path] c:\windows\system32\msvidctl.dll
[Scan path] c:\windows\system32\mswsock.dll
[Scan path] c:\windows\system32\mydocs.dll
[Scan path] c:\windows\system32\netdde.exe
[Scan path] c:\windows\system32\netplwiz.dll
[Scan path] c:\windows\system32\netshell.dll
[Scan path] c:\windows\system32\ntlanui2.dll
[Scan path] c:\windows\system32\ntsd.exe
[Scan path] c:\windows\system32\ntshrui.dll
[Scan path] c:\windows\system32\occache.dll
[Scan path] c:\windows\system32\ole32.dll
[Scan path] c:\windows\system32\oleaut32.dll
[Scan path] c:\windows\system32\olecli32.dll
[Scan path] c:\windows\system32\olecnv32.dll
[Scan path] c:\windows\system32\olesvr32.dll
[Scan path] c:\windows\system32\olethk32.dll
[Scan path] c:\windows\system32\photowiz.dll
[Scan path] c:\windows\system32\pjlmon.dll
[Scan path] c:\windows\system32\printui.dll
[Scan path] c:\windows\system32\regsvr32.exe
[Scan path] c:\windows\system32\remotepg.dll
[Scan path] c:\windows\system32\rpcrt4.dll
[Scan path] c:\windows\system32\rpcss.dll
[Scan path] c:\windows\system32\rshx32.dll
[Scan path] c:\windows\system32\rsvp.exe
[Scan path] c:\windows\system32\rsvpsp.dll
[Scan path] c:\windows\system32\rundll32.exe
[Scan path] c:\windows\system32\scardsvr.exe
[Scan path] c:\windows\system32\scecli.dll
[Scan path] c:\windows\system32\schannel.dll
[Scan path] c:\windows\system32\sclgntfy.dll
[Scan path] c:\windows\system32\sendmail.dll
[Scan path] c:\windows\system32\services.exe
[Scan path] c:\windows\system32\sessmgr.exe
[Scan path] c:\windows\system32\setup\fxsocm.dll
[Scan path] c:\windows\system32\shdocvw.dll
[Scan path] c:\windows\system32\shell32.dll
[Scan path] c:\windows\system32\shimgvw.dll
[Scan path] c:\windows\system32\shmedia.dll
[Scan path] c:\windows\system32\shmgrate.exe
[Scan path] c:\windows\system32\shscrap.dll
[Scan path] c:\windows\system32\slayerxp.dll
[Scan path] c:\windows\system32\smlogsvc.exe
[Scan path] c:\windows\system32\smss.exe
[Scan path] c:\windows\system32\spoolsv.exe
[Scan path] c:\windows\system32\stobject.dll
[Scan path] c:\windows\system32\svchost.exe
[Scan path] c:\windows\system32\syncui.dll
[Scan path] c:\windows\system32\tcpmon.dll
[Scan path] c:\windows\system32\themeui.dll
[Scan path] c:\windows\system32\twext.dll
[Scan path] c:\windows\system32\ups.exe
[Scan path] c:\windows\system32\url.dll
[Scan path] c:\windows\system32\urlmon.dll
[Scan path] c:\windows\system32\usbmon.dll
[Scan path] c:\windows\system32\user32.dll
[Scan path] c:\windows\system32\version.dll
[Scan path] c:\windows\system32\vssvc.exe
[Scan path] c:\windows\system32\wbem\wmiapsrv.exe
[Scan path] c:\windows\system32\wdigest.dll
[Scan path] c:\windows\system32\webcheck.dll
[Scan path] c:\windows\system32\wgalogon.dll
[Scan path] c:\windows\system32\wiascr.dll
[Scan path] c:\windows\system32\wiashext.dll
[Scan path] c:\windows\system32\wininet.dll
[Scan path] c:\windows\system32\winlogon.exe
[Scan path] c:\windows\system32\wldap32.dll
[Scan path] c:\windows\system32\wlnotify.dll
[Scan path] c:\windows\system32\wmpshell.dll
[Scan path] c:\windows\system32\wshext.dll
[Scan path] c:\windows\system32\wuaucpl.cpl
[Scan path] c:\windows\system32\zipfldr.dll
-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 284
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 1399 Kb/s
Scan time: 00:00:57
-----------------------------------------------------------------------------

[Scan path] C:\
C:\Documents and Settings\Administrator\NTUSER.DAT - read error
C:\Documents and Settings\Administrator\NTUSER~1.LOG - read error
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - read error
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\USRCLA~1.LOG - read error
C:\Documents and Settings\NetworkService\NTUSER.DAT - read error
C:\Documents and Settings\NetworkService\NTUSER~1.LOG - read error
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - read error
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\USRCLA~1.LOG - read error
>C:\Documents and Settings\Owner\Application Data\wtta.exe infected with Trojan.PurityAd - deleted
C:\hp\bin\KillWind.exe is hacktool program Tool.ProcessKill
C:\Program Files\HPSelect\frontend\thirdparty\qt5\rebootnt.exe is hacktool program Tool.Reboot
C:\Program Files\Microsoft AntiSpyware\Quarantine\001E85A5-258A-4A96-996F-659723\33BA2B85-0801-4C23-AECD-588D76 is adware program Adware.ClearSearch
C:\Program Files\Microsoft AntiSpyware\Quarantine\001E85A5-258A-4A96-996F-659723\A158317C-EBE7-44E4-8FAD-CE967F is adware program Adware.ClearSearch
C:\Program Files\Microsoft AntiSpyware\Quarantine\BE8E264A-C631-46EF-9010-F3F418\0BF025E0-1C76-4FD3-B24F-E7D1CD is adware program Adware.VirtualBouncer
C:\Program Files\Microsoft AntiSpyware\Quarantine\BE8E264A-C631-46EF-9010-F3F418\DBB92442-36ED-4CC1-A7DC-35A009 is adware program Adware.VirtualBouncer
>C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP34\A0006967.exe infected with Trojan.PurityAd - deleted
>C:\temporary\install201.exe infected with Trojan.DownLoader.1719 - deleted
C:\WINDOWS\SYSTEM32\config\default - read error
C:\WINDOWS\SYSTEM32\config\default.LOG - read error
C:\WINDOWS\SYSTEM32\config\SAM - read error
C:\WINDOWS\SYSTEM32\config\SAM.LOG - read error
C:\WINDOWS\SYSTEM32\config\SECURITY - read error
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG - read error
C:\WINDOWS\SYSTEM32\config\software - read error
C:\WINDOWS\SYSTEM32\config\software.LOG - read error
C:\WINDOWS\SYSTEM32\config\system - read error
C:\WINDOWS\SYSTEM32\config\system.LOG - read error

-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 88670
Infected objects found: 3
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 4
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 2
Objects cured: 0
Objects deleted: 3
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 114 Kb/s
Scan time: 02:04:32
-----------------------------------------------------------------------------

C:\hp\bin\KillWind.exe - incurable - moved
C:\Program Files\HPSelect\frontend\thirdparty\qt5\rebootnt.exe - incurable - moved
C:\Program Files\Microsoft AntiSpyware\Quarantine\001E85A5-258A-4A96-996F-659723\33BA2B85-0801-4C23-AECD-588D76 - incurable - moved
C:\Program Files\Microsoft AntiSpyware\Quarantine\001E85A5-258A-4A96-996F-659723\A158317C-EBE7-44E4-8FAD-CE967F - incurable - moved
C:\Program Files\Microsoft AntiSpyware\Quarantine\BE8E264A-C631-46EF-9010-F3F418\0BF025E0-1C76-4FD3-B24F-E7D1CD - incurable - moved
C:\Program Files\Microsoft AntiSpyware\Quarantine\BE8E264A-C631-46EF-9010-F3F418\DBB92442-36ED-4CC1-A7DC-35A009 - incurable - moved

=============================================================================
Total session statistics
=============================================================================
Objects scanned: 88954
Infected objects found: 3
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 4
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 2
Objects cured: 0
Objects deleted: 3
Objects renamed: 0
Objects moved: 6
Objects ignored: 0
Scan speed: 124 Kb/s
Scan time: 02:05:29
=============================================================================


"Owner" - 07-04-30 21:26:39 Service Pack 2
ComboFix 07-04-28.V - Running from: "C:\Documents and Settings\Owner\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\install.log
C:\WINDOWS\system32\vmss


((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-30 ))))))))))))))))))))))))))))))))))


2007-04-30 19:11 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-04-30 19:05 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-30 19:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-04-30 19:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-04-28 16:39 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-04-28 16:02 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Comodo
2007-04-28 16:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-04-28 16:00 <DIR> d-------- C:\Program Files\Comodo
2007-04-28 11:19 2,243,260 --ah----- C:\WINDOWS\SYSTEM32\spython.bin
2007-04-28 10:05 <DIR> d-------- C:\Program Files\iolo
2007-04-18 21:29 262,144 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-04-18 18:43 <DIR> d-------- C:\WINDOWS\provisioning
2007-04-18 18:43 <DIR> d-------- C:\WINDOWS\peernet
2007-04-18 17:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-18 17:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-04-18 17:20 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-04-18 17:08 18,200 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-04-18 17:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\SoftwareDistribution
2007-04-17 19:54 198,424 --a------ C:\WINDOWS\SYSTEM32\iuengine.dll
2007-04-15 18:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-15 17:26 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-04-15 17:00 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2007-04-15 14:43 23,040 --a------ C:\WINDOWS\SYSTEM32\drivers\mouclass.sys
2007-04-15 14:43 12,160 --a------ C:\WINDOWS\SYSTEM32\drivers\mouhid.sys
2007-04-15 14:21 9,600 --a------ C:\WINDOWS\SYSTEM32\drivers\hidusb.sys
2007-04-15 14:21 36,224 --a------ C:\WINDOWS\SYSTEM32\drivers\hidclass.sys
2007-04-15 14:20 24,960 --a------ C:\WINDOWS\SYSTEM32\drivers\hidparse.sys
2007-04-14 17:03 3,968 --a------ C:\WINDOWS\SYSTEM32\drivers\AvgAsCln.sys
2007-04-14 15:56 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-04-14 15:56 348,160 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-04-14 15:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-04-14 15:20 20,992 --a------ C:\WINDOWS\SYSTEM32\hid.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-28 12:40 -------- d-------- C:\Program Files\microsoft works
2007-04-18 21:27 -------- d-------- C:\Program Files\messenger
2007-04-18 18:43 -------- d-------- C:\Program Files\movie maker
2007-04-18 18:37 -------- d-------- C:\Program Files\windows nt
2007-04-17 16:33 -------- d-------- C:\Program Files\hp deskjet 960c series
2007-04-17 16:33 -------- d-------- C:\Program Files\google
2007-04-17 15:46 -------- d-------- C:\Program Files\hewlett-packard
2007-04-17 15:28 -------- d--h----- C:\Program Files\installshield installation information
2007-03-17 09:43 292864 --a------ C:\WINDOWS\SYSTEM32\winsrv.dll
2007-03-08 11:36 577536 --a------ C:\WINDOWS\SYSTEM32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\SYSTEM32\win32k.sys
2007-02-05 16:17 185344 --a------ C:\WINDOWS\SYSTEM32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Defender Pro Firewall Help.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Defender Pro Firewall Help.lnk"
"backup"="C:\\WINDOWS\\pss\\Defender Pro Firewall Help.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Defender\\DEFEND~1\\kavpf.chm "
"item"="Defender Pro Firewall Help"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Defender Pro Firewall Uninstall.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Defender Pro Firewall Uninstall.lnk"
"backup"="C:\\WINDOWS\\pss\\Defender Pro Firewall Uninstall.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\Driver\\7\\INTEL3~1\\IDriver.exe /M{75D46594-4DE1-4A90-AE74-38637D301EF2} "
"item"="Defender Pro Firewall Uninstall"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Defender Pro Firewall.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Defender Pro Firewall.lnk"
"backup"="C:\\WINDOWS\\pss\\Defender Pro Firewall.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{75D46594-4DE1-4A90-AE74-38637D301EF2}\\StartUpShortcut.exe /silence"
"item"="Defender Pro Firewall"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Defender Pro Web Site.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Defender Pro Web Site.lnk"
"backup"="C:\\WINDOWS\\pss\\Defender Pro Web Site.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Defender\\DEFEND~1\\kpfw.url "
"item"="Defender Pro Web Site"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hp center UI.lnk"
"backup"="C:\\WINDOWS\\pss\\hp center UI.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HPCENT~1\\137903\\Shadow\\SHADOW~1.EXE -STARTUP"
"item"="hp center UI"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hp center.lnk"
"backup"="C:\\WINDOWS\\pss\\hp center.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HPCENT~1\\137903\\Program\\BACKWE~1.EXE -startup"
"item"="hp center"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerPanel.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\PowerPanel.lnk"
"backup"="C:\\WINDOWS\\pss\\PowerPanel.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\CYBERP~1\\POWERP~1\\PowPanel.exe "
"item"="PowerPanel"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\AIM95\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antispy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dpas"
"hkey"="HKLM"
"command"="C:\\Program Files\\Defender Pro\\AntiSpy\\Dpas.exe startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoaderuwra1IWlVOLP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pow3prt"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\System32\\pow3prt.exe\" "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\evqtuywjlxe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bcqkgs"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\farmmext]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="farmmext"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gcasServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb07"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpsysdrv"
"hkey"="HKLM"
"command"="c:\\windows\\system\\hpsysdrv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lxuyfeh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="w?nspool"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\w?nspool.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcagent"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcupdate"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memcelerator]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="memcelerator"
"hkey"="HKLM"
"command"="C:\\Program Files\\Memcelerator\\memcelerator.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKCU"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Money Express"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wtta"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\Owner\\Application Data\\wtta.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ps2"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RECGUARD"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\u38Q36j]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pow3prt"
"hkey"="HKLM"
"command"="pow3prt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmss]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vmss"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wupdt"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=dword:00000002
"MCVSRte"=dword:00000002
"mcupdmgr.exe"=dword:00000003
"McShield"=dword:00000003
"WZCSVC"=dword:00000002
"wuauserv"=dword:00000002
"WebCl

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:12 AM

Posted 01 May 2007 - 07:53 AM

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as..Save as Type: 'All Files' File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry,then reboot.

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\evqtuywjlxe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\farmmext]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lxuyfeh]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Memcelerator]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\u38Q36j]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmss]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]


Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#5 theweener

theweener
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 01 May 2007 - 09:32 AM

"Owner" - 07-05-01 10:14:10 Service Pack 2
ComboFix 07-04-28.V - Running from: "C:\Documents and Settings\Owner\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-01 to 2007-05-01 ))))))))))))))))))))))))))))))))))


2007-04-30 21:30 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-30 19:11 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-04-30 19:05 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-30 19:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-04-30 19:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-04-28 16:39 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-04-28 16:02 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Comodo
2007-04-28 16:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-04-28 16:00 <DIR> d-------- C:\Program Files\Comodo
2007-04-28 11:19 2,243,260 --ah----- C:\WINDOWS\SYSTEM32\spython.bin
2007-04-28 10:05 <DIR> d-------- C:\Program Files\iolo
2007-04-18 21:29 262,144 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
2007-04-18 18:43 <DIR> d-------- C:\WINDOWS\provisioning
2007-04-18 18:43 <DIR> d-------- C:\WINDOWS\peernet
2007-04-18 17:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-18 17:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-04-18 17:20 22,752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2007-04-18 17:08 18,200 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-04-18 17:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\SoftwareDistribution
2007-04-17 19:54 198,424 --a------ C:\WINDOWS\SYSTEM32\iuengine.dll
2007-04-15 18:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-15 17:26 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-04-15 17:00 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Google
2007-04-15 14:43 23,040 --a------ C:\WINDOWS\SYSTEM32\drivers\mouclass.sys
2007-04-15 14:43 12,160 --a------ C:\WINDOWS\SYSTEM32\drivers\mouhid.sys
2007-04-15 14:21 9,600 --a------ C:\WINDOWS\SYSTEM32\drivers\hidusb.sys
2007-04-15 14:21 36,224 --a------ C:\WINDOWS\SYSTEM32\drivers\hidclass.sys
2007-04-15 14:20 24,960 --a------ C:\WINDOWS\SYSTEM32\drivers\hidparse.sys
2007-04-14 17:03 3,968 --a------ C:\WINDOWS\SYSTEM32\drivers\AvgAsCln.sys
2007-04-14 15:56 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-04-14 15:56 348,160 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-04-14 15:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-04-14 15:20 20,992 --a------ C:\WINDOWS\SYSTEM32\hid.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-28 12:40 -------- d-------- C:\Program Files\microsoft works
2007-04-18 21:27 -------- d-------- C:\Program Files\messenger
2007-04-18 18:43 -------- d-------- C:\Program Files\movie maker
2007-04-18 18:37 -------- d-------- C:\Program Files\windows nt
2007-04-17 16:33 -------- d-------- C:\Program Files\hp deskjet 960c series
2007-04-17 16:33 -------- d-------- C:\Program Files\google
2007-04-17 15:46 -------- d-------- C:\Program Files\hewlett-packard
2007-04-17 15:28 -------- d--h----- C:\Program Files\installshield installation information
2007-03-17 09:43 292864 --a------ C:\WINDOWS\SYSTEM32\winsrv.dll
2007-03-08 11:36 577536 --a------ C:\WINDOWS\SYSTEM32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\SYSTEM32\win32k.sys
2007-02-05 16:17 185344 --a------ C:\WINDOWS\SYSTEM32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Defender Pro Firewall Help.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Defender Pro Firewall Help.lnk"
"backup"="C:\\WINDOWS\\pss\\Defender Pro Firewall Help.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Defender\\DEFEND~1\\kavpf.chm "
"item"="Defender Pro Firewall Help"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Defender Pro Firewall Uninstall.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Defender Pro Firewall Uninstall.lnk"
"backup"="C:\\WINDOWS\\pss\\Defender Pro Firewall Uninstall.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\Driver\\7\\INTEL3~1\\IDriver.exe /M{75D46594-4DE1-4A90-AE74-38637D301EF2} "
"item"="Defender Pro Firewall Uninstall"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Defender Pro Firewall.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Defender Pro Firewall.lnk"
"backup"="C:\\WINDOWS\\pss\\Defender Pro Firewall.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{75D46594-4DE1-4A90-AE74-38637D301EF2}\\StartUpShortcut.exe /silence"
"item"="Defender Pro Firewall"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Defender Pro Web Site.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Defender Pro Web Site.lnk"
"backup"="C:\\WINDOWS\\pss\\Defender Pro Web Site.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Defender\\DEFEND~1\\kpfw.url "
"item"="Defender Pro Web Site"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hp center UI.lnk"
"backup"="C:\\WINDOWS\\pss\\hp center UI.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HPCENT~1\\137903\\Shadow\\SHADOW~1.EXE -STARTUP"
"item"="hp center UI"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hp center.lnk"
"backup"="C:\\WINDOWS\\pss\\hp center.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HPCENT~1\\137903\\Program\\BACKWE~1.EXE -startup"
"item"="hp center"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerPanel.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\PowerPanel.lnk"
"backup"="C:\\WINDOWS\\pss\\PowerPanel.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\CYBERP~1\\POWERP~1\\PowPanel.exe "
"item"="PowerPanel"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\AIM95\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antispy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dpas"
"hkey"="HKLM"
"command"="C:\\Program Files\\Defender Pro\\AntiSpy\\Dpas.exe startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoaderuwra1IWlVOLP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pow3prt"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\System32\\pow3prt.exe\" "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gcasServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb07"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpsysdrv"
"hkey"="HKLM"
"command"="c:\\windows\\system\\hpsysdrv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcagent"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcupdate"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKCU"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Money Express"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ps2"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RECGUARD"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=dword:00000002
"MCVSRte"=dword:00000002
"mcupdmgr.exe"=dword:00000003
"McShield"=dword:00000003
"WZCSVC"=dword:00000002
"wuauserv"=dword:00000002
"WebClient"=dword:00000002
"Spooler"=dword:00000002
"ShellHWDetection"=dword:00000002
"SharedAccess"=dword:00000003
"SENS"=dword:00000002
"seclogon"=dword:00000002
"Nla"=dword:00000003
"Netman"=dword:00000003
"lanmanserver"=dword:00000002
"helpsvc"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-01 10:17:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-01 10:17:44
C:\ComboFix-quarantined-files.txt ... 07-05-01 10:17
C:\ComboFix2.txt ... 07-04-30 21:30



Logfile of HijackThis v1.99.1
Scan saved at 10:20:31 AM, on 5/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176930127562
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:12 AM

Posted 01 May 2007 - 09:50 AM

Download Registry Search Tool:
http://billsway.com/vbspage/
Unzip the contents of RegSrch.zip to a convenient location.
Double-click on RegSrch.vbs.
If you have an anti-virus installed it might prompt you about a running script.
Please ignore this warning and allow the script to run.
In the "Enter search string (case insensitive) and click OK..." box, paste in the following:

Dmvlite

Click "OK" to search the registry for that string.
Wait for a few minutes while it completes the search.
Click "OK" to open the results in WordPad.
Copy and paste the entire results into your next reply.
Posted Image
Posted Image

#7 theweener

theweener
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 01 May 2007 - 02:48 PM

I downloaded and unzipped RegSrch.vbs, but when I try to run the unzipped file it opens in NotePad and does not prompt me to allow the script. Under Properties it said that the file was blocked to protect my computer. I clicked Unblock, but it still just opens in NotePad, and I don't get a prompt to allow the script or enter the search string. What am I doing wrong?

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:12 AM

Posted 01 May 2007 - 03:12 PM

Download RegSeeker 1.52.zip
Right click on a blank area of your desktop,click 'New'>'Folder',rename it 'RegSeeker'.
Unzip/extract RegSeeker.zip to that new folder.
Launch RegSeeker.
Click on 'Find in Registry' at the top.
In the 'Search for:' space,copy and paste:
Dmvlite
Then press 'Search!'.
Once the search has finished,highlight any one entry with a single left click.
Then click on 'Select' at the bottom.
In the menu that pops up click on 'Select all'.
Now right click anywhere on the yellow highlighted area 'Delete selected items'.
Once they've all been deleted,search again.
Keep searching and deleting until all the Dmvlite entries are gone.
Close the program when it's finished.

Once you've done the above restart your pc.
Let me know how your pc is running,also are there any signs of Dmvlite now.
Posted Image
Posted Image

#9 theweener

theweener
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 01 May 2007 - 03:41 PM

Everything seems to be running fine, and I don't see Dmvlite anywhere.

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:12 AM

Posted 01 May 2007 - 04:14 PM

Your log is clean :thumbsup:
If all's ok,please do the following:

Find and delete:
C:\QooBox

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
Posted Image
Posted Image

#11 theweener

theweener
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:12 AM

Posted 01 May 2007 - 05:57 PM

All is well...

I had already found the page 'How to prevent malware' and sent it to my brother's email, so that when I give back his PC it will be the first thing he sees. :thumbsup: He's also had a nice lecture.

You've been awesome! Thanks so much!

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:11:12 AM

Posted 01 May 2007 - 07:35 PM

You're welcome :thumbsup:

Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users