
Partnershipreg Problem


5 replies to this topic

#1 chriscfi

chriscfi

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:57 AM

Posted 26 May 2007 - 11:33 PM

Computer was infected by various viruses and bugs. Have eliminated most but cannot get rid of the partnershipreg problem.
HJT log reads as follows:
Logfile of HijackThis v1.99.1
Scan saved at 3:02:53 PM, on 5/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1180206568000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179945581625
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B5EB26D-5CF2-438C-B497-EA2DAC9278F4}: NameServer = 69.27.200.15,69.27.200.16
O20 - Winlogon Notify: partnershipreg - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: Winmsc - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Removed the O20 with HJT but it returns with each reboot. Windows Update reboots the computer with no warning, no BSOD, just restarts.
Help please.
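As an added, offline example (not code from HijackThis, ComboFix or either poster), a small Python triage pass over lines shaped like the O2/O4/O20 entries in the log above. It flags the O20 Winlogon Notify entries whose path names no DLL (the partnershipreg and Winmsc lines that keep coming back after reboot), the orphaned O2 BHO with "(no file)", and any O4 Run entry whose program has no directory and so is resolved by PATH search. The sample lines are constructed from the log above; the regexes, severity labels and the `triage` function are this example's own, not part of any tool.

```python
"""Offline triage of HijackThis (HJT) log lines.

Example code written for this thread, not part of HijackThis, ComboFix or
BleepingComputer's own tooling. It looks at three HJT sections:
  O20 - Winlogon Notify entries (DLLs loaded by winlogon.exe at boot/logon)
  O2  - Browser Helper Objects
  O4  - Run keys
and returns findings a helper would want to look at first.
"""
import re
from dataclasses import dataclass

# Constructed sample, shaped like the O2/O4/O20 lines in the log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: partnershipreg - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: Winmsc - C:\WINDOWS\
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low" (this example's own scale)
    section: str    # HJT section code, e.g. "O20"
    name: str       # entry name (or CLSID) as HJT prints it
    reason: str


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def _executable_of(cmd: str) -> str:
    """Return the program part of a Run command: a quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> list[Finding]:
    """Parse HJT lines and return findings sorted high -> low severity."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O20_RE.match(line):
            path = m["path"].strip()
            # A Notify key must point at a DLL; a bare directory means the
            # DllName value is missing or empty, which is exactly the
            # partnershipreg/Winmsc pattern in this thread.
            if not path.lower().endswith(".dll"):
                findings.append(Finding("high", "O20", m["name"],
                                        f"Winlogon Notify key names no DLL (path {path!r}); "
                                        "inspect the registry key directly, not just HJT's view"))
        elif m := O2_RE.match(line):
            if m["path"].strip().lower() == "(no file)":
                findings.append(Finding("low", "O2", m["clsid"],
                                        "BHO CLSID registered but no file on disk; orphaned entry"))
        elif m := O4_RE.match(line):
            exe = _executable_of(m["cmd"])
            # No directory component: Windows resolves it by PATH search, so
            # confirm which file actually runs before calling it benign.
            if exe and "\\" not in exe:
                findings.append(Finding("medium", "O4", m["name"],
                                        f"Run entry {exe!r} has no directory; located via PATH search"))
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.name}: {f.reason}")
```

The point of the O20 check is that HJT only shows what the registry says; when the path is a bare `C:\WINDOWS\`, the Notify subkey exists but carries no usable DllName, and the thing to look at is who recreates that key at each reboot, which is why the next reply moves on to a ComboFix run.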


#2 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:57 PM

Posted 27 May 2007 - 07:05 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

I see you are running TeaTimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Step #2

Scan again with HijackThis and check the following items:
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O20 - Winlogon Notify: partnershipreg - C:\WINDOWS\
O20 - Winlogon Notify: Winmsc - C:\WINDOWS\

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Reboot your computer after that.

Step #3

Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

#3 chriscfi

chriscfi
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:57 AM

Posted 27 May 2007 - 03:52 PM

"Ashley" - 2007-05-27 12:24:27 Service Pack 2 [SAFE MODE]
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Ashley\Desktop\"

Rootkit driver pe386 is present. A rootkit scan is required

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\0_exception.nls"
"C:\WINDOWS\system32\monterreyg_unknown.exe"
"C:\WINDOWS\monterreyg_unknown.exe"
"C:\WINDOWS\system32\RunOnce3.tm_"
"C:\WINDOWS\system32\RunOnce3.t__"
"C:\WINDOWS\system32\aspi262343.exe"
"C:\WINDOWS\system32\driverg.dll"
"C:\WINDOWS\system32\driverg.exe"
"C:\Documents and Settings\All Users.\documents\settings\desktop.ini"
"C:\DOCUME~1\Ashley\Desktop\internet.lnk"
"C:\WINDOWS\system32\ldinfo.ldr"
"C:\WINDOWS\system32\svchosts.lzma"
"C:\WINDOWS\g32.txt"
"C:\WINDOWS\gs32.txt"
"C:\WINDOWS\stat"
"C:\Documents and Settings\All Users.\documents\settings"
"C:\WINDOWS\trace"
"C:\WINDOWS\DOWNLO~1.\ODCTOOLS"

Purity Folders:

C:\WINDOWS\system32\YMBOLS~1
C:\WINDOWS\system32\DOBE~1
C:\WINDOWS\system32\SEMBLY~1
C:\WINDOWS\system32\CROSOF~1
C:\WINDOWS\system32\ASKS~1
C:\Program Files\Common Files\ASEMBL~1
C:\Program Files\Common Files\MANTEC~1



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASPI113210
-------\LEGACY_CLIENT_IP-IPX


((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))


2007-05-26 11:40 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-05-26 11:23 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-05-26 11:06 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-05-26 11:06 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-05-25 20:59 <DIR> d-------- C:\2e523c2358a0fbf2f5dec78e040c82
2007-05-25 16:48 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-25 16:14 12,286,925 --------- C:\AVG7QT.DAT
2007-05-25 10:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-24 22:47 <DIR> d-------- C:\Documents and Settings\Ashley\DoctorWeb
2007-05-24 22:47 <DIR> d-------- C:\DOCUME~1\Ashley\DoctorWeb
2007-05-24 22:45 <DIR> d-------- C:\Program Files\CCleaner
2007-05-24 22:27 <DIR> d-------- C:\VundoFix Backups
2007-05-24 15:37 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-05-24 15:06 <DIR> d-------- C:\WINDOWS\Prefetch
2007-05-24 14:45 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-05-24 14:45 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-05-24 10:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-05-23 21:01 <DIR> d-------- C:\WINDOWS\LastGood
2007-05-23 16:48 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-05-23 16:29 9,728 --a------ C:\WINDOWS\system32\comsdupd.exe
2007-05-23 16:28 95,424 --a------ C:\WINDOWS\system32\drivers\slnthal.sys
2007-05-23 16:28 86,016 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2007-05-23 16:28 78,464 --a------ C:\WINDOWS\system32\drivers\usbvideo.sys
2007-05-23 16:28 73,832 --a------ C:\WINDOWS\system32\slcoinst.dll
2007-05-23 16:28 73,796 --a------ C:\WINDOWS\system32\slserv.exe
2007-05-23 16:28 685,056 --a------ C:\WINDOWS\system32\drivers\hsfcxts2.sys
2007-05-23 16:28 63,663 --a------ C:\WINDOWS\system32\drivers\ati1rvxx.sys
2007-05-23 16:28 56,623 --a------ C:\WINDOWS\system32\drivers\ati1btxx.sys
2007-05-23 16:28 516,768 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-05-23 16:28 46,464 --a------ C:\WINDOWS\system32\drivers\gagp30kx.sys
2007-05-23 16:28 452,736 --a------ C:\WINDOWS\system32\drivers\mtxparhm.sys
2007-05-23 16:28 44,928 --a------ C:\WINDOWS\system32\drivers\agpcpq.sys
2007-05-23 16:28 44,672 --a------ C:\WINDOWS\system32\drivers\uagp35.sys
2007-05-23 16:28 43,008 --a------ C:\WINDOWS\system32\drivers\amdagp.sys
2007-05-23 16:28 42,752 --a------ C:\WINDOWS\system32\drivers\alim1541.sys
2007-05-23 16:28 42,240 --a------ C:\WINDOWS\system32\drivers\viaagp.sys
2007-05-23 16:28 41,088 --a------ C:\WINDOWS\system32\drivers\sisagp.sys
2007-05-23 16:28 404,990 --a------ C:\WINDOWS\system32\drivers\slntamr.sys
2007-05-23 16:28 4,255 --a------ C:\WINDOWS\system32\drivers\adv01nt5.dll
2007-05-23 16:28 397,056 --a------ C:\WINDOWS\system32\s3gnb.dll
2007-05-23 16:28 36,463 --a------ C:\WINDOWS\system32\drivers\ati1tuxx.sys
2007-05-23 16:28 34,735 --a------ C:\WINDOWS\system32\drivers\ati1xsxx.sys
2007-05-23 16:28 32,866 --a------ C:\WINDOWS\system32\slrundll.exe
2007-05-23 16:28 32,866 --a------ C:\WINDOWS\slrundll.exe
2007-05-23 16:28 32,768 --a------ C:\WINDOWS\system32\ativtmxx.dll
2007-05-23 16:28 32,285 --a------ C:\WINDOWS\system32\hsfcisp2.dll
2007-05-23 16:28 30,671 --a------ C:\WINDOWS\system32\drivers\ati1raxx.sys
2007-05-23 16:28 30,080 --a------ C:\WINDOWS\system32\drivers\rndismpx.sys
2007-05-23 16:28 3,967 --a------ C:\WINDOWS\system32\drivers\adv02nt5.dll
2007-05-23 16:28 3,901 --a------ C:\WINDOWS\system32\drivers\siint5.dll
2007-05-23 16:28 3,775 --a------ C:\WINDOWS\system32\drivers\adv11nt5.dll
2007-05-23 16:28 3,711 --a------ C:\WINDOWS\system32\drivers\adv09nt5.dll
2007-05-23 16:28 3,647 --a------ C:\WINDOWS\system32\drivers\adv07nt5.dll
2007-05-23 16:28 3,615 --a------ C:\WINDOWS\system32\drivers\adv05nt5.dll
2007-05-23 16:28 3,135 --a------ C:\WINDOWS\system32\drivers\adv08nt5.dll
2007-05-23 16:28 29,455 --a------ C:\WINDOWS\system32\drivers\ati1xbxx.sys
2007-05-23 16:28 286,792 --a------ C:\WINDOWS\system32\slextspk.dll
2007-05-23 16:28 26,367 --a------ C:\WINDOWS\system32\drivers\ati1snxx.sys
2007-05-23 16:28 25,471 --a------ C:\WINDOWS\system32\drivers\watv10nt.sys
2007-05-23 16:28 25,471 --a------ C:\WINDOWS\system32\drivers\atv04nt5.dll
2007-05-23 16:28 229,376 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-05-23 16:28 220,032 --a------ C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2007-05-23 16:28 22,528 --a------ C:\WINDOWS\system32\fltmc.exe
2007-05-23 16:28 22,271 --a------ C:\WINDOWS\system32\drivers\watv06nt.sys
2007-05-23 16:28 21,343 --a------ C:\WINDOWS\system32\drivers\ati1ttxx.sys
2007-05-23 16:28 21,183 --a------ C:\WINDOWS\system32\drivers\atv01nt5.dll
2007-05-23 16:28 188,508 --a------ C:\WINDOWS\system32\slgen.dll
2007-05-23 16:28 180,360 --a------ C:\WINDOWS\system32\drivers\ntmtlfax.sys
2007-05-23 16:28 17,279 --a------ C:\WINDOWS\system32\drivers\atv10nt5.dll
2007-05-23 16:28 166,912 --a------ C:\WINDOWS\system32\drivers\s3gnbm.sys
2007-05-23 16:28 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2007-05-23 16:28 15,423 --a------ C:\WINDOWS\system32\drivers\ch7xxnt5.dll
2007-05-23 16:28 14,143 --a------ C:\WINDOWS\system32\drivers\atv06nt5.dll
2007-05-23 16:28 13,776 --a------ C:\WINDOWS\system32\drivers\recagent.sys
2007-05-23 16:28 13,240 --a------ C:\WINDOWS\system32\drivers\slwdmsup.sys
2007-05-23 16:28 129,535 --a------ C:\WINDOWS\system32\drivers\slnt7554.sys
2007-05-23 16:28 126,686 --a------ C:\WINDOWS\system32\drivers\mtlmnt5.sys
2007-05-23 16:28 124,800 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2007-05-23 16:28 12,672 --a------ C:\WINDOWS\system32\drivers\usb8023x.sys
2007-05-23 16:28 12,047 --a------ C:\WINDOWS\system32\drivers\ati1pdxx.sys
2007-05-23 16:28 11,935 --a------ C:\WINDOWS\system32\drivers\wadv11nt.sys
2007-05-23 16:28 11,871 --a------ C:\WINDOWS\system32\drivers\wadv09nt.sys
2007-05-23 16:28 11,868 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
2007-05-23 16:28 11,807 --a------ C:\WINDOWS\system32\drivers\wadv07nt.sys
2007-05-23 16:28 11,615 --a------ C:\WINDOWS\system32\drivers\ati1mdxx.sys
2007-05-23 16:28 11,359 --a------ C:\WINDOWS\system32\drivers\atv02nt5.dll
2007-05-23 16:28 11,325 --a------ C:\WINDOWS\system32\drivers\vchnt5.dll
2007-05-23 16:28 11,295 --a------ C:\WINDOWS\system32\drivers\wadv08nt.sys
2007-05-23 16:28 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-05-23 16:28 1,737,856 --a------ C:\WINDOWS\system32\mtxparhd.dll
2007-05-23 16:28 1,309,184 --a------ C:\WINDOWS\system32\drivers\mtlstrm.sys
2007-05-23 16:28 1,041,536 --a------ C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2007-05-23 16:28 <DIR> d-------- C:\WINDOWS\provisioning
2007-05-23 16:28 <DIR> d-------- C:\WINDOWS\peernet
2007-05-23 13:12 679,424 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-23 13:12 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2007-05-23 13:12 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-05-23 13:12 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2007-05-23 13:12 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2007-05-23 13:10 97,792 --a------ C:\WINDOWS\system32\comrepl.dll
2007-05-23 13:10 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-05-23 13:10 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2007-05-23 13:10 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2007-05-23 13:10 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2007-05-23 13:10 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2007-05-23 13:10 498,688 --a------ C:\WINDOWS\system32\clbcatq.dll
2007-05-23 13:10 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2007-05-23 13:10 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2007-05-23 13:10 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2007-05-23 13:10 139,528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2007-05-23 13:10 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2007-05-23 13:10 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2007-05-23 13:10 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2007-05-23 01:53 347,136 --a------ C:\WINDOWS\system32\hypertrm.dll
2007-05-23 01:52 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-05-23 01:52 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-05-23 01:52 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-05-23 01:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-05-23 00:57 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-05-23 00:57 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-05-23 00:57 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-05-23 00:57 <DIR> d-------- C:\WINDOWS\system32\bits
2007-05-23 00:56 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-05-23 00:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-05-23 00:54 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2007-05-23 00:54 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2007-05-23 00:50 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2007-05-23 00:50 41,240 --a------ C:\WINDOWS\system32\wups.dll
2007-05-23 00:50 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-05-23 00:50 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-05-23 00:50 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-05-23 00:50 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2007-05-23 00:50 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-05-23 00:50 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-05-23 00:48 <DIR> d-------- C:\WINDOWS\sdold
2007-05-22 23:15 <DIR> d-------- C:\WINDOWS\pss
2007-05-22 17:52 <DIR> d--hs---- C:\WINDOWS\CSC
2007-05-22 17:28 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-05-22 16:40 870,784 --a------ C:\WINDOWS\system32\ati3d1ag.dll
2007-05-22 16:40 73,216 --a------ C:\WINDOWS\system32\drivers\atintuxx.sys
2007-05-22 16:40 701,440 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-05-22 16:40 63,488 --a------ C:\WINDOWS\system32\drivers\atinxsxx.sys
2007-05-22 16:40 57,856 --a------ C:\WINDOWS\system32\drivers\atinbtxx.sys
2007-05-22 16:40 52,224 --a------ C:\WINDOWS\system32\drivers\atinraxx.sys
2007-05-22 16:40 40,832 --a------ C:\WINDOWS\system32\drivers\irbus.sys
2007-05-22 16:40 377,984 --a------ C:\WINDOWS\system32\ati2dvaa.dll
2007-05-22 16:40 327,040 --a------ C:\WINDOWS\system32\drivers\ati2mtaa.sys
2007-05-22 16:40 31,744 --a------ C:\WINDOWS\system32\drivers\atinxbxx.sys
2007-05-22 16:40 28,672 --a------ C:\WINDOWS\system32\drivers\atinsnxx.sys
2007-05-22 16:40 201,728 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-05-22 16:40 20,992 --a------ C:\WINDOWS\system32\faxpatch.exe
2007-05-22 16:40 15,104 --a------ C:\WINDOWS\system32\drivers\hidir.sys
2007-05-22 16:40 14,336 --a------ C:\WINDOWS\system32\drivers\atinpdxx.sys
2007-05-22 16:40 13,824 --a------ C:\WINDOWS\system32\drivers\atinttxx.sys
2007-05-22 16:40 13,824 --a------ C:\WINDOWS\system32\drivers\atinmdxx.sys
2007-05-22 16:40 13,568 --a------ C:\WINDOWS\system32\drivers\wacompen.sys
2007-05-22 16:40 12,672 --a------ C:\WINDOWS\system32\drivers\mutohpen.sys
2007-05-22 16:40 104,960 --a------ C:\WINDOWS\system32\drivers\atinrvxx.sys
2007-05-22 16:40 1,057,760 --a------ C:\WINDOWS\system32\ati3d2ag.dll
2007-05-22 16:40 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-05-22 16:40 <DIR> d-------- C:\WINDOWS\ehome
2007-05-22 16:12 <DIR> d-------- C:\hosts
2007-05-22 16:03 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-05-22 16:03 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-05-22 15:53 <DIR> d-------- C:\DOCUME~1\Ashley\APPLIC~1\Lavasoft
2007-05-22 15:52 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-22 15:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-22 15:39 3 --a------ C:\WINDOWS\unq32.dat
2007-05-22 15:12 <DIR> d-------- C:\hijackthis
2007-05-22 14:41 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-24 23:05:14 -------- d-----w C:\Program Files\Messenger
2007-05-24 21:32:23 -------- d-----w C:\Program Files\Gateway
2007-05-24 19:54:48 22,760 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-05-23 21:44:20 1,562,135 --sha-w C:\WINDOWS\system32\xyadd.ini2
2007-05-23 21:28:28 -------- d-----w C:\Program Files\Movie Maker
2007-05-23 21:23:04 -------- d-----w C:\Program Files\Windows NT
2007-05-23 19:25:25 -------- d-----w C:\Program Files\QuickTime
2007-05-23 19:25:25 -------- d-----w C:\Program Files\iTunes
2007-05-23 19:25:24 -------- d-----w C:\Program Files\Gateway Utilities
2007-05-23 18:44:24 -------- d--h--w C:\Program Files\WindowsUpdate
2007-05-23 18:30:57 1,502,311 --sha-w C:\WINDOWS\system32\xyadd.bak1
2007-05-23 18:30:53 1,511,350 --sha-w C:\WINDOWS\system32\xyadd.bak2
2007-05-22 23:06:40 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-09 21:23:09 1,460 ----a-w C:\WINDOWS\system32\hkt91c1f.sys
2007-03-26 22:25:34 10 ----a-w C:\WINDOWS\smdat32m.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 13:02]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMMSG"="GWMDMMSG.exe" []
"nwiz"="nwiz.exe" [2003-07-28 14:19 C:\WINDOWS\system32\nwiz.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-05-25 16:13]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 07:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"qiafw"=C:\WINDOWS\System32\vtomvo.exe reg_run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundService]
rundll32.exe "C:\WINDOWS\System32\eermefyh.dll",setvm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winsock32.exe"=2 (0x2)
"Microsoft IEUpdater22"=2 (0x2)
"IDriverT"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"WZCSVC"=2 (0x2)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"W32Time"=2 (0x2)
"UPS"=3 (0x3)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"SSDPSRV"=3 (0x3)
"mnmsrvc"=3 (0x3)



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070527-120803-789
O20 - Winlogon Notify: Winmsc - C:\WINDOWS\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Winmsc]



backup-20070527-120802-821
O20 - Winlogon Notify: partnershipreg - C:\WINDOWS\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\partnershipreg]



backup-20070527-120802-832
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

backup-20070527-120802-852
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

backup-20070527-120802-611
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

backup-20070526-113040-441
O20 - Winlogon Notify: partnershipreg - C:\WINDOWS\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\partnershipreg]



backup-20070525-222028-703
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB


backup-20070525-222028-179
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1180038942156


backup-20070525-222028-386
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

backup-20070525-155011-398
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


backup-20070525-155010-489
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


backup-20070525-155010-772
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

backup-20070525-155010-914
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

backup-20070525-152202-683
O20 - Winlogon Notify: Winmsc - C:\WINDOWS\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Winmsc]



backup-20070525-151904-693
O20 - Winlogon Notify: partnershipreg - C:\WINDOWS\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\partnershipreg]



backup-20070525-111645-584
O20 - Winlogon Notify: Winmsc - C:\WINDOWS\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Winmsc]



backup-20070525-111645-545
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000000
"EulaAccepted"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,07,ec,ae,3e,b5,40,37,4f,b7,05,3c,78,db,fa,79,7c,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,9c,75,66,8e,42,42,d2,10,\
41,f4,ce,11,33,a4,79,47,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,0e,\
c4,cf,ff,63,d0,d1,e3,3c,34,16,63,80,56,c6,d0,b0,01,00,00,aa,a1,4e,45,21,07,\
7f,62,68,9f,b8,da,56,43,bc,9c,67,89,a7,8f,45,0a,bd,c4,c3,e0,83,1c,c1,02,2f,\
4a,df,8d,82,f5,f5,1d,5f,5e,47,a5,bd,7f,05,6b,f6,30,22,7c,f2,7c,9f,ed,d7,42,\
0a,6a,d6,ec,94,4d,77,66,cd,63,be,5c,80,e4,a8,0a,c7,c4,19,08,2a,a5,e9,6d,12,\
23,f9,89,d5,eb,fd,7a,6d,e4,e6,c4,05,89,8e,eb,b2,35,cf,81,be,a6,71,b0,fd,32,\
53,d4,0e,91,ea,9c,ea,9d,96,7e,bf,ab,50,43,76,b5,50,cc,70,1c,45,c1,dc,4d,02,\
9f,6d,c9,15,12,36,26,8e,ac,bb,3e,94,12,f7,11,cd,27,87,a1,73,48,6c,8d,24,0b,\
a5,f5,9b,ce,c2,83,cd,31,8d,ae,dc,67,c5,2c,d1,39,8f,5f,d4,88,c6,03,07,ce,70,\
f4,de,3a,36,50,39,df,4b,07,1c,ed,c5,1a,8f,9e,28,03,d3,32,a9,6e,c7,dc,1e,03,\
9c,8b,09,28,b0,e4,84,26,8d,6f,1c,7e,b5,3b,24,bb,90,9d,b9,0e,32,e0,e9,ac,22,\
aa,39,1c,86,d7,3e,86,fb,88,2a,08,e1,39,b9,54,c3,13,cf,d9,6a,c5,56,43,1a,78,\
7f,48,50,1a,88,14,d3,c7,52,3c,1e,99,e1,60,52,20,94,0d,4a,f3,89,db,f1,7c,71,\
4e,b9,fc,fa,03,30,75,d7,2d,14,bf,e4,57,77,64,2f,10,1b,f6,01,df,27,b6,ea,84,\
04,f4,6d,f8,86,58,0c,22,7c,28,85,c0,39,92,1b,98,e1,49,c1,ab,f1,68,5d,38,46,\
38,ae,98,11,2f,d9,2b,8f,a9,e2,53,bf,a4,59,80,05,86,c2,94,0d,3b,11,45,75,dc,\
26,16,6a,79,2a,ef,be,d6,cc,d4,30,d9,83,74,a5,d0,44,69,26,03,5d,09,59,95,6d,\
10,7e,93,b8,f7,d2,41,31,79,c7,97,f0,18,b9,00,14,c9,49,69,3e,b7,62,fb,3d,60,\
26,19,b8,68,a2,1a,f8,76,b8,ea,5a,85,e9,9e,67,0c,f6,4c,9c,2a,2c,24,dd,bb,52,\
f1,14,00,00,00,65,9c,d2,74,e4,92,fd,b6,4e,24,28,b1,24,c6,a6,7e,10,7e,9c,e5



backup-20070524-190501-634
O20 - Winlogon Notify: Winmsc - C:\WINDOWS\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Winmsc]



backup-20070524-190501-730
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]



backup-20070524-190501-189
O20 - Winlogon Notify: partnershipreg - C:\WINDOWS\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\partnershipreg]



backup-20070524-152701-301
O20 - Winlogon Notify: Winmsc - C:\WINDOWS\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Winmsc]



backup-20070524-152701-668
O20 - Winlogon Notify: partnershipreg - C:\WINDOWS\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\partnershipreg]



backup-20070524-133121-986
O20 - Winlogon Notify: Winmsc - C:\WINDOWS\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Winmsc]



backup-20070524-133105-250
O20 - Winlogon Notify: partnershipreg - C:\WINDOWS\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\partnershipreg]



backup-20070524-132406-940
O20 - Winlogon Notify: Winmsc - C:\WINDOWS\SYSTEM32\ms3d2a43d1.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Winmsc]
"DllName"="ms3d2a43d1.dll"
"Logon"="StartProcessAtWinLogon"



backup-20070524-132406-846
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\partnershipreg]
"DllName"="C:\\Documents and Settings\\All Users\\Documents\\Settings\\partnership.dll"
"Startup"="partnershipreg"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001



backup-20070524-132406-929
R3 - Default URLSearchHook is missing

backup-20070523-220343-256
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]



backup-20070523-220343-943
O20 - Winlogon Notify: ddayx - C:\WINDOWS\System32\ddayx.dll (file missing)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddayx]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\System32\\ddayx.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"



backup-20070523-220343-299
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

backup-20070523-220343-782
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

backup-20070523-220343-539
O2 - BHO: (no name) - {C8D730FF-78AB-4DC7-B744-A208FAF94AAE} - C:\WINDOWS\system32\driverg.dll

backup-20070523-220343-748
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

backup-20070523-220343-521
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

backup-20070523-220343-994
O2 - BHO: (no name) - {95935FC3-8978-4D50-BBDC-B6D715F9026D} - C:\WINDOWS\System32\ddayx.dll (file missing)

backup-20070523-220343-322
O2 - BHO: (no name) - {73685D92-D2A2-49E7-90D5-5961EFFCF1D9} - C:\WINDOWS\System32\nynnredd.dll (file missing)

backup-20070523-220343-462
O2 - BHO: (no name) - {6B37973B-2859-6675-C53A-05EACF9B6FE1} - C:\WINDOWS\System32\ofuwvmc.dll

backup-20070523-220343-356
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\System32\rcmyalde.dll (file missing)

backup-20070523-220343-639
O2 - BHO: (no name) - {65970F11-E082-C172-D3FC-C66942F9DBC8} - C:\WINDOWS\System32\vpmfi.dll (file missing)

backup-20070523-220343-264
O2 - BHO: (no name) - {3AC4AC13-1786-3F20-F24D-1BE34FEDAABC} - C:\WINDOWS\System32\gsukctmp.dll (file missing)

backup-20070523-220343-961
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\System32\fcunpcgj.dll (file missing)

backup-20070523-220343-181
O2 - BHO: (no name) - {55BA3F60-CDC4-F744-FECB-F44407C9F6F8} - C:\WINDOWS\System32\vpmfi.dll (file missing)

backup-20070523-004802-443
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

backup-20070523-004802-826
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

backup-20070522-184035-974
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

backup-20070522-184035-771
O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe

backup-20070522-184035-710
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

backup-20070522-184035-447
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

backup-20070522-184035-560
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Ashley\Start Menu\Programs\Startup\MSWin-912185139.exe (file missing)

backup-20070522-184035-554
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

backup-20070522-184035-486
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

backup-20070522-184035-580
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi94844.exe

backup-20070522-184035-522
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

backup-20070522-184035-154
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\bak\kwinkpeb.exe

backup-20070522-184035-312
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\System32\suuaufkr.dll",realset

backup-20070522-184035-270
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30B91D40-0958-1033-0328-030627020001}\MyToolBar.dll (file missing)

backup-20070522-175154-220
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30B91D40-0958-1033-0328-030627020001}\MyToolBar.dll

backup-20070522-175146-598
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30B91D40-0958-1033-0328-030627020001}\MyToolBar.dll

backup-20070522-174728-865
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Ashley\Start Menu\Programs\Startup\MSWin-912185139.exe (file missing)

backup-20070522-174728-773
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30B91D40-0958-1033-0328-030627020001}\MyToolBar.dll

backup-20070522-174728-690
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi94844.exe

backup-20070522-174728-680
O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe

backup-20070522-174728-470
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

backup-20070522-174424-903
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Ashley\Start Menu\Programs\Startup\MSWin-912185139.exe (file missing)

backup-20070522-174424-702
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

backup-20070522-174424-226
O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe

backup-20070522-174424-149
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

backup-20070522-174424-155
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi94844.exe

backup-20070522-174419-603
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

backup-20070522-174418-755
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

backup-20070522-174418-932
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

backup-20070522-174418-943
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

backup-20070522-174418-723
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime

backup-20070522-174418-213
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30B91D40-0958-1033-0328-030627020001}\MyToolBar.dll

backup-20070522-174418-118
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

backup-20070522-153325-290
O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe

backup-20070522-153325-942
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

backup-20070522-153325-459
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Ashley\Start Menu\Programs\Startup\MSWin-912185139.exe (file missing)

backup-20070522-153325-726
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi94844.exe

backup-20070522-153315-451
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30B91D40-0958-1033-0328-030627020001}\MyToolBar.dll

backup-20070522-153239-189
O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe

backup-20070522-153239-599
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Ashley\Start Menu\Programs\Startup\MSWin-912185139.exe (file missing)

backup-20070522-153239-546
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

backup-20070522-153239-529
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

backup-20070522-153239-271
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

backup-20070522-153239-774
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi94844.exe

backup-20070522-153223-241
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30B91D40-0958-1033-0328-030627020001}\MyToolBar.dll

backup-20070522-153223-513
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

backup-20070522-153223-698
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll

backup-20070522-153223-461
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,wymugtv.exe

backup-20070522-153223-668
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\ldfqv.exe

backup-20070522-152044-608
O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe

backup-20070522-152044-124
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

backup-20070522-152044-512
O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Ashley\Start Menu\Programs\Startup\MSWin-912185139.exe (file missing)

backup-20070522-152044-351
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

backup-20070522-152044-333
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

backup-20070522-152044-832
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

backup-20070522-152044-263
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

backup-20070522-152044-953
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi94844.exe

backup-20070522-152036-568
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll

backup-20070522-152035-953
O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\helpspot\XPLControl.CAB

backup-20070522-152036-985
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

backup-20070522-152035-764
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

backup-20070522-152035-694
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

backup-20070522-152035-155
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

backup-20070522-152035-272
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

backup-20070522-152035-550
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

backup-20070522-152035-322
O4 - HKCU\..\Run: [winsock32] winsock32

backup-20070522-152035-786
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

backup-20070522-152035-785
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

backup-20070522-152035-866
O4 - HKLM\..\RunServices: [winsock32] winsock32

backup-20070522-152035-141
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

backup-20070522-152034-921
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe

backup-20070522-152034-968
O4 - HKLM\..\Run: [{B0B91D40-0958-1033-0328-030627020001}] "C:\Program Files\Common Files\{B0B91D40-0958-1033-0328-030627020001}\Update.exe" te-110-12-0000132

backup-20070522-152034-293
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

backup-20070522-152034-491
O4 - HKLM\..\Run: [winsock32] winsock32

backup-20070522-152034-877
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

backup-20070522-152034-411
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll

backup-20070522-152034-678
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB58.dll

backup-20070522-152034-464
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30B91D40-0958-1033-0328-030627020001}\MyToolBar.dll

backup-20070522-152034-546
O4 - HKLM\..\Run: [seekmo] "c:\program files\seekmo\seekmo.exe"

backup-20070522-152034-539
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

backup-20070522-152034-961
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,wymugtv.exe

backup-20070522-152034-786
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com

backup-20070522-152034-869
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com

backup-20070522-152034-566
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

backup-20070522-151332-707
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,wymugtv.exe

backup-20070522-151332-790
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\ldfqv.exe

Contents of the 'Scheduled Tasks' folder
2007-01-09 00:24:43 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-27 12:27:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32:lzx32.sys 65568 bytes executable

********************************************************************

Completion time: 2007-05-27 12:31:09 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-27 12:30

--- E O F ---

and HJT

Logfile of HijackThis v1.99.1
Scan saved at 12:40:52 PM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1180206568000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179945581625
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B5EB26D-5CF2-438C-B497-EA2DAC9278F4}: NameServer = 69.27.200.15,69.27.200.16
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#4 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:57 PM

Posted 27 May 2007 - 05:04 PM

Your system is terribly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

Many experts in the security community believe that once infected with these types of infections, the best course of action would be a reformat and reinstall of the OS.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Download Rustbfix from one of these locations:
http://www.uploads.ejvindh.net/rustbfix.exe
http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). You can close the text files.

Step #2

Please download Qoofix by Rubber Ducky to your desktop.
  • Right click on the Qoofix folder, and choose "Extract All". Extract Qoofix to your C: drive
  • Close all windows and programs, including internet windows.
  • Go to C:\Qoofix and open the folder, then double click on Qoofix.exe
  • Click Begin Removal and wait for the scan to finish
  • If Qoofix finds an infection, select yes to restart your computer
Step #3

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Step #4

Click Start> Run> type in CMD tap enter. Type the following into command prompt:

sc stop winsock32.exe

Hit 'enter' and type the following:

sc delete winsock32.exe

Type the following into command prompt:

sc stop "Microsoft IEUpdater22" (including quotes)

Hit 'enter' and type the following:

sc delete "Microsoft IEUpdater22"

Type the following into command prompt:

sc stop TrkWks

Hit 'enter' and type the following:

sc delete TrkWks

At the command prompt: type exit.

Reboot your computer after that.

Step #5

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

File::
C:\WINDOWS\SYSTEM32\wymugtv.exe
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\xyadd.ini2
C:\WINDOWS\system32\xyadd.bak1
C:\WINDOWS\system32\xyadd.bak2
C:\WINDOWS\unq32.dat
C:\WINDOWS\System32\eermefyh.dll
C:\WINDOWS\System32\vtomvo.exe
C:\WINDOWS\System32\WinNB58.dll
C:\WINDOWS\web\related.htm
C:\WINDOWS\winsock32.exe
C:\Documents and Settings\Ashley\Start Menu\Programs\Startup\MSWin-912185139.exe


Folder::
C:\Program Files\VSAdd-in
C:\Program Files\Kazaa
c:\program files\seekmo
C:\Program Files\Common Files\{30B91D40-0958-1033-0328-030627020001}
C:\Program Files\RXToolBar

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"qiafw"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundService]


Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.


Posted Image



Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Step #6
Step #7

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found: [icon image]
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
    [screenshot: the Move incurable option]
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Files that are in use may be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Post the content of the Rustbfix logfiles (%root%\avenger.txt & %root%\rustbfix\pelog.txt), the content of C:\Qoofix\Qoofix Logfile.txt, the contents of C:\vundofix.txt, the ComboFix log, the Jotti results and the Dr.Web CureIt log along with a new HijackThis log.

#5 chriscfi

chriscfi
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:57 AM

Posted 27 May 2007 - 07:02 PM

Followed your instructions and fortunately none of the new scanners found anything. Dr.Web CureIt did not provide a chance to save the log, but it found nothing. So I am including all the log files that were collected. The cmd prompt sc delete did remove some files, but none were running. Will upload the files.

Attached Files



#6 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:57 PM

Posted 28 May 2007 - 05:42 AM

You forgot Step 6?

---------------------------

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 1 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
Step #2

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Folder::
C:\2e523c2358a0fbf2f5dec78e040c82

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winsock32.exe"=-
"Microsoft IEUpdater22"=-
"TrkWks"=-


Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.


[screenshot: dragging ComboFix-Do.txt onto ComboFix.exe]



Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

If ComboFix doesn't reboot itself, please reboot.

Step #3
Step #4

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

Step #5

Open HijackThis.
  • Click Open the Misc Tools section.
  • Click Open Uninstall Manager.
  • Click Save list (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

Logs:
1. The ComboFix scan located at C:\ComboFix.txt.
2. The Jotti results
3. The online scanners results.
4. The uninstall list
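Both ComboFix-Do.txt scripts in this thread (Step #5 of the earlier post and Step #2 above) use the same plain-text format: a `File::`, `Folder::` or `Registry::` header followed by the items to act on, with the registry part borrowing .reg-file syntax, where `[-KEY]` deletes a whole key and `"name"=-` deletes one value under the key named on the preceding `[KEY]` line. The parser below is an added example for reviewing such a script before it is run, not code from the thread or from ComboFix itself; the sample script it parses is assembled from lines that appear in the two scripts above, and the ComboFix tool's own handling of the format is assumed to match this description.

```python
"""Parse a ComboFix-style 'CFScript' and list the actions it would take.

Added example for reviewing a script before running it; it only reads text
and never touches the file system or registry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class CFScript:
    files: list[str] = field(default_factory=list)
    folders: list[str] = field(default_factory=list)
    delete_keys: list[str] = field(default_factory=list)            # from [-KEY]
    delete_values: list[tuple[str, str]] = field(default_factory=list)  # (key, value) from "value"=-


_VALUE_DELETE = re.compile(r'"([^"]*)"=-')


def parse_cfscript(text: str) -> CFScript:
    """Split the script into its sections; raise on anything we do not understand."""
    script = CFScript()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):               # section header, e.g. "Registry::"
            section = line[:-2].lower()
            current_key = None
            continue
        if section == "file":
            script.files.append(line)
        elif section == "folder":
            script.folders.append(line)
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                script.delete_keys.append(line[2:-1])
                current_key = None
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]       # later "name"=- lines refer to this key
            else:
                m = _VALUE_DELETE.fullmatch(line)
                if m is None or current_key is None:
                    raise ValueError(f"unsupported registry directive: {line}")
                script.delete_values.append((current_key, m.group(1)))
        else:
            raise ValueError(f"line outside a known section: {line}")
    return script


def plan_actions(script: CFScript) -> list[tuple[str, str]]:
    """Flatten the script into (action, target) pairs a reviewer can read top to bottom."""
    actions: list[tuple[str, str]] = []
    actions += [("delete file", p) for p in script.files]
    actions += [("delete folder", p) for p in script.folders]
    actions += [("delete registry value", f"{k}\\{v}") for k, v in script.delete_values]
    actions += [("delete registry key", k) for k in script.delete_keys]
    return actions


# Sample script assembled from lines of the two ComboFix-Do.txt scripts in this thread.
SAMPLE_SCRIPT = r"""File::
C:\WINDOWS\winsock32.exe
C:\WINDOWS\smdat32m.sys

Folder::
C:\2e523c2358a0fbf2f5dec78e040c82

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winsock32.exe"=-
"Microsoft IEUpdater22"=-
"TrkWks"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundService]
"""


if __name__ == "__main__":
    for action, target in plan_actions(parse_cfscript(SAMPLE_SCRIPT)):
        print(f"{action:22} {target}")
```

Running the module prints seven actions for the sample: two file deletions, one folder deletion, three value deletions under the msconfig services key, and one key deletion. Any line the parser cannot classify raises instead of being silently skipped, which is the behaviour you want when the point is to know exactly what a script will do before handing it to a tool that runs with administrative rights.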



