Initially I was unable to get spybot or any antispyware software to run. The system comes up to a blank desktop (no start button, no icons, no taskbar).
I have to bring up task manager to get a run command to initiate any program. After spybot has run I then initiate Explorer that executes numerous (15-20)
command windows. At that point the desktop appears with all functions available. However, I can't run Windows update, IE7 states that it is doing the
ActiveX check and then returns Error number: 0x8007000B. The reason that I am attaching the word documents is that they are screen shots of the Spybot main
screen showing the problems identified. However the situation is not resoved by having Spybot fix them. They still exist when I reboot. It seems that they
are loaded in wininit.ini. I have done a search search for all files containing uac*.* these seem to be the culprits identified by Spybot as components of
win32.TDSS.rtk. I also have been infected by win32.Agent.pz as identified by Spybot. I am going to go ahead and boot into a bart pe session and delete the
ime directory and then reboot and see what happens.
Any ideas that you can provide I would be most appreciative.
Logfile of HijackThis v1.97.7
Scan saved at 11:34:18 AM, on 3/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
E:\Program Files\CD_DVD\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\CD_DVD\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
E:\Program Files\Adobe Acrobat 7\Distillr\Acrotray.exe
E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
O:\Download\Web Tools\SpyWare Removal\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe Acrobat 7\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\Internet\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe Acrobat 7\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [AlcoholAutomount] "E:\Program Files\CD_DVD\Alcohol 120\axcmd.exe" /automount
O4 - Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\M$O2K3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RoboForm Toolbar (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration (HKLM)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4835282234
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3ED04504-AC75-4F5D-8E7A-4CA0966E95D1}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B50EFE1C-5452-46E4-B9E3-713D7DAE39D2}: NameServer = 192.168.2.1
StartupList report, 3/15/2009, 11:43:43 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16791)
* Using default options
==================================================
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
E:\Program Files\CD_DVD\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\CD_DVD\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\taskmgr.exe
E:\Program Files\Internet\Spybot - Search & Destroy\FRED.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
E:\Program Files\Adobe Acrobat 7\Distillr\Acrotray.exe
E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\perhansa\Start Menu\Programs\Startup]
Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Acrobat Speed Launcher.lnk = ?
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\sdra64.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
SoundMan = SOUNDMAN.EXE
AlcWzrd = ALCWZRD.EXE
Alcmtr = ALCMTR.EXE
Acrobat Assistant 7.0 = "E:\Program Files\Adobe Acrobat 7\Distillr\Acrotray.exe"
NeroFilterCheck = C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
RoboForm = "E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} = "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
AlcoholAutomount = "E:\Program Files\CD_DVD\Alcohol 120\axcmd.exe" /automount
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - E:\Program Files\Adobe Acrobat 7\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - E:\PROGRA~1\Internet\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
RoboForm - E:\Program Files\Internet\Siber Systems\AI RoboForm\RoboForm.dll - {724d43a9-0d85-11d4-9908-00400523e39a}
(no name) - E:\Program Files\Adobe Acrobat 7\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
--------------------------------------------------
Enumerating Download Program Files:
[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://www.update.microsoft.com/windows ... 4835282234
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash10a.ocx
CODEBASE = http://fpdownload2.macromedia.com/get/s ... wflash.cab
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\TEMP\UACaf0c.tmp||C:\WINDOWS\system32\UACapynapxy.dll||C:\WINDOWS\system32\UACfoqpkcxe.dll||C:\WINDOWS\system32\UACfrmtyrxj.dll||C:\WINDOWS\system32\UACijnbevyk.dll_old||C:\WINDOWS\system32\UACijnbevyk.dll||C:\WINDOWS\system32\UACpbatnfvv.dll||C:\WINDOWS\system32\drivers\UACjrndddot.sys||C:\WINDOWS\system32\UACdstddekg.log_old||C:\WINDOWS\system32\UACdstddekg.log||C:\WINDOWS\system32\UACrypxmnlm.dat_old||C:\WINDOWS\system32\UACrypxmnlm.dat
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
--------------------------------------------------
End of report, 6,258 bytes
Report generated in 0.047 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
ACDSee 4.0
ACDSee 4.0 Service Release 1
Adobe Acrobat 7.1.0 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
AI RoboForm (All Users)
Avery DesignPro
FairUse Wizard 2
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Intel(R) Processor ID Utility
InterActual Player
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Mozilla Firefox (3.0.6)
Nero 8
neroxml
NVIDIA Drivers
Realtek High Definition Audio Driver
RunAlyzer
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
Spybot - Search & Destroy
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VCRedistSetup
VLC media player 0.9.4
Windows Internet Explorer 7
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR archiver
WinZip