Possible Infection of VBS/Dropper and BackDoor.Hupigon.BFA


Post by Elrond » July 24th, 2007, 7:15 am

Reopened. OP warned me that he was away for two weeks. Expecting answers about August 1.

I'm Home and More Diagnostics Run and Logs to Peruse!!!

Post by dantijkc » August 1st, 2007, 4:21 pm

Thanks for the good vacation wish - it was a blast! Now, back to seeing if I am or can get clean on this computer!

Upon arriving home, an automatic AVG scan noticed a change in an additional file besides just the kernel32.dll file, this time on a file with no file type extension at C:\WINNT\system32\drivers\etc\hosts

Also, the spelling difference was a typo: the file AVG has consistently listed as "changed" since this problem began is kernel32.dll and now also the file "hosts".

Still, there is no odd behaviour from the system, which seems to be running fine.

AVG logs follow the others in the order they were asked for.

Note that I have separated the logs by a few spaces and have capitalized the intros to each to make them easier to distinguish, as well as having numbered them:

1) HERE IS THE AUTORUNS LOG:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+ C:\WINNT\system32\userinit.exe Userinit Logon Application Microsoft Corporation c:\winnt\system32\userinit.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
+ Explorer.exe Windows Explorer Microsoft Corporation c:\winnt\explorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ Acrobat Assistant 7.0 AcroTray Adobe Systems Inc. d:\program files\adobe\acrobat\distillr\acrotray.exe
+ AVG7_CC AVG Control Center GRISOFT, s.r.o. d:\program files\grisoft\avg\avgcc.exe
+ Lexmark X6100 Series Lexmark X6100 Series Button Manager Lexmark International, Inc. c:\program files\lexmark x6100 series\lxbfbmgr.exe
+ Norton Ghost 9.0 Tray Application Symantec Corporation d:\program files\norton\ghost\agent\ghosttray.exe
+ NvCplDaemon NVIDIA Display Properties Extension NVIDIA Corporation c:\winnt\system32\nvcpl.dll
+ NvMediaCenter NVIDIA Media Center Library NVIDIA Corporation c:\winnt\system32\nvmctray.dll
+ nwiz NVIDIA nView Wizard, Version 110.14 NVIDIA Corporation c:\winnt\system32\nwiz.exe
+ QuickTime Task QuickTime Task Apple Computer, Inc. d:\program files\quicktime\qttask.exe
+ SoundMAX SoundMAX Control Center Analog Devices, Inc. c:\program files\analog devices\soundmax\smax4.exe
+ SoundMAXPnP SMax4PNP MFC Application Analog Devices, Inc. c:\program files\analog devices\soundmax\smax4pnp.exe
+ SunJavaUpdateSched Java(TM) 2 Platform Standard Edition binary Sun Microsystems, Inc. c:\program files\java\jre1.5.0_11\bin\jusched.exe
+ Synchronization Manager Microsoft Synchronization Manager Microsoft Corporation c:\winnt\system32\mobsync.exe
+ THGuard TrojanHunter Guard Mischel Internet Security d:\program files\trojanhunter 4.2\thguard.exe
+ TkBellExe RealNetworks Scheduler RealNetworks, Inc. c:\program files\common files\real\update_ob\realsched.exe
+ Tweak UI User interface customization toy Microsoft Corporation c:\winnt\system32\tweakui.cpl
+ ZoneAlarm Client ZoneAlarm Client Zone Labs, LLC d:\program files\zonealarm\zlclient.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
+ Adobe Acrobat Speed Launcher.lnk c:\winnt\installer\{ac76ba86-1033-f400-7760-000000000002}\sc_acrobat.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
+ MemTurbo.lnk MemTurbo SoftwareOnline.com, Inc. d:\program files\memturbo\memturbo.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ AWMON Ad-Watch System Protector Lavasoft Sweden d:\program files\lavasoft\ad-aware se professional\ad-watch.exe
+ DeskSlide DeskSlide Application George Obada d:\program files\deskslide\deskslide.exe
+ internat.exe Keyboard Language Indicator Applet Microsoft Corporation c:\winnt\system32\internat.exe
+ Norton SystemWorks Symantec Internal Component Symantec Corporation d:\program files\norton\system works\cfgwiz.exe
+ SpybotSD TeaTimer System settings protector Safer Networking Limited d:\program files\spybot - search & destroy\teatimer.exe
HKLM\SOFTWARE\Classes\Protocols\Filter
+ application/octet-stream Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\winnt\system32\mscoree.dll
+ application/x-complus Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\winnt\system32\mscoree.dll
+ application/x-msdownload Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\winnt\system32\mscoree.dll
+ Class Install Handler OLE32 Extensions for Win32 Microsoft Corporation c:\winnt\system32\urlmon.dll
+ deflate OLE32 Extensions for Win32 Microsoft Corporation c:\winnt\system32\urlmon.dll
+ gzip OLE32 Extensions for Win32 Microsoft Corporation c:\winnt\system32\urlmon.dll
+ lzdhtml OLE32 Extensions for Win32 Microsoft Corporation c:\winnt\system32\urlmon.dll
+ text/webviewhtml Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
HKLM\SOFTWARE\Classes\Protocols\Handler
+ about Microsoft (R) HTML Viewer Microsoft Corporation c:\winnt\system32\mshtml.dll
+ cdl OLE32 Extensions for Win32 Microsoft Corporation c:\winnt\system32\urlmon.dll
+ file OLE32 Extensions for Win32 Microsoft Corporation c:\winnt\system32\urlmon.dll
+ ftp OLE32 Extensions for Win32 Microsoft Corporation c:\winnt\system32\urlmon.dll
+ gopher OLE32 Extensions for Win32 Microsoft Corporation c:\winnt\system32\urlmon.dll
+ http OLE32 Extensions for Win32 Microsoft Corporation c:\winnt\system32\urlmon.dll
+ https OLE32 Extensions for Win32 Microsoft Corporation c:\winnt\system32\urlmon.dll
+ its Microsoft® InfoTech Storage System Library Microsoft Corporation c:\winnt\system32\itss.dll
+ javascript Microsoft (R) HTML Viewer Microsoft Corporation c:\winnt\system32\mshtml.dll
+ local OLE32 Extensions for Win32 Microsoft Corporation c:\winnt\system32\urlmon.dll
+ mailto Microsoft (R) HTML Viewer Microsoft Corporation c:\winnt\system32\mshtml.dll
+ mhtml Microsoft Internet Messaging API Microsoft Corporation c:\winnt\system32\inetcomm.dll
+ mk OLE32 Extensions for Win32 Microsoft Corporation c:\winnt\system32\urlmon.dll
+ ms-its Microsoft® InfoTech Storage System Library Microsoft Corporation c:\winnt\system32\itss.dll
+ res Microsoft (R) HTML Viewer Microsoft Corporation c:\winnt\system32\mshtml.dll
+ sysimage Microsoft (R) HTML Viewer Microsoft Corporation c:\winnt\system32\mshtml.dll
+ vbscript Microsoft (R) HTML Viewer Microsoft Corporation c:\winnt\system32\mshtml.dll
+ vnd.ms.radio Windows Media Player 2 ActiveX Control Microsoft Corporation c:\winnt\system32\msdxm.ocx
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
+ 0 File not found: About:Home
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
+ Address Book 5 Outlook Express Setup Library Microsoft Corporation c:\program files\outlook express\setup50.exe
+ Browser Customizations Microsoft Internet Explorer Customization DLL Microsoft Corporation c:\winnt\system32\iedkcs32.dll
+ CRLUpdate UPDCRL Microsoft Corporation c:\winnt\system32\updcrl.exe
+ EnableRevocation Microsoft(C) Register Server Microsoft Corporation c:\winnt\system32\regsvr32.exe
+ Internet Explorer 6 IE 5.0 Per-User Install Utility Microsoft Corporation c:\winnt\system32\ie4uinit.exe
+ Internet Explorer Access Windows NT User Data Migration Tool Microsoft Corporation c:\winnt\system32\shmgrate.exe
+ Microsoft Outlook Express 6 Outlook Express Setup Library Microsoft Corporation c:\program files\outlook express\setup50.exe
+ Microsoft Windows Media Player ADVPACK Microsoft Corporation c:\winnt\system32\advpack.dll
+ n/a Microsoft .NET IE SECURITY REGISTRATION Microsoft Corporation c:\winnt\system32\mscories.dll
+ NetMeeting 3.01 ADVPACK Microsoft Corporation c:\winnt\system32\advpack.dll
+ Outlook Express Access Windows NT User Data Migration Tool Microsoft Corporation c:\winnt\system32\shmgrate.exe
+ Windows Desktop Update Microsoft(C) Register Server Microsoft Corporation c:\winnt\system32\regsvr32.exe
+ Windows Media Player Microsoft Windows Media Player Setup Utility Microsoft Corporation c:\winnt\inf\unregmp2.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
+ Browseui preloader Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Component Categories cache daemon Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
+ Network.ConnectionTray Network Connections Shell Microsoft Corporation c:\winnt\system32\netshell.dll
+ SysTray Systray shell service object Microsoft Corporation c:\winnt\system32\stobject.dll
+ WebCheck Web Site Monitor Microsoft Corporation c:\winnt\system32\webcheck.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ shell32.dll Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Web Folders c:\program files\common files\microsoft shared\web folders\msonsext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ &Address Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ &Links Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ .CAB file viewer Cabinet File Viewer Shell Extension Microsoft Corporation c:\winnt\system32\cabview.dll
+ Accessible Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ ActiveDesktop Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ ActiveX Cache Folder Object Control Viewer Microsoft Corporation c:\winnt\system32\occache.dll
+ Add encryption item to context menus in explorer Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ Address Bar Parser Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Address EditBox Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Adobe.Acrobat.ContextMenu Adobe Acrobat Context Menu Adobe Systems Inc. d:\program files\adobe\acrobat\acrobat elements\contextmenu.dll
+ Augmented Shell Folder Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Augmented Shell Folder 2 Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ AVG7 Find Extension AVG Shell Extension GRISOFT, s.r.o. d:\program files\grisoft\avg\avgse.dll
+ AVG7 Shell Extension AVG Shell Extension GRISOFT, s.r.o. d:\program files\grisoft\avg\avgse.dll
+ BandProxy Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Briefcase Windows Briefcase Microsoft Corporation c:\winnt\system32\syncui.dll
+ Briefcase Folder Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ CDF Extension Copy Hook Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
+ Channel File Channel Definition File Viewer Microsoft Corporation c:\winnt\system32\cdfview.dll
+ Channel Handler Object Channel Definition File Viewer Microsoft Corporation c:\winnt\system32\cdfview.dll
+ Channel Menu Channel Definition File Viewer Microsoft Corporation c:\winnt\system32\cdfview.dll
+ Channel Properties Channel Definition File Viewer Microsoft Corporation c:\winnt\system32\cdfview.dll
+ Channel Shortcut Channel Definition File Viewer Microsoft Corporation c:\winnt\system32\cdfview.dll
+ CmdFileIcon Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ Code Download Agent Web Site Monitor Microsoft Corporation c:\winnt\system32\webcheck.dll
+ ConnectionAgent Web Site Monitor Microsoft Corporation c:\winnt\system32\webcheck.dll
+ Cryptext File Encryption Shell Extension c:\winnt\system32\shellext\cryptext.dll
+ Crypto PKO Extension Crypto Shell Extensions Microsoft Corporation c:\winnt\system32\cryptext.dll
+ Crypto Sign Extension Crypto Shell Extensions Microsoft Corporation c:\winnt\system32\cryptext.dll
+ Custom MRU AutoCompleted List Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Darwin App Publisher Shell Application Manager Microsoft Corporation c:\winnt\system32\appwiz.cpl
+ Desktop Explorer NVIDIA Desktop Explorer, Version 110.14 NVIDIA Corporation c:\winnt\system32\nvshell.dll
+ Desktop Explorer Menu NVIDIA Desktop Explorer, Version 110.14 NVIDIA Corporation c:\winnt\system32\nvshell.dll
+ Directory Context Menu Verbs Directory Service Common UI Microsoft Corporation c:\winnt\system32\dsuiext.dll
+ Directory Namespace Directory Service UI Microsoft Corporation c:\winnt\system32\dsfolder.dll
+ Directory Object Find Directory Service Find Microsoft Corporation c:\winnt\system32\dsquery.dll
+ Directory Property UI Directory Service Common UI Microsoft Corporation c:\winnt\system32\dsuiext.dll
+ Directory Query UI Directory Service Find Microsoft Corporation c:\winnt\system32\dsquery.dll
+ Directory Start/Search Find Directory Service Find Microsoft Corporation c:\winnt\system32\dsquery.dll
+ Disk Copy Extension Windows DiskCopy Microsoft Corporation c:\winnt\system32\diskcopy.dll
+ Disk Quota UI Windows Shell Disk Quota UI DLL Microsoft Corporation c:\winnt\system32\dskquoui.dll
+ Display Adapter CPL Extension Advanced display adapter properties Microsoft Corporation c:\winnt\system32\deskadp.dll
+ Display Control Panel HTML Extensions Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ Display Monitor CPL Extension Advanced display monitor properties Microsoft Corporation c:\winnt\system32\deskmon.dll
+ Display TroubleShoot CPL Extension Advanced display performance properties Microsoft Corporation c:\winnt\system32\deskperf.dll
+ Download Status Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ DS Security Page Directory Service Security UI Microsoft Corporation c:\winnt\system32\dssec.dll
+ Explorer Band Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
+ EzCddax extension d:\program files\easy cdda extractor\ezcddax9.dll
+ Favorites Band Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
+ File Property Page Extension Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ File Types Page Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ Folder Options Property Page Extension Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ Folder Shortcut Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ Fonts Windows Font Folder Microsoft Corporation c:\winnt\system32\fontext.dll
+ For &People... Find People Microsoft Corporation c:\program files\outlook express\wabfind.dll
+ Fusion Cache Microsoft .NET Runtime Execution Engine Microsoft Corporation c:\winnt\system32\mscoree.dll
+ Global Folder Settings Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ History Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
+ HTML Thumbnail Extractor Thumbnail View Extension Microsoft Corporation c:\winnt\system32\thumbvw.dll
+ HyperTerminal Icon Ext HyperTerminal Applet Library Hilgraeve, Inc. c:\winnt\system32\hticons.dll
+ ICC Profile Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\winnt\system32\icmui.dll
+ ICM Monitor Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\winnt\system32\icmui.dll
+ ICM Printer Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\winnt\system32\icmui.dll
+ ICM Scanner Management Microsoft Color Matching System User Interface DLL Microsoft Corporation c:\winnt\system32\icmui.dll
+ IE4 Suite Splash Screen Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
+ In-pane search Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Installed Apps Enumerator Shell Application Manager Microsoft Corporation c:\winnt\system32\appwiz.cpl
+ Internet Name Space Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
+ InternetShortcut Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
+ ISFBand OC Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
+ IShellFolderBand Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ LNK file thumbnail interface delegator Thumbnail View Extension Microsoft Corporation c:\winnt\system32\thumbvw.dll
+ Media Band Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Menu Band Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Menu Desk Bar Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Menu Shell Folder Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Menu Site Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Microsoft AutoComplete Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Microsoft Browser Architecture Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
+ Microsoft BrowserBand Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Microsoft CopyTo Service Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ Microsoft Data Link Microsoft Data Access - OLE DB Core Services Microsoft Corporation c:\program files\common files\system\ole db\oledb32.dll
+ Microsoft History AutoComplete List Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Microsoft Internet Toolbar Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Microsoft MoveTo Service Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ Microsoft Multiple AutoComplete List Container Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Microsoft New Object Service Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ Microsoft Office Binder Unbind Microsoft Office Binder Document Unbinder Microsoft Corporation d:\program files\ms office\office\1033\unbind.dll
+ Microsoft Outlook Custom Icon Handler Microsoft Outlook Shell Hook for Start/Find Microsoft Corporation d:\program files\ms office\office\olkfstub.dll
+ Microsoft SendTo Service Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ Microsoft Shell Folder AutoComplete List Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Microsoft Url History Service Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
+ Microsoft Url Search Hook Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
+ MIME File Types Hook Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ MMC Icon Handler MMC Shell Extension DLL Microsoft Corporation c:\winnt\system32\mmcshext.dll
+ Mounted Volume Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ MRU AutoComplete List Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Multimedia File Property Sheet Control Panel Drivers Applet Microsoft Corporation c:\winnt\system32\mmsys.cpl
+ Multiscan zlavscan shell extension Zone Labs, LLC d:\program files\zonealarm\zlavscan.dll
+ My Computer Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ MyDocs Copy Hook My Documents Folder UI Microsoft Corporation c:\winnt\system32\mydocs.dll
+ MyDocs Drop Target My Documents Folder UI Microsoft Corporation c:\winnt\system32\mydocs.dll
+ MyDocs Folder My Documents Folder UI Microsoft Corporation c:\winnt\system32\mydocs.dll
+ MyDocs Properties My Documents Folder UI Microsoft Corporation c:\winnt\system32\mydocs.dll
+ Network and Dial-up Connections Network Connections Shell Microsoft Corporation c:\winnt\system32\netshell.dll
+ NTFS Security Page Security Shell Extension Microsoft Corporation c:\winnt\system32\rshx32.dll
+ nView Desktop Context Menu NVIDIA Desktop Explorer, Version 110.14 NVIDIA Corporation c:\winnt\system32\nvshell.dll
+ Office Graphics Filters Thumbnail Extractor Thumbnail View Extension Microsoft Corporation c:\winnt\system32\thumbvw.dll
+ Offline Files Folder Client Side Caching UI Microsoft Corporation c:\winnt\system32\cscui.dll
+ Offline Files Folder Options Client Side Caching UI Microsoft Corporation c:\winnt\system32\cscui.dll
+ Offline Files Menu Client Side Caching UI Microsoft Corporation c:\winnt\system32\cscui.dll
+ OLE Docfile Property Page OLE DocFile Property Page Microsoft Corporation c:\winnt\system32\docprop.dll
+ Open With Context Menu Handler Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ PlusPack CPL Extension Effects Control Panel extension Microsoft Corporation c:\winnt\system32\plustab.dll
+ PostAgent Web Site Monitor Microsoft Corporation c:\winnt\system32\webcheck.dll
+ Printers Security Page Security Shell Extension Microsoft Corporation c:\winnt\system32\rshx32.dll
+ Registry Tree Options Utility Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Scheduled Tasks Task Scheduler interface DLL Microsoft Corporation c:\winnt\system32\mstask.dll
+ Search Assistant OC Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
+ Search Band Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Sendmail service Send Mail Microsoft Corporation c:\winnt\system32\sendmail.dll
+ Sendmail service Send Mail Microsoft Corporation c:\winnt\system32\sendmail.dll
+ Shell Application Manager Shell Application Manager Microsoft Corporation c:\winnt\system32\appwiz.cpl
+ Shell Automation Folder View Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ Shell Automation Inproc Service Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
+ Shell Automation Service Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ Shell Band Site Menu Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Shell DeskBar Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Shell DeskBarApp Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Shell DocObject Viewer Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
+ Shell Drag and Drop helper Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ Shell extensions for Microsoft Windows Network objects Network object shell UI Microsoft Corporation c:\winnt\system32\ntlanui2.dll
+ Shell Extensions for RealOne Player RealPlayer Shell Extensions RealNetworks, Inc. d:\program files\real\rpshell.dll
+ Shell extensions for sharing Shell extensions for sharing Microsoft Corporation c:\winnt\system32\ntshrui.dll
+ Shell extensions for sharing Shell extensions for sharing Microsoft Corporation c:\winnt\system32\ntshrui.dll
+ Shell extensions for Windows Script Host Microsoft (r) Shell Extension for Windows Script Host Microsoft Corporation c:\winnt\system32\wshext.dll
+ Shell Favorite Folder Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ Shell Icon Handler for Application References Application Deployment Support Library Microsoft Corporation c:\winnt\system32\dfshim.dll
+ Shell properties for a DS object Directory Service UI Microsoft Corporation c:\winnt\system32\dsfolder.dll
+ Shell Rebar BandSite Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Shell Scrap DataHandler Shell scrap object handler Microsoft Corporation c:\winnt\system32\shscrap.dll
+ ShellLink for Application References Application Deployment Support Library Microsoft Corporation c:\winnt\system32\dfshim.dll
+ Start Menu Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ Subscription Folder Web Site Monitor Microsoft Corporation c:\winnt\system32\webcheck.dll
+ Subscription Mgr Web Site Monitor Microsoft Corporation c:\winnt\system32\webcheck.dll
+ Summary Info Thumbnail handler (DOCFILES) Thumbnail View Extension Microsoft Corporation c:\winnt\system32\thumbvw.dll
+ Tasks Folder Icon Handler Task Scheduler interface DLL Microsoft Corporation c:\winnt\system32\mstask.dll
+ Tasks Folder Shell Extension Task Scheduler interface DLL Microsoft Corporation c:\winnt\system32\mstask.dll
+ Temporary Internet Files Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
+ Temporary Internet Files Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
+ The Internet Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
+ Thumbnail Image Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Thumbnails Thumbnail View Extension Microsoft Corporation c:\winnt\system32\thumbvw.dll
+ Track Popup Bar Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Tracking Shell Menu Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ TrayAgent Web Site Monitor Microsoft Corporation c:\winnt\system32\webcheck.dll
+ TridentImageExtractor Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ TrojanHunter Menu Shell Extension d:\program files\trojanhunter 4.2\contmenu.dll
+ User Assist Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ Web Printer Shell Extension Print UI DLL Microsoft Corporation c:\winnt\system32\printui.dll
+ Web Search Shell Browser UI Library Microsoft Corporation c:\winnt\system32\browseui.dll
+ WebCheck Web Site Monitor Microsoft Corporation c:\winnt\system32\webcheck.dll
+ WebCheck SyncMgr Handler Web Site Monitor Microsoft Corporation c:\winnt\system32\webcheck.dll
+ WebCheckChannelAgent Web Site Monitor Microsoft Corporation c:\winnt\system32\webcheck.dll
+ WebCheckWebCrawler Web Site Monitor Microsoft Corporation c:\winnt\system32\webcheck.dll
+ WinRAR shell extension d:\program files\winrar\rarext.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ Fax Tiff Data Column Provider Fax Tiff Data Column Provider Microsoft Corporation c:\winnt\system32\faxshell.dll
+ PDF Shell Extension PDF Shell Extension Adobe Systems, Inc. d:\program files\adobe\acrobat\activex\pdfshell.dll
+ ShAVColumnProvider class DocProp2 Microsoft Corporation c:\winnt\system32\docprop2.dll
+ Version Column Provider DocProp2 Microsoft Corporation c:\winnt\system32\docprop2.dll
+ {0D2E74C4-3C34-11d2-A27E-00C04FC30871} Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ {24F14F01-7B1C-11d1-838f-0000F80461CF} Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ {24F14F02-7B1C-11d1-838f-0000F80461CF} Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ Adobe PDF Conversion Toolbar Helper Adobe IE plugin Adobe Systems Incorporated d:\program files\adobe\acrobat\acrobat\acroiefavclient.dll
+ Adobe PDF Reader Link Helper Adobe Acrobat IE Helper Version 7.0 for ActiveX Adobe Systems Incorporated d:\program files\adobe\acrobat\activex\acroiehelper.dll
+ SSVHelper Class Java(TM) 2 Platform Standard Edition binary Sun Microsystems, Inc. c:\program files\java\jre1.5.0_11\bin\ssv.dll
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
+ shdocvw.dll Shell Doc Object and Control Library Microsoft Corporation c:\winnt\system32\shdocvw.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ acroiefavclient.dll Adobe IE plugin Adobe Systems Incorporated d:\program files\adobe\acrobat\acrobat\acroiefavclient.dll
+ msdxm.ocx Windows Media Player 2 ActiveX Control Microsoft Corporation c:\winnt\system32\msdxm.ocx
Task Scheduler
+ Norton SystemWorks One Button Checkup.job One Button Checkup Symantec Corporation d:\program files\norton\system works\obc.exe
+ Symantec Drmc.job Symantec Shared File Symantec Corporation c:\program files\common files\symantec shared\symdrmc.exe
HKLM\System\CurrentControlSet\Services
+ Automatic LiveUpdate Scheduler Manages the scheduling of Automatic LiveUpdate sessions Symantec Corporation c:\program files\symantec\liveupdate\aluschedulersvc.exe
+ Avg7Alrt AVG Alert Manager GRISOFT, s.r.o. d:\program files\grisoft\avg\avgamsvr.exe
+ Avg7UpdSvc AVG Update Service GRISOFT, s.r.o. d:\program files\grisoft\avg\avgupsvc.exe
+ Browser Maintains an up-to-date list of computers on your network and supplies the list to programs that request it. Microsoft Corporation c:\winnt\system32\services.exe
+ ccEvtMgr Symantec Event Manager Symantec Corporation c:\program files\common files\symantec shared\ccevtmgr.exe
+ ccSetMgr Symantec Settings Manager Symantec Corporation c:\program files\common files\symantec shared\ccsetmgr.exe
+ Dhcp Manages network configuration by registering and updating IP addresses and DNS names. Microsoft Corporation c:\winnt\system32\services.exe
+ dmserver Logical Disk Manager Watchdog Service Microsoft Corporation c:\winnt\system32\services.exe
+ Dnscache Resolves and caches Domain Name System (DNS) names. Microsoft Corporation c:\winnt\system32\services.exe
+ Eventlog Logs event messages issued by programs and Windows. Event Log reports contain information that can be useful in diagnosing problems. Reports are viewed in Event Viewer. Microsoft Corporation c:\winnt\system32\services.exe
+ GEARSecurity gearsec GEAR Software c:\winnt\system32\gearsec.exe
+ lanmanserver Provides RPC support and file, print, and named pipe sharing. Microsoft Corporation c:\winnt\system32\services.exe
+ lanmanworkstation Provides network connections and communications. Microsoft Corporation c:\winnt\system32\services.exe
+ LexBceS LexBce Service Lexmark International, Inc. c:\winnt\system32\lexbces.exe
+ LmHosts Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Microsoft Corporation c:\winnt\system32\services.exe
+ Messenger Sends and receives messages transmitted by administrators or by the Alerter service. Microsoft Corporation c:\winnt\system32\services.exe
+ Norton Ghost Administrative service for scheduling and disk imaging. Symantec Corporation d:\program files\norton\ghost\agent\pqv2isvc.exe
+ NProtectService Protects files deleted from command line prompt and applications Symantec Corporation d:\program files\norton\system works\norton utilities\nprotect.exe
+ NtmsSvc Manages removable media, drives, and libraries. Microsoft Corporation c:\winnt\system32\ntmssvc.dll
+ NVSvc Provides system and desktop level support to the NVIDIA display driver NVIDIA Corporation c:\winnt\system32\nvsvc32.exe
+ PlugPlay Manages device installation and configuration and notifies programs of device changes. Microsoft Corporation c:\winnt\system32\services.exe
+ PolicyAgent Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Microsoft Corporation c:\winnt\system32\lsass.exe
+ ProtectedStorage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Microsoft Corporation c:\winnt\system32\services.exe
+ RemoteRegistry Allows remote registry manipulation. Microsoft Corporation c:\winnt\system32\regsvc.exe
+ RpcSs Provides the endpoint mapper and other miscellaneous RPC services. Microsoft Corporation c:\winnt\system32\rpcss.dll
+ SamSs Stores security information for local user accounts. Microsoft Corporation c:\winnt\system32\lsass.exe
+ Schedule Enables a program to run at a designated time. Microsoft Corporation c:\winnt\system32\mstask.exe
+ ScsiAccess d:\program files\proshow gold\scsiaccess.exe
+ seclogon Enables starting processes under alternate credentials Microsoft Corporation c:\winnt\system32\services.exe
+ SENS Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. Microsoft Corporation c:\winnt\system32\sens.dll
+ SharedAccess Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection. Microsoft Corporation c:\winnt\system32\ipnathlp.dll
+ SoundMAX Agent Service (default) SoundMAX service agent component Analog Devices, Inc. c:\program files\analog devices\soundmax\smagent.exe
+ Speed Disk service Used to schedule disk defragmentation Symantec Corporation d:\program files\norton\system works\norton utilities\speed disk\nopdb.exe
+ Spooler Loads files to memory for later printing. Microsoft Corporation c:\winnt\system32\spoolsv.exe
+ StiSvc Still Image Devices Monitor Microsoft Corporation c:\winnt\system32\stisvc.exe
+ Symantec Core LC Symantec Core LC Symantec Corporation c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe
+ TrkWks Sends notifications of files moving between NTFS volumes in a network domain. Microsoft Corporation c:\winnt\system32\services.exe
+ vsmon Monitors internet traffic and generates alerts for disallowed access. Zone Labs, LLC c:\winnt\system32\zonelabs\vsmon.exe
+ WinMgmt Provides system management information. Microsoft Corporation c:\winnt\system32\wbem\winmgmt.exe
+ wuauserv Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. Microsoft Corporation c:\winnt\system32\wuauserv.dll
HKLM\System\CurrentControlSet\Services
+ ACPI ACPI Driver for NT Microsoft Corporation c:\winnt\system32\drivers\acpi.sys
+ aeaudio Andrea Audio Noise Cancellation Driver Andrea Electronics Corporation c:\winnt\system32\drivers\aeaudio.sys
+ AFD Ancillary Function Driver for WinSock Microsoft Corporation c:\winnt\system32\drivers\afd.sys
+ aic78xx Adaptec CHIM Family SCSI miniport Microsoft Corporation c:\winnt\system32\drivers\aic78xx.sys
+ AsyncMac RAS Asynchronous Media Driver Microsoft Corporation c:\winnt\system32\drivers\asyncmac.sys
+ atapi IDE/ATAPI Port Driver Microsoft Corporation c:\winnt\system32\drivers\atapi.sys
+ Atmarpc ATM ARP Client Protocol Microsoft Corporation c:\winnt\system32\drivers\atmarpc.sys
+ audstub AudStub Driver Microsoft Corporation c:\winnt\system32\drivers\audstub.sys
+ Avg7Core AVG Scanning Engine GRISOFT, s.r.o. c:\winnt\system32\drivers\avg7core.sys
+ Avg7RsNT AVG Resident Anti-Virus Shield GRISOFT, s.r.o. c:\winnt\system32\drivers\avg7rsnt.sys
+ Avg7RsW AVG Resident Shield Unload Helper GRISOFT, s.r.o. c:\winnt\system32\drivers\avg7rsw.sys
+ AvgClean AVG7 Clean Driver GRISOFT, s.r.o. c:\winnt\system32\drivers\avgclean.sys
+ catchme File not found: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
+ CCDECODE WDM Closed Caption VBI Codec Microsoft Corporation c:\winnt\system32\drivers\ccdecode.sys
+ Cdrom SCSI CD-ROM Driver Microsoft Corporation c:\winnt\system32\drivers\cdrom.sys
+ CDRPDACC CD Device Access Arrowkey d:\program files\321 studios\shared\cdrpdacc.sys
+ CO_Mon c:\winnt\system32\drivers\co_mon.sys
+ Disk PnP Disk Driver Microsoft Corporation c:\winnt\system32\drivers\disk.sys
+ dmio NT Disk Manager I/O Driver VERITAS Software Corp. c:\winnt\system32\drivers\dmio.sys
+ dmload NT Disk Manager Startup Driver VERITAS Software Corp. c:\winnt\system32\drivers\dmload.sys
+ DMusic Microsoft DirectMusic Software Synthesizer (WDM) Microsoft Corporation c:\winnt\system32\drivers\dmusic.sys
+ Fdc Floppy Disk Controller Driver Microsoft Corporation c:\winnt\system32\drivers\fdc.sys
+ Flpydisk Floppy Driver Microsoft Corporation c:\winnt\system32\drivers\flpydisk.sys
+ FltMgr File System Filter Manager Driver Microsoft Corporation c:\winnt\system32\drivers\fltmgr.sys
+ Ftdisk FT Disk Driver Microsoft Corporation c:\winnt\system32\drivers\ftdisk.sys
+ gmer GMER Driver http://www.gmer.net GMER c:\winnt\system32\drivers\gmer.sys
+ Gpc Generic Packet Classifier Microsoft Corporation c:\winnt\system32\drivers\msgpc.sys
+ hidusb USB Miniport Driver for Input Devices Microsoft Corporation c:\winnt\system32\drivers\hidusb.sys
+ i8042prt i8042 Port Driver Microsoft Corporation c:\winnt\system32\drivers\i8042prt.sys
+ IpFilterDriver IP Traffic Filter Driver Microsoft Corporation c:\winnt\system32\drivers\ipfltdrv.sys
+ IpInIp IP in IP Tunnel Driver Microsoft Corporation c:\winnt\system32\drivers\ipinip.sys
+ IpNat IP Network Address Translator Microsoft Corporation c:\winnt\system32\drivers\ipnat.sys
+ IPSEC IPSEC driver Microsoft Corporation c:\winnt\system32\drivers\ipsec.sys
+ IRENUM Infra-Red Bus Enumerator Microsoft Corporation c:\winnt\system32\drivers\irenum.sys
+ isapnp PNP ISA Bus Driver Microsoft Corporation c:\winnt\system32\drivers\isapnp.sys
+ Kbdclass Keyboard Class Driver Microsoft Corporation c:\winnt\system32\drivers\kbdclass.sys
+ kbdhid HID Mouse Filter Driver Microsoft Corporation c:\winnt\system32\drivers\kbdhid.sys
+ kmixer Kernel Mode Audio Mixer Microsoft Corporation c:\winnt\system32\drivers\kmixer.sys
+ MidiSyn SoundMAX Wavetable Synthesizer (WDM) Analog Devices, Inc. c:\winnt\system32\drivers\midisyn.sys
+ Mouclass Mouse Class Driver Microsoft Corporation c:\winnt\system32\drivers\mouclass.sys
+ mouhid HID Mouse Filter Driver Microsoft Corporation c:\winnt\system32\drivers\mouhid.sys
+ MPE Microsoft MPE to IP Filter Microsoft Corporation c:\winnt\system32\drivers\mpe.sys
+ MRxSmb MRXSMB Microsoft Corporation c:\winnt\system32\drivers\mrxsmb.sys
+ MSKSSRV MS KS Server Microsoft Corporation c:\winnt\system32\drivers\mskssrv.sys
+ MSPCLOCK MS Proxy Clock Microsoft Corporation c:\winnt\system32\drivers\mspclock.sys
+ MSPQM MS Proxy Quality Manager Microsoft Corporation c:\winnt\system32\drivers\mspqm.sys
+ MSTEE WDM Tee/Communication Transform Filter Microsoft Corporation c:\winnt\system32\drivers\mstee.sys
+ NABTSFEC WDM NABTS/FEC VBI Codec Microsoft Corporation c:\winnt\system32\drivers\nabtsfec.sys
+ Nbf NetBEUI Protocol Microsoft Corporation c:\winnt\system32\drivers\nbf.sys
+ NdisTapi Remote Access NDIS TAPI Driver Microsoft Corporation c:\winnt\system32\drivers\ndistapi.sys
+ Ndisuio NDIS Usermode I/O Protocol Microsoft Corporation c:\winnt\system32\drivers\ndisuio.sys
+ NdisWan Remote Access NDIS WAN Driver Microsoft Corporation c:\winnt\system32\drivers\ndiswan.sys
+ NetBIOS NetBIOS Interface Microsoft Corporation c:\winnt\system32\drivers\netbios.sys
+ NetBT NetBios over Tcpip Microsoft Corporation c:\winnt\system32\drivers\netbt.sys
+ NetDetect Network Card Detection driver Microsoft Corporation c:\winnt\system32\drivers\netdtect.sys
+ NPDriver Norton Protection Driver Symantec Corporation c:\winnt\system32\drivers\npdriver.sys
+ nv NVIDIA Compatible Windows 2000 Miniport Driver, Version 81.98 NVIDIA Corporation c:\winnt\system32\drivers\nv4_mini.sys
+ NwlnkFlt IPX Traffic Filter Driver Microsoft Corporation c:\winnt\system32\drivers\nwlnkflt.sys
+ NwlnkFwd IPX Traffic Forwarder Driver Microsoft Corporation c:\winnt\system32\drivers\nwlnkfwd.sys
+ openhci Open Host Controller Interface USB Driver Microsoft Corporation c:\winnt\system32\drivers\openhci.sys
+ Parallel Parallel Printer Driver Microsoft Corporation c:\winnt\system32\drivers\parallel.sys
+ Parport Parallel Port Driver Microsoft Corporation c:\winnt\system32\drivers\parport.sys
+ PCI NT Plug and Play PCI Enumerator Microsoft Corporation c:\winnt\system32\drivers\pci.sys
+ PCIIde Generic PCI IDE Bus Driver Microsoft Corporation c:\winnt\system32\drivers\pciide.sys
+ Pcouffin Patin-Couffin low level access layer for CD devices VSO Software c:\winnt\system32\drivers\pcouffin.sys
+ PptpMiniport WAN Miniport (PPTP) Microsoft Corporation c:\winnt\system32\drivers\raspptp.sys
+ Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\winnt\system32\drivers\ptilink.sys
+ RasAcd Remote Access Auto Connection Driver Microsoft Corporation c:\winnt\system32\drivers\rasacd.sys
+ Rasl2tp WAN Miniport (L2TP) Microsoft Corporation c:\winnt\system32\drivers\rasl2tp.sys
+ Raspti Direct Parallel Microsoft Corporation c:\winnt\system32\drivers\raspti.sys
+ RCA RCA filter Microsoft Corporation c:\winnt\system32\drivers\rca.sys
+ Rdbss Rdbss Microsoft Corporation c:\winnt\system32\drivers\rdbss.sys
+ redbook Redbook Audio Filter Driver Microsoft Corporation c:\winnt\system32\drivers\redbook.sys
+ SDdriver SDDRIVER Symantec Corporation c:\winnt\system32\drivers\sddriver.sys
+ senfilt Sensaura WDM 3D Audio Driver Sensaura c:\winnt\system32\drivers\senfilt.sys
+ serenum Serial Port Enumerator Microsoft Corporation c:\winnt\system32\drivers\serenum.sys
+ Serial Serial Device Driver Microsoft Corporation c:\winnt\system32\drivers\serial.sys
+ SiSGbe2K NDIS 5.0 Miniport Driver for SiS191/SiS190 Ethernet Device Silicon Integrated Systems Corp. c:\winnt\system32\drivers\sisgbe2k.sys
+ SLIP Microsoft Slip Deframing Filter Minidriver Microsoft Corporation c:\winnt\system32\drivers\slip.sys
+ smwdm SoundMAX Integrated Digital Audio Analog Devices, Inc. c:\winnt\system32\drivers\smwdm.sys
+ srescan srescan Zone Labs, LLC c:\winnt\system32\zonelabs\srescan.sys
+ Srv Srv Microsoft Corporation c:\winnt\system32\drivers\srv.sys
+ sscdbus SAMSUNG USB Composite Device Driver MCCI c:\winnt\system32\drivers\sscdbus.sys
+ sscdmdfl SAMSUNG CDMA Modem Filter MCCI c:\winnt\system32\drivers\sscdmdfl.sys
+ sscdmdm SAMSUNG CDMA Modem Drivers MCCI c:\winnt\system32\drivers\sscdmdm.sys
+ streamip Microsoft IP Driver Microsoft Corporation c:\winnt\system32\drivers\streamip.sys
+ swenum Plug and Play Software Device Enumerator Microsoft Corporation c:\winnt\system32\drivers\swenum.sys
+ swmidi Microsoft GS Wavetable Synthesizer Microsoft Corporation c:\winnt\system32\drivers\swmidi.sys
+ SymEvent Symantec Event Library Symantec Corporation c:\program files\symantec\symevent.sys
+ symlcbrd Symantec Core Component Symantec Corporation c:\winnt\system32\drivers\symlcbrd.sys
+ sysaudio System Audio WDM Filter Microsoft Corporation c:\winnt\system32\drivers\sysaudio.sys
+ Tcpip TCP/IP Protocol Driver Microsoft Corporation c:\winnt\system32\drivers\tcpip.sys
+ Update Update Driver Microsoft Corporation c:\winnt\system32\drivers\update.sys
+ usbehci EHCI eUSB Miniport Driver Microsoft Corporation c:\winnt\system32\drivers\usbehci.sys
+ usbhub Default Hub Driver for USB Microsoft Corporation c:\winnt\system32\drivers\usbhub.sys
+ usbhub20 Default Hub Driver for USB 2.0 Microsoft Corporation c:\winnt\system32\drivers\usbhub20.sys
+ usbprint USB Printer driver Microsoft Corporation c:\winnt\system32\drivers\usbprint.sys
+ usbscan USB Scanner Driver Microsoft Corporation c:\winnt\system32\drivers\usbscan.sys
+ USBSTOR USB Mass Storage Class Driver Microsoft Corporation c:\winnt\system32\drivers\usbstor.sys
+ VgaSave VGA/Super VGA Video Driver Microsoft Corporation c:\winnt\system32\drivers\vga.sys
+ vsdatant TrueVector Device Driver Zone Labs, LLC c:\winnt\system32\vsdatant.sys
+ Wanarp Remote Access IP ARP Driver Microsoft Corporation c:\winnt\system32\drivers\wanarp.sys
+ wdmaud MMSYSTEM Wave/Midi API mapper Microsoft Corporation c:\winnt\system32\drivers\wdmaud.sys
+ WmBEnum Logitech WingMan Virtual Bus Enumerator Driver Logitech Inc. c:\winnt\system32\drivers\wmbenum.sys
+ WmFilter Logitech WingMan Hid Filter Driver Logitech Inc. c:\winnt\system32\drivers\wmfilter.sys
+ WmVirHid Logitech WingMan Virtual Hid Device Driver Logitech Inc. c:\winnt\system32\drivers\wmvirhid.sys
+ WmXlCore Logitech WingMan Translation Driver Logitech Inc. c:\winnt\system32\drivers\wmxlcore.sys
+ WSTCODEC WDM WST Codec Driver Microsoft Corporation c:\winnt\system32\drivers\wstcodec.sys
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
+ autocheck autochk * Auto Check Utility Microsoft Corporation c:\winnt\system32\autochk.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
+ Your Image File Name Here without a path Symbolic Debugger for Windows 2000 Microsoft Corporation c:\winnt\system32\ntsd.exe
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
+ advapi32 Advanced Windows 32 Base API Microsoft Corporation c:\winnt\system32\advapi32.dll
+ comdlg32 Common Dialogs DLL Microsoft Corporation c:\winnt\system32\comdlg32.dll
+ gdi32 GDI Client DLL Microsoft Corporation c:\winnt\system32\gdi32.dll
+ imagehlp Windows NT Image Helper Microsoft Corporation c:\winnt\system32\imagehlp.dll
+ kernel32 Windows NT BASE API Client DLL Microsoft Corporation c:\winnt\system32\kernel32.dll
+ lz32 LZ Expand/Compress API DLL Microsoft Corporation c:\winnt\system32\lz32.dll
+ ole32 Microsoft OLE for Windows Microsoft Corporation c:\winnt\system32\ole32.dll
+ oleaut32 Microsoft Corporation c:\winnt\system32\oleaut32.dll
+ olecli32 Object Linking and Embedding Client Library Microsoft Corporation c:\winnt\system32\olecli32.dll
+ olecnv32 Microsoft OLE for Windows Microsoft Corporation c:\winnt\system32\olecnv32.dll
+ olesvr32 Object Linking and Embedding Server Library Microsoft Corporation c:\winnt\system32\olesvr32.dll
+ olethk32 Microsoft OLE for Windows Microsoft Corporation c:\winnt\system32\olethk32.dll
+ rpcrt4 Remote Procedure Call Runtime Microsoft Corporation c:\winnt\system32\rpcrt4.dll
+ shell32 Windows Shell Common Dll Microsoft Corporation c:\winnt\system32\shell32.dll
+ url Internet Shortcut Shell Extension DLL Microsoft Corporation c:\winnt\system32\url.dll
+ urlmon OLE32 Extensions for Win32 Microsoft Corporation c:\winnt\system32\urlmon.dll
+ user32 Windows 2000 USER API Client DLL Microsoft Corporation c:\winnt\system32\user32.dll
+ version Version Checking and File Installation Libraries Microsoft Corporation c:\winnt\system32\version.dll
+ wininet Internet Extensions for Win32 Microsoft Corporation c:\winnt\system32\wininet.dll
+ wldap32 Win32 LDAP API DLL Microsoft Corporation c:\winnt\system32\wldap32.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ crypt32chain Crypto API32 Microsoft Corporation c:\winnt\system32\crypt32.dll
+ cryptnet Crypto Network Related API Microsoft Corporation c:\winnt\system32\cryptnet.dll
+ cscdll Offline Network Agent Microsoft Corporation c:\winnt\system32\cscdll.dll
+ sclgntfy Secondary Logon Service Notification DLL Microsoft Corporation c:\winnt\system32\sclgntfy.dll
+ SensLogn Common DLL to receive Winlogon notifications Microsoft Corporation c:\winnt\system32\wlnotify.dll
+ wzcnotif Wireless Zero Configuration Service UI Microsoft Corporation c:\winnt\system32\wzcdlg.dll
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ MSAFD NetBIOS [\Device\Nbf_NdisWanNbfIn{097DCC31-53F2-421C-842E-496B68B6A5BD}] DATAGRAM 5 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\Nbf_NdisWanNbfIn{097DCC31-53F2-421C-842E-496B68B6A5BD}] SEQPACKET 5 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\Nbf_NdisWanNbfIn{3CD29930-6D17-4DD3-B2A2-0E7BF8ECB156}] DATAGRAM 6 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\Nbf_NdisWanNbfIn{3CD29930-6D17-4DD3-B2A2-0E7BF8ECB156}] SEQPACKET 6 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\Nbf_NdisWanNbfIn{A31013BE-D54C-476B-B7CD-05E73ADEB3F1}] DATAGRAM 7 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\Nbf_NdisWanNbfIn{A31013BE-D54C-476B-B7CD-05E73ADEB3F1}] SEQPACKET 7 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\Nbf_NdisWanNbfOut{567B5B20-1B08-4B22-B929-CCA320509A09}] DATAGRAM 4 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\Nbf_NdisWanNbfOut{567B5B20-1B08-4B22-B929-CCA320509A09}] SEQPACKET 4 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\Nbf_NdisWanNbfOut{5E643D81-83CE-41CD-942E-432D9DD73844}] DATAGRAM 9 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\Nbf_NdisWanNbfOut{5E643D81-83CE-41CD-942E-432D9DD73844}] SEQPACKET 9 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\Nbf_NdisWanNbfOut{A586A6BF-B7C8-462D-86A3-2D93DBE2CC5E}] DATAGRAM 8 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\Nbf_NdisWanNbfOut{A586A6BF-B7C8-462D-86A3-2D93DBE2CC5E}] SEQPACKET 8 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\Nbf_{15D4E2FE-16D1-42D2-8486-61C9986D71E1}] DATAGRAM 3 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\Nbf_{15D4E2FE-16D1-42D2-8486-61C9986D71E1}] SEQPACKET 3 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{15D4E2FE-16D1-42D2-8486-61C9986D71E1}] DATAGRAM 0 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{15D4E2FE-16D1-42D2-8486-61C9986D71E1}] SEQPACKET 0 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{1743D244-09C1-487B-A809-37F1038EF62E}] DATAGRAM 2 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{1743D244-09C1-487B-A809-37F1038EF62E}] SEQPACKET 2 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{E62F7943-0EF8-464E-A781-E8C09C4F8DE4}] DATAGRAM 1 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{E62F7943-0EF8-464E-A781-E8C09C4F8DE4}] SEQPACKET 1 Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD Tcpip [RAW/IP] Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD Tcpip [TCP/IP] Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ MSAFD Tcpip [UDP/IP] Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation c:\winnt\system32\msafd.dll
+ RSVP TCP Service Provider Microsoft Windows Rsvp 1.0 Service Provider Microsoft Corporation c:\winnt\system32\rsvpsp.dll
+ RSVP UDP Service Provider Microsoft Windows Rsvp 1.0 Service Provider Microsoft Corporation c:\winnt\system32\rsvpsp.dll
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ Adobe PDF Port Acrobat ® PDF Port Adobe Systems Incorporated. c:\winnt\system32\adobepdf.dll
+ BJ Language Monitor Langage Monitor for Canon Bubble-Jet Printer Microsoft Corporation c:\winnt\system32\cnbjmon.dll
+ Lexmark Network Port LEXLMPM DLL Lexmark International, Inc. c:\winnt\system32\lexlmpm.dll
+ Local Port Local Spooler DLL Microsoft Corporation c:\winnt\system32\localspl.dll
+ PJL Language Monitor Spooler Setup DLL Microsoft Corporation c:\winnt\system32\pjlmon.dll
+ Standard TCP/IP Port Standard TCP/IP Port Monitor DLL Microsoft Corporation c:\winnt\system32\tcpmon.dll
+ USB Monitor Standard USB printing Port Monitor DLL Microsoft Corporation c:\winnt\system32\usbmon.dll
+ Windows NT Fax Monitor Fax Print Monitor Microsoft Corporation c:\winnt\system32\msfaxmon.dll
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
+ digest.dll Digest SSPI Authentication Package Microsoft Corporation c:\winnt\system32\digest.dll
+ msapsspc.dll DPA Client for 32 bit platforms Microsoft Corporation c:\winnt\system32\msapsspc.dll
+ msnsspc.dll MSN Client for 32 bit platforms Microsoft Corporation c:\winnt\system32\msnsspc.dll
+ schannel.dll TLS / SSL Security Provider Microsoft Corporation c:\winnt\system32\schannel.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
+ msv1_0 Microsoft Authentication Package v1.0 Microsoft Corporation c:\winnt\system32\msv1_0.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
+ scecli Windows Security Configuration Editor Client Engine Microsoft Corporation c:\winnt\system32\scecli.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
+ kerberos Kerberos Security Package Microsoft Corporation c:\winnt\system32\kerberos.dll
+ msv1_0 Microsoft Authentication Package v1.0 Microsoft Corporation c:\winnt\system32\msv1_0.dll
+ schannel TLS / SSL Security Provider Microsoft Corporation c:\winnt\system32\schannel.dll
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
+ LanmanWorkstation Microsoft Windows Network Microsoft Corporation c:\winnt\system32\ntlanman.dll







2a) NOW, HERE IS THE COMBOFIX LOG, WHICH I FOUND:

"Derek" - 07/11/2007 18:57:50 - ComboFix 07-07-10.1 - Service Pack 4


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-06-11 to 2007-07-11 )))))))))))))))))))))))))))))))


2007-07-11 18:56 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-11 16:57 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-07-11 16:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-10 14:07 552 --a------ C:\WINNT\system32\d3d8caps.dat
2007-07-10 13:55 122,880 --ah----- C:\DOCUME~1\SYSTEM\NTUSER.DAT
2007-06-27 17:01 90,112 --a------ C:\WINNT\system32\odbcint.dll
2007-06-27 17:01 61,440 --a------ C:\WINNT\system32\odbccu32.dll
2007-06-27 17:01 61,440 --a------ C:\WINNT\system32\odbccr32.dll
2007-06-27 17:01 45,632 --a------ C:\WINNT\system32\cliconfg.exe
2007-06-27 17:01 4,656 --a------ C:\WINNT\system32\ds16gt.dll
2007-06-27 17:01 36,864 --a------ C:\WINNT\system32\mscpxl32.dll
2007-06-27 17:01 32,768 --a------ C:\WINNT\system32\odbcad32.exe
2007-06-27 17:01 28,672 --a------ C:\WINNT\system32\dbnmpntw.dll
2007-06-27 17:01 26,224 --a------ C:\WINNT\system32\odbc16gt.dll
2007-06-27 17:01 24,576 --a------ C:\WINNT\system32\dbmsvinn.dll
2007-06-27 17:01 24,576 --a------ C:\WINNT\system32\dbmsrpcn.dll
2007-06-27 17:01 24,576 --a------ C:\WINNT\system32\dbmsgnet.dll
2007-06-27 17:01 20,480 --a------ C:\WINNT\system32\msorc32r.dll
2007-06-27 17:01 20,480 --a------ C:\WINNT\system32\dbmsadsn.dll
2007-06-27 17:01 180,800 --a------ C:\WINNT\system32\sqlunirl.dll
2007-06-27 17:01 16,384 --a------ C:\WINNT\system32\odbc32gt.dll
2007-06-27 17:01 16,384 --a------ C:\WINNT\system32\ds32gt.dll
2007-06-27 17:01 147,456 --a------ C:\WINNT\system32\odbctrac.dll
2007-06-27 17:01 131,072 --a------ C:\WINNT\system32\msorcl32.dll
2007-06-27 17:01 127,552 --a------ C:\WINNT\system32\cliconfg.dll
2007-06-27 17:01 126,976 --a------ C:\WINNT\system32\msdart.dll
2007-06-20 15:17 <DIR> d-------- C:\WINNT\system32\SoftwareDistribution
2007-06-12 23:32 <DIR> d-------- C:\Program Files\Comical
2007-06-12 13:47 <DIR> d-a------ C:\WINNT\system32\appmgmt


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-29 06:09:34 28,672 ----a-w C:\WINNT\system32\drivers\CO_Mon.sys
2007-06-12 18:47:51 -------- d-----w C:\Program Files\emoze
2007-04-25 07:52:16 147,216 ----a-w C:\WINNT\system32\SCHANNEL.DLL
2007-04-18 15:56:26 5,241,359 ------w C:\AVG7QT.DAT
2007-04-17 03:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-16 12:44:08 54,032 ----a-w C:\WINNT\system32\mpr.dll
2007-04-13 00:12:56 4,212 ---h--w C:\WINNT\system32\zllictbl.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
06-12-18 04:16 59032 --a------ D:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
05-05-31 01:04 853672 --a------ D:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
06-12-15 03:23 440056 --a------ C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
06-12-18 04:18 231160 --a------ D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"Tweak UI"="TWEAKUI.CPL" [00-06-18 13:03 C:\WINNT\system32\TWEAKUI.CPL]
"Lexmark X6100 Series"="C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe" [03-09-23 01:01 ]
"THGuard"="D:\Program Files\TrojanHunter 4.2\THGuard.exe" [05-02-19 15:36 ]
"Norton Ghost 9.0"="D:\Program Files\Norton\Ghost\Agent\GhostTray.exe" [04-07-29 03:41 ]
"Acrobat Assistant 7.0"="D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe" [06-01-12 19:52 ]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [04-10-14 08:11 ]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [04-09-23 11:41 ]
"@"="" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06-08-10 10:11 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [06-12-15 03:23 ]
"ZoneAlarm Client"="D:\Program Files\ZoneAlarm\zlclient.exe" [07-03-09 00:02 ]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVG\avgcc.exe" [07-04-21 08:40 ]
"nwiz"="nwiz.exe" [05-12-10 02:06 C:\WINNT\system32\nwiz.exe]
"QuickTime Task"="D:\Program Files\Quicktime\qttask.exe" [06-08-09 22:32 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 07:00 C:\WINNT\system32\internat.exe]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05-05-31 01:04 ]
"Norton SystemWorks"="D:\Program Files\Norton\System Works\cfgwiz.exe" [04-09-09 21:12 ]
"AWMON"="D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [05-05-25 11:12 ]
"DeskSlide"="D:\Program Files\DeskSlide\DeskSlide.exe" [06-06-27 21:31 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINNT\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINNT\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINNT\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]
C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


Contents of the 'Scheduled Tasks' folder
2007-07-08 16:23:51 C:\WINNT\tasks\Norton SystemWorks One Button Checkup.job
2007-07-11 05:02:59 C:\WINNT\tasks\Symantec Drmc.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-11 19:04:04
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\Perflib_Perfdata_c9c.dat

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-07-11 19:06:51 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-07-11 19:06

--- E O F ---






2b) THERE WAS ALSO A FILE at C:\ CALLED ComboFix-quarantined-files.txt AND IT FOLLOWS IN CASE IT IS NECESSARY:

07-07-11 18:59       352    --a------    C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf


Folder PATH listing
Volume serial number is 0006FE80 A888:7B57
C:\QOOBOX
\---Quarantine
    \---Registry_backups
            services_nm.reg.cf
            








3) HERE IS THE FIND VBS.BAT LOG FILE:


Volume in drive C has no label.
Volume Serial Number is A888-7B57

Directory of C:\ComboFix

07/08/07 09:23p 15,399 FProps.vbs
1 File(s) 15,399 bytes

Directory of C:\Documents and Settings\Administrator\Desktop

07/12/07 11:07a 347,253 Silent Runners.vbs
1 File(s) 347,253 bytes

Directory of C:\WINNT\system32

12/07/99 07:00a 3,708 pubprn.vbs
1 File(s) 3,708 bytes

Total Files Listed:
3 File(s) 366,360 bytes
0 Dir(s) 7,699,726,336 bytes free








4) HERE IS THE NEW HIJACKTHIS LOG FILE:

Logfile of HijackThis v1.99.1
Scan saved at 4:11:27 PM, on 8/01/07
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\PROGRA~1\Grisoft\AVG\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSec.exe
D:\Program Files\Norton\Ghost\Agent\PQV2iSvc.exe
D:\PROGRA~1\Norton\SYSTEM~1\NORTON~1\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
D:\Program Files\ProShow Gold\ScsiAccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\PROGRA~1\Norton\SYSTEM~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT
dantijkc
Active Member
 
Posts: 11
Joined: July 10th, 2007, 11:23 am

Part 2

Unread postby dantijkc » August 1st, 2007, 4:26 pm

All of the text showed up in the box before, but not upon posting, so let's try again. I'll start from the HijackThis log again:

4) HERE IS THE NEW HIJACKTHIS LOG FILE:

Logfile of HijackThis v1.99.1
Scan saved at 4:11:27 PM, on 8/01/07
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\PROGRA~1\Grisoft\AVG\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSec.exe
D:\Program Files\Norton\Ghost\Agent\PQV2iSvc.exe
D:\PROGRA~1\Norton\SYSTEM~1\NORTON~1\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
D:\Program Files\ProShow Gold\ScsiAccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\PROGRA~1\Norton\SYSTEM~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
D:\Program Files\Norton\Ghost\Agent\GhostTray.exe
D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
D:\Program Files\ZoneAlarm\zlclient.exe
D:\PROGRA~1\Grisoft\AVG\avgcc.exe
D:\Program Files\Quicktime\qttask.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\internat.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\rundll32.exe
D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
D:\Program Files\DeskSlide\DeskSlide.exe
D:\Program Files\MemTurbo\MemTurbo.exe
D:\PROGRA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] D:\Program Files\Norton\Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "D:\Program Files\Norton\System Works\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [AWMON] "D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [DeskSlide] D:\Program Files\DeskSlide\DeskSlide.exe -logon -hide
O4 - Startup: MemTurbo.lnk = D:\Program Files\MemTurbo\MemTurbo.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = D:\Program Files\Adobe\Acrobat\Acrobat\acrobat_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5152811406
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{15D4E2FE-16D1-42D2-8486-61C9986D71E1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{15D4E2FE-16D1-42D2-8486-61C9986D71E1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{15D4E2FE-16D1-42D2-8486-61C9986D71E1}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - D:\Program Files\Norton\Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\PROGRA~1\Norton\SYSTEM~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - D:\Program Files\ProShow Gold\ScsiAccess.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\Norton\SYSTEM~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

5) FINALLY, HERE ARE FOUR AVG LOGS, THE FIRST PERTAINS TO THE FIRST TIME A PROBLEM WAS FOUND (VBS/DROPPER AND A 'CHANGE' TO KERNEL32.DLL), THE SECOND PERTAINS TO THE NEXT DAY WHEN BACKDOOR.HUPIGON WAS FOUND IN AN UNRELATED FILE, THE THIRD TO THE FOLLOWING DAY WHEN SUPPOSEDLY DELETED OR QUARANTINED FILES SHOWED UP AGAIN PERHAPS DUE TO NORTON PROTECTED RECYCLE BIN, AND THE FOURTH SHOWS THE FIRST SCAN UPON ARRIVING HOME WHEN A CHANGE WAS NOTICED IN BOTH KERNEL32.DLL AND HOSTS

It is worth noting that the file supposedly infected with BackDoor.Hupigon.BFA was downloaded about a year ago and had never shown up as infected until this scan, despite daily AVG scans. It seems odd for it to have suddenly become infected the day after; or perhaps AVG was finally updated to recognize this problem?

5a)

"General properties",""
"Report name","Complete Test"
"Start time","7/6/2007 12:08:02 AM"
"End time","7/6/2007 12:44:17 AM (total: 36:13.5 Min)"
"Launch method","Scanning launched manually"
"Scanning result","Threats found"
"Report status","Scanning stopped manually"
" ",""
"Object summary",""
"Scanned","82801"
"Threats Found","1"
"Cleaned","0"
"Moved to vault","0"
"Deleted","0"
"Errors","0"
"C:\WINNT\system32\kernel32.dll","Change","Changed"
"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6GDVR6H7\royaldirect[1].htm","Virus found VBS/Dropper","Infected"

5b)

"General properties",""
"Report name","Complete Test"
"Start time","7/6/2007 8:00:09 AM"
"End time","7/6/2007 8:55:10 AM (total: 55:01.5 Min)"
"Launch method","Scanning launched by scheduler"
"Scanning result","Threats found"
"Report status","Scanning completed successfully"
" ",""
"Object summary",""
"Scanned","97199"
"Threats Found","2"
"Cleaned","0"
"Moved to vault","1"
"Deleted","1"
"Errors","0"
"C:\WINNT\system32\kernel32.dll","Change","Changed"
"E:\Downloads\GTA SAN ANDREAS CRACK BY HOODLUM.rar:\HOODLUM\HLM-INTR.EXE","Trojan horse BackDoor.Hupigon.BFA","Infected, Embedded object, Deleted"
"D:\Program Files\Rockstar Games\GTA San Andreas\HLM-INTR.EXE","","Deleted"
"E:\Downloads\GTA SAN ANDREAS CRACK BY HOODLUM.rar","","Moved to Vault, Archive"

5c)

"General properties",""
"Report name","Complete Test"
"Start time","7/7/2007 8:00:09 AM"
"End time","7/7/2007 8:55:17 AM (total: 55:07.2 Min)"
"Launch method","Scanning launched by scheduler"
"Scanning result","Threats found"
"Report status","Scanning completed successfully"
" ",""
"Object summary",""
"Scanned","97843"
"Threats Found","1"
"Cleaned","0"
"Moved to vault","1"
"Deleted","0"
"Errors","0"
"C:\WINNT\system32\kernel32.dll","Change","Changed"
"E:\RECYCLER\NPROTECT\00000010.RAR:\HOODLUM\HLM-INTR.EXE","Trojan horse BackDoor.Hupigon.BFA","Infected, Embedded object, Deleted"
"E:\RECYCLER\NPROTECT\00000010.RAR","","Moved to Vault, Archive"

5d)

"General properties",""
"Report name","Complete Test"
"Start time","8/1/2007 8:00:07 AM"
"End time","8/1/2007 8:57:36 AM (total: 57:28.7 Min)"
"Launch method","Scanning launched by scheduler"
"Scanning result","No threats found"
"Report status","Scanning completed successfully"
" ",""
"Object summary",""
"Scanned","98981"
"Threats Found","0"
"Cleaned","0"
"Moved to vault","0"
"Deleted","0"
"Errors","0"
"C:\WINNT\system32\kernel32.dll","Change","Changed"
"C:\WINNT\system32\drivers\etc\hosts","Change","Changed"

THANKS AGAIN!
dantijkc
Active Member
 
Posts: 11
Joined: July 10th, 2007, 11:23 am
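As an added example (not part of the post, and not HijackThis's own code), here is a small Python triage pass over entry lines of the kind shown in the log above. It parses the "Oxx - " lines and pulls out the ones a helper would check first: browser components whose file is gone (the two "(no file)" BHOs), an O16 control with no source URL recorded, an O23 service with no owner string, and any O17 nameserver outside RFC 1918 private space. The sample lines are copied from the log; the second O17 line with 198.51.100.9 is constructed so the DNS check has something to flag.

```python
import ipaddress
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log above. The O17 line ending in
# 198.51.100.9 is constructed (not from the log) to exercise the DNS check.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG\avgcc.exe /STARTUP
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{15D4E2FE-16D1-42D2-8486-61C9986D71E1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{15D4E2FE-16D1-42D2-8486-61C9986D71E1}: NameServer = 198.51.100.9
O23 - Service: ScsiAccess - Unknown owner - D:\Program Files\ProShow Gold\ScsiAccess.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section tag such as R0, O2, O23.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Return (section, body, line) for each entry line; header and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line))
    return entries


def nameservers(body):
    """Extract the addresses from an O17 body ('...: NameServer = a.b.c.d,e.f.g.h')."""
    _, _, tail = body.partition("NameServer =")
    return [t for t in re.split(r"[,\s]+", tail.strip()) if t]


def is_rfc1918(addr):
    """True when addr parses as an IP inside one of the RFC 1918 private ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def triage(text):
    """Flag the entries a helper would look at first; everything else is left alone."""
    findings = []
    for section, body, line in parse_entries(text):
        if section in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(Finding(section, "registered browser component whose file is missing (orphan CLSID)", line))
        elif section == "O16" and body.rstrip().endswith("-"):
            findings.append(Finding(section, "downloaded ActiveX control with no source URL recorded", line))
        elif section == "O17":
            public = [a for a in nameservers(body) if not is_rfc1918(a)]
            if public:
                findings.append(Finding(section, f"nameserver outside private address space: {', '.join(public)}", line))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service binary with no vendor/owner string", line))
    return findings


def count_by_section(text):
    """Entry count per section, a quick sanity check that the log parsed fully."""
    counts = {}
    for section, _, _ in parse_entries(text):
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

A flagged entry is a question to answer, not a verdict: the two orphan BHOs here are leftovers with no file behind them, and a public nameserver is normal when it belongs to the ISP, so each finding should be compared against what the machine is expected to have.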

Unread postby Elrond » August 2nd, 2007, 1:54 am

Good to hear that you had a good vacation.

From what I can see after working through the logs your computer seems to be OK.

AVG caught the infections before they could infect the machine, and the logs from it only show stuff that is already rendered harmless. We will try to clean it out in a bit.

However, I saw that one of the infections came in a crack. Cracks are, besides being illegal and theft, one of the most dangerous things you can have on your computer. They are used by the malware spreaders as an ideal way of spreading malware. You are expecting the program to install something, and if that something also includes a few nice pieces of malware you will not notice it until it is too late.

This is what AVG says about entries of the same form as these two:
"C:\WINNT\system32\kernel32.dll","Change","Changed"
"C:\WINNT\system32\drivers\etc\hosts","Change","Changed"
It is normal for AVG to show that files, the MBR or boot record have changed. These changes happen during normal maintenance, when you or Windows update files or have had to correct errors on the drive. The only time that you should worry is if they also show as infected.

To get AVG to quit showing them as changed, open the AVG Test Center, press the F3 key on your keyboard and tell it to accept the changes. If it still shows something as changed after this, delete the file named AVG7QT.DAT in C:\ and AVG will rebuild it the next time it is run.


There are a few things that still need to be done to make the computer safer against infections.

I do not know if you need the Java runtime. It is a pain in the neck to keep updated, because every time they find another security hole in it and patch it you have to uninstall the old one and install the new version. You cannot just install the new one over the older one, because that leaves the old one, with its security holes, still on your computer and exploitable. :roll:
If you decide not to install the latest version but simply want to see if you can live without it, then simply follow the part about uninstalling below.

Download the latest Java from here.

Scroll down to Java Runtime Environment (JRE) 6u2 and click on Download. Click on Accept License Agreement, the page will refresh.

Click on Windows Offline Installation, Multi-language and save it.

Do not run it yet.

  1. Go to Start > Control Panel. Double click on Add/Remove Programs.
  2. Locate J2SE Runtime Environment 5.0 Update 3 and click on Change/Remove to uninstall it.
  3. Once done, close Add/Remove Programs and Control Panel.
After uninstalling the old Java program, install the latest version of Java that you've downloaded earlier.


Now for some cleanup and then some good advice. :)

I would advise you to delete the following. The tools are really not suitable for regular use and can be dangerous if misused. They also clutter up your computer:
Please delete
  • combofix.exe and its backup and log files
    C:\ComboFix-quarantined-files.txt
    C:\combofix.txt
  • Silent Runners and its log
  • C:\program files\GMER folder
  • AutoRuns and the log (if you saved it)
  • Find VBS.bat and vbssearch.txt (if you can find it)

Set correct settings for files that should be hidden in Windows XP
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked, please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK
  1. Clean out Temporary Files etc. Download System Security Suite from http://www.igorshpak.net/software/3ssetup104.zip. Extract it from the zip file into a folder and double click on sss.exe. Please check the following check-boxes under the Items to Clear tab:
    1. Under Internet Explorer
      • History
      • Temporary Files
    2. Under My Computer
      • Recycle Bin
      • Run (Menu)
      • Search History
      • Temporary Files
    Next click 'Clear Selected Items'. Reboot when prompted. It is a good idea to do this every few weeks as a lot of junk collects there over time.

  2. If you are using Internet Explorer v. 6
    Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
    There are good reasons to upgrade to Internet Explorer v. 7. Do look into this. You can find a lot of information about it on Microsoft's website.
  3. Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  4. Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Once a day is a good idea). If you do not update your anti virus software it will not be able to catch new variants that come out.
  5. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Windows Firewall is not recommended.
    Be restrictive with granting access to the Internet. If you are unsure if the program really needs the access, test it by denying the access and see if this has any negative effects. If not, make the block permanent.
  6. Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems.
  7. Visit Microsoft's Windows Update Site Frequently or better yet set computer for automatic updates.
  8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  9. Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet.be/bluepatchy/miek ... ntion.html that will give you more information on some of the points above.
Follow this list and your potential for being infected again will reduce dramatically.

Stand up and be Counted.
NOW is the time you can start to hit back at the people who infected you.
Please take the time to go and complain - that forum has a topic for your infection which is Vundo and some bots. Please post as a reply, you do not need to register to do so (but you can if you wish). It will also have a list of other places you can go to register your complaint, depending on the country you are resident in. Please read the topics and complain, it is only with such complaints to government or government agencies that something will get done.

I hope I could help you. E :)
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
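Added example, not code from AVG or from the post above: the "Change","Changed" verdict in the AVG reports is a digest mismatch against a stored baseline (the role AVG7QT.DAT plays), and on its own it says nothing about whether the new content is malicious. The script below builds such a baseline, reports changed or missing files, re-baselines them (the equivalent of telling AVG to accept the changes), and separately inspects a hosts file for entries that redirect names elsewhere or sinkhole update and anti-virus hosts, which is the check that actually separates a benign edit from a suspicious one. All paths and file contents are constructed and live in a scratch directory; the list of protected vendor names is an assumption for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# The two files AVG reported as "Changed" above, relative to a root directory so
# the example can run against a scratch directory instead of a real C:\.
WATCHED = (
    "WINNT/system32/kernel32.dll",
    "WINNT/system32/drivers/etc/hosts",
)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, watched=WATCHED) -> dict:
    """Record the digest of every watched file that exists (what AVG7QT.DAT stores)."""
    return {rel: sha256_file(root / rel) for rel in watched if (root / rel).is_file()}


def compare(root: Path, baseline: dict) -> dict:
    """Return path -> 'unchanged' | 'changed' | 'missing' for every baselined file."""
    result = {}
    for rel, digest in baseline.items():
        p = root / rel
        if not p.is_file():
            result[rel] = "missing"
        elif sha256_file(p) == digest:
            result[rel] = "unchanged"
        else:
            result[rel] = "changed"
    return result


def accept_changes(root: Path, baseline: dict) -> dict:
    """The 'accept the changes' step: re-baseline the same set of files."""
    return build_baseline(root, tuple(baseline))


LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Constructed watch-list of update / anti-virus hostnames (an assumption for the
# example): a hosts entry for any of these, even to loopback, blocks updates.
PROTECTED_NAME_FRAGMENTS = ("windowsupdate.", "update.microsoft.", "grisoft.com",
                            "avg.com", "symantec.com", "kaspersky.com")


def parse_hosts(text: str):
    """Yield (address, hostname) for every mapping, ignoring comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower()


def suspicious_hosts_entries(text: str) -> list:
    """Flag redirects to non-loopback addresses and any entry touching a protected host."""
    flagged = []
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue
        if addr not in LOOPBACK:
            flagged.append((addr, name, "redirect to non-loopback address"))
        elif any(frag in name for frag in PROTECTED_NAME_FRAGMENTS):
            flagged.append((addr, name, "update/AV host sinkholed to loopback"))
    return flagged


# Constructed hosts file with two entries a defender would not want to see.
BAD_HOSTS = """\
127.0.0.1      localhost
127.0.0.1      update.microsoft.com    # constructed: sinkholes updates
198.51.100.7   www.google.ca           # constructed: redirects a site
"""


def demo() -> dict:
    """Run the whole flow in a scratch directory with constructed file contents."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in ((WATCHED[0], b"constructed stand-in for kernel32 bytes"),
                          (WATCHED[1], b"127.0.0.1 localhost\n")):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        baseline = build_baseline(root)
        first = compare(root, baseline)                      # everything 'unchanged'
        # A harmless edit (a comment line) still flips the digest: changed != infected.
        (root / WATCHED[1]).write_bytes(b"127.0.0.1 localhost\n# added by admin\n")
        second = compare(root, baseline)
        hosts_flags = suspicious_hosts_entries((root / WATCHED[1]).read_text())
        third = compare(root, accept_changes(root, baseline))   # re-baselined
    return {"first": first, "second": second, "third": third, "hosts_flags": hosts_flags}


if __name__ == "__main__":
    print(demo())
    print(suspicious_hosts_entries(BAD_HOSTS))
```

The digest check answers only "is this file the same bytes as last time"; the content check on the hosts file is what tells you whether the change matters, which is why the post's advice to worry only when a file also shows as infected is the right reading of those report lines.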
