what's going on?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Post by 050085 » October 24th, 2006, 1:17 am

Hi there,
Just reformatted my drive to install Windows XP.
On restart I start getting IE popups which come about 5 at a time.
Used Spybot and AVG to scan. Programs say it's cleared but popups still appear and AVG detects viruses.

My Task Manager from pressing Ctrl-Alt-Del has also been somehow "disabled by administrator" even though I did not add other users.

Here's my HijackThis log, hope you guys can help!

Logfile of HijackThis v1.99.1
Scan saved at 1:12:13 PM, on 10/24/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\Msn32e.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\Y2h1bg\command.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\kernels1118.exe
C:\Program Files\Common Files\{907BA00A-0958-1033-0601-040202050001}\Update.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.ntu.edu.sg/proxy.pac
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7C38565D-E507-4676-903A-4F26BC4B754B} - C:\Program Files\MSN\horeloda.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Layer Services] Msn32e.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zro42981] RUNDLL32.EXE w00225dd.dll,n 0064297b0000000a00225dd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels1118.exe
O4 - HKLM\..\RunServices: [Microsoft Layer Services] Msn32e.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels1118.exe
O4 - HKCU\..\Run: [Microsoft Layer Services] Msn32e.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\o4ns0e57eh.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y2h1bg\command.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
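An added example, not from the thread and not part of HijackThis: a Python triage script that applies, mechanically, the checks a helper makes by eye on the O4 autostart lines of a log like the one above (one name registered in several Run keys, one program under two names, programs or RUNDLL32 DLLs given only as a bare file name, and O2/O20 targets already marked missing). The sample input is copied from that log; the allowlist of acceptable bare names and every heuristic are assumptions of this example, not rules from the site.

```python
"""Triage the autostart (O4) entries of a HijackThis v1.99 log.

Added example for this thread, not part of HijackThis or of the posts.
Each heuristic corresponds to a trait of the Rbot-style entries in the log:
  * one [name] registered under several Run keys at once
    (HKLM Run + HKLM RunServices + HKCU Run)
  * one program registered under two different [names]
  * a program or a RUNDLL32 DLL given as a bare file name, so Windows has
    to find it via the search path instead of an explicit location
  * O2/O20 entries whose target file is already gone ("(file missing)")
"""
import re
from collections import defaultdict

# Sample input: lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7C38565D-E507-4676-903A-4F26BC4B754B} - C:\Program Files\MSN\horeloda.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Layer Services] Msn32e.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zro42981] RUNDLL32.EXE w00225dd.dll,n 0064297b0000000a00225dd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels1118.exe
O4 - HKLM\..\RunServices: [Microsoft Layer Services] Msn32e.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels1118.exe
O4 - HKCU\..\Run: [Microsoft Layer Services] Msn32e.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\o4ns0e57eh.dll (file missing)
"""

# O4 - HIVE\..\Key: [name] command
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")

# Bare names a reviewer accepts without a path (assumption made for this example).
KNOWN_BARE = {"rundll32.exe", "nwiz.exe"}


def split_command(cmd):
    """Split an O4 command into (program, arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    prog, _, args = cmd.partition(" ")
    return prog, args.strip()


def parse_o4(log):
    """Return one dict per O4 line: hive, key, name, exe, args, raw."""
    entries = []
    for raw in log.splitlines():
        m = O4_LINE.match(raw.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        exe, args = split_command(cmd)
        entries.append({"hive": hive, "key": key, "name": name,
                        "exe": exe, "args": args, "raw": raw})
    return entries


def program_of(entry):
    """The thing actually run: the DLL for RUNDLL32 lines, else the executable name."""
    exe = entry["exe"].rsplit("\\", 1)[-1].lower()
    if exe == "rundll32.exe":
        return entry["args"].split(",", 1)[0].strip()
    return exe


def flag_entries(entries):
    """Return (name, 'HIVE\\Key', [reasons]) for every entry a heuristic hits."""
    keys_by_name = defaultdict(list)   # [name] -> autostart keys it sits in
    names_by_prog = defaultdict(set)   # program -> [names] it is registered under
    for e in entries:
        keys_by_name[e["name"]].append(e["hive"] + "\\" + e["key"])
        names_by_prog[program_of(e).lower()].add(e["name"])

    findings = []
    for e in entries:
        reasons = []
        prog = program_of(e)
        locs = keys_by_name[e["name"]]
        if len(locs) > 1:
            reasons.append("[%s] registered under %d keys: %s"
                           % (e["name"], len(locs), ", ".join(locs)))
        aliases = names_by_prog[prog.lower()]
        if len(aliases) > 1:
            reasons.append("%s also registered as %s"
                           % (prog, ", ".join(sorted(aliases - {e["name"]}))))
        if "\\" not in e["exe"] and e["exe"].lower() not in KNOWN_BARE:
            reasons.append("program given as bare name %s, resolved via search path" % e["exe"])
        if e["exe"].lower().endswith("rundll32.exe") and "\\" not in prog:
            reasons.append("RUNDLL32 loads DLL by bare name %s" % prog)
        if reasons:
            findings.append((e["name"], e["hive"] + "\\" + e["key"], reasons))
    return findings


def missing_targets(log):
    """Lines (O2/O20/...) whose target HijackThis already marked '(file missing)'."""
    return [line.strip() for line in log.splitlines() if "(file missing)" in line]


if __name__ == "__main__":
    for name, where, reasons in flag_entries(parse_o4(SAMPLE_LOG)):
        print("%-26s %-18s %s" % (name, where, "; ".join(reasons)))
    for line in missing_targets(SAMPLE_LOG):
        print("missing target:", line)
```

On the sample above the script flags the three "Microsoft Layer Services" entries, the RUNDLL32 line loading w00225dd.dll, and both names that launch kernels1118.exe, while leaving the NVIDIA, AVG and Messenger entries alone.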

edit

Post by 050085 » October 24th, 2006, 1:26 am

By the way, more stuff happening to my comp:
the last time I checked, Task Manager's processor was at 100% so everything lagged..
Little MS-DOS windows keep appearing with some unknown .exe file but I just close them.
AVG is taking very long to scan, like 10 seconds for one file.

How can this happen on a FRESH INSTALL?? Desperately need help here...

Post by Trogan » October 24th, 2006, 12:25 pm

Hi 050085, welcome to Malware Removal!

You have a couple of problems going on, but hopefully we can get them resolved. This likely happened because you did not install AVG anti-virus before connecting to the internet, and also by not having a Firewall (we will get you one soon).

You said you just reformatted your PC, therefore you have no Service Pack for XP on your computer. Before we continue to fix your problems, you need to download and install Service Pack 1a, because without this you will get reinfected immediately after cleanup and we would both be wasting our time.

Download Service Pack 1a from this LINK. Apply the update and reboot your computer once finished.

Important: Do NOT download and install Service Pack 2, because your computer is heavily infected, and doing so may cause your computer to stop working.
______________________________

Once you have Service Pack 1a, you need to get a Firewall. Download one from the list below - They are Free for Personal use!

Zone Alarm << I recommend this
Sunbelt Kerio PF
Outpost Firewall
______________________________

Next, I need you to scan a file so I can get some information on it.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
  • C:\WINDOWS\System32\Msn32e.exe
  • Click on the submit button
  • Save a copy of the results to a convenient place, such as your Desktop.
______________________________

Now I would like to see another log from HijackThis.
  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button.
  • Save the file to your Desktop, with the default name of uninstall_list
  • Copy & Paste the entire contents of that file in your next post.
______________________________

Now that the above has been done, please post the following info:

1) Scan results from Jotti
2) Uninstall list
3) New HijackThis log

New scans

Post by 050085 » October 24th, 2006, 4:11 pm

Rash action - I found a CD of XP Pro with SP2 and did an upgrade... hope it didn't screw anything up?? IE windows have stopped popping up BUT C:\WINDOWS\System32\maxd641.exe still runs in an MS-DOS console.

Msn32e.exe was automatically blocked by winxp upon the first startup.

-----SCAN RESULTS FROM JOTTI-----
File: Msn32e.exe
Status: INFECTED/MALWARE
MD5 8c0be3dd837783bf56a56b641ad0faaa
Packers detected: PE_PATCH, MEWBUNDLE, MEW
Scanner results
AntiVir Found Worm/Rbot.210944
ArcaVir Found nothing
Avast Found Win32:SdBot-gen44
AVG Antivirus Found nothing
BitDefender Found Generic.Sdbot.C2E2C018
ClamAV Found nothing
Dr.Web Found Win32.HLLW.MyBot.based
F-Prot Antivirus Found nothing
Fortinet Found W32/RBot.ZI!tr.bdr
Kaspersky Anti-Virus Found Backdoor.Win32.Rbot.gen
NOD32 Found a variant of Win32/Rbot
Norman Virus Control Found W32/Suspicious_M.gen
VirusBuster Found nothing
VBA32 Found Backdoor.Bifrose.16 (probable variant)


-----UNINSTALL LIST-----
Adobe Flash Player 9 ActiveX
AVG Free Edition
HijackThis 1.99.1
Mozilla Firefox (1.5)
NVIDIA Drivers
Prevx1
Spybot - Search & Destroy 1.4
Windows Live Messenger

-----NEW HIJACKTHIS LOG-----
Logfile of HijackThis v1.99.1
Scan saved at 4:04:54 AM, on 10/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Y2h1bg\command.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Msn32e.exe
C:\WINDOWS\System32\kernels1118.exe
C:\WINDOWS\system32\MsnXp32s.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\{907BA00A-0958-1033-0601-040202050001}\Update.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.ntu.edu.sg/proxy.pac
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7C38565D-E507-4676-903A-4F26BC4B754B} - C:\Program Files\MSN\horeloda.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Layer Services] Msn32e.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zro42981] RUNDLL32.EXE w00225dd.dll,n 0064297b0000000a00225dd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels1118.exe
O4 - HKLM\..\Run: [Microsoft Updates Emulator] MsnXp32s.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Microsoft Layer Services] Msn32e.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels1118.exe
O4 - HKLM\..\RunServices: [Microsoft Updates Emulator] MsnXp32s.exe
O4 - HKCU\..\Run: [Microsoft Layer Services] Msn32e.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Updates Emulator] MsnXp32s.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\o4ns0e57eh.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y2h1bg\command.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

P/S

Post by 050085 » October 24th, 2006, 4:32 pm

Few more things to add...
1) When I start up, a window appears saying "Error loading w00225dd.dll. The specified module could not be found." Is this something important? No recollection of deleting such a file.

2) When I press Ctrl-Alt-Delete, XP says Task Manager has been disabled by your administrator. But I AM the administrator!

Appreciate your help Trogan!

Post by Trogan » October 24th, 2006, 4:58 pm

Hi again 050085! :)

The problems you have are due to the bad infections showing in your log. With that said, there is some bad news. You are infected by Rbot, a worm with backdoor Trojan functionalities. This worm has keylogging capabilities, which means it records whatever you type! Also, it is very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing other rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing what has been done to the computer. Your computer could be completely compromised at this moment. The only certain way to remove whatever has been done is by backing up any personal information and reformatting.

Before deciding on what to do, please do the following immediately...

1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.


Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

If you decide to reformat, make sure you have all the necessary equipment handy.

If you would like to try and clean the computer, then please do the following...


I would like to see another log from HijackThis.
  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button.
  • Save the file to your desktop, with the default name of uninstall_list
  • Copy & Paste the entire contents of that file in your next post.
________________________

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
________________________

Please post the following:

1) Uninstall list
2) ComboFix log
3) New HijackThis log

Post by 050085 » October 24th, 2006, 8:36 pm

Wow, didn't expect the severity... If I reformat, do I have to clean up the partitions as well or just C: where Windows is installed?

Anyway, here are the logs!

-----UNINSTALL LIST-----
Adobe Flash Player 9 ActiveX
AVG Free Edition
HijackThis 1.99.1
Mozilla Firefox (1.5)
NVIDIA Drivers
Spybot - Search & Destroy 1.4
Windows Live Messenger
ZoneAlarm

-----COMBOFIX LOG-----
chun - 06-10-25 8:23:37.65 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Program Files\Mozilla Firefox"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{41DAC38C-C67A-4168-8D00-703047E8E5F2}]
@=""

[HKEY_CLASSES_ROOT\clsid\{41DAC38C-C67A-4168-8D00-703047E8E5F2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{41DAC38C-C67A-4168-8D00-703047E8E5F2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{41DAC38C-C67A-4168-8D00-703047E8E5F2}\InprocServer32]
@="C:\\WINDOWS\\system32\\coyptdll.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\hrns0557e.dll


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\deskbar_e34.exe
C:\Documents and Settings\chun\Local Settings\Temporary Internet Files\Content.IE5\O1MVGDE3\deskbar_e[1].exe
C:\WINDOWS\system32\kernels8.exe
C:\WINDOWS\system32\maxd641.exe
C:\Program Files\ToolBar888
C:\Program Files\Common Files\{907BA00A-0958-1033-0601-040202050001}
C:\WINDOWS\Y2h1bg


((((((((((((((((((((((((((((((( Files Created from 2006-09-25 to 2006-10-25 ))))))))))))))))))))))))))))))))))


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-08-11 21:42 5636096 --a------ C:\WINDOWS\system32\nvoglnt.dll
2006-08-11 21:42 4496128 --a------ C:\WINDOWS\system32\nv4_disp.dll
2006-08-11 21:42 35840 --a------ C:\WINDOWS\system32\nvcodins.dll
2006-08-11 21:42 35840 --a------ C:\WINDOWS\system32\nvcod.dll
2006-08-11 21:42 155715 --a------ C:\WINDOWS\system32\nvsvc32.exe
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Microsoft Layer Services"="Msn32e.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Microsoft Updates Emulator"="MsnXp32s.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Microsoft Layer Services"="Msn32e.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"zro42981"="RUNDLL32.EXE w00225dd.dll,n 0064297b0000000a00225dd"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Microsoft Updates Emulator"="MsnXp32s.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Layer Services"="Msn32e.exe"
"Microsoft Updates Emulator"="MsnXp32s.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Internet Explorer\\kyzexe.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\WindowsUpdate\\howyvysa.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Layer Services"="Msn32e.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Microsoft Updates Emulator"="MsnXp32s.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Microsoft Layer Services"="Msn32e.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Microsoft Updates Emulator"="MsnXp32s.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job

Completion time: 06-10-25 8:25:42.46
C:\ComboFix.txt ... 06-10-25 08:25


-----NEW HIJACKTHIS LOG-----
Logfile of HijackThis v1.99.1
Scan saved at 8:32:16 AM, on 10/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\Msn32e.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\MsnXp32s.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.ntu.edu.sg/proxy.pac
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7C38565D-E507-4676-903A-4F26BC4B754B} - C:\Program Files\MSN\horeloda.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Layer Services] Msn32e.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zro42981] RUNDLL32.EXE w00225dd.dll,n 0064297b0000000a00225dd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Updates Emulator] MsnXp32s.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Microsoft Layer Services] Msn32e.exe
O4 - HKLM\..\RunServices: [Microsoft Updates Emulator] MsnXp32s.exe
O4 - HKCU\..\Run: [Microsoft Layer Services] Msn32e.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Updates Emulator] MsnXp32s.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
050085
Active Member
 
Posts: 12
Joined: October 24th, 2006, 1:03 am
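As an added illustration of what the helpers above are looking for in the O4 (autostart) lines of a HijackThis log, here is a small triage script. It is not code from this thread, from HijackThis or from ComboFix; the sample lines are copied from the log posted above, and the heuristics (bare executable names that Windows must resolve through the search path, rundll32 launching an unqualified DLL, use of the legacy RunServices key, and the same value registered under several hives at once) are my own choice of what is worth a second look, not a verdict on any single entry.

```python
"""Triage helper for HijackThis O4 (autostart) lines.

Added example, not a tool from the thread or from HijackThis itself.
It parses lines of the form

    O4 - HKLM\\..\\Run: [Value name] command line

and reports entries that match patterns a reviewer checks first.
"""
import re
from collections import defaultdict

# hive\..\key: [value name] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Constructed sample: O4 lines copied from the HijackThis log quoted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Layer Services] Msn32e.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zro42981] RUNDLL32.EXE w00225dd.dll,n 0064297b0000000a00225dd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Updates Emulator] MsnXp32s.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Microsoft Layer Services] Msn32e.exe
O4 - HKLM\..\RunServices: [Microsoft Updates Emulator] MsnXp32s.exe
O4 - HKCU\..\Run: [Microsoft Layer Services] Msn32e.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Updates Emulator] MsnXp32s.exe
"""


def parse_o4(line):
    """Return a dict with hive/key/name/cmd, or None for non-registry O4 lines."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def first_token(cmd):
    """Executable part of a command line: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_bare_name(path):
    """True when no directory is given, so the loader searches the PATH for it."""
    return "\\" not in path and "/" not in path and ":" not in path


def rundll_target(cmd):
    """For rundll32 commands, the DLL argument (before the ',EntryPoint')."""
    parts = cmd.split(None, 1)
    if len(parts) == 2 and parts[0].upper() in ("RUNDLL32.EXE", "RUNDLL32"):
        return parts[1].split(",", 1)[0].strip()
    return None


def triage(log_text):
    """Map value name -> sorted list of reasons the entry deserves review."""
    reasons = defaultdict(set)
    locations = defaultdict(set)  # (name, cmd) -> hives/keys it is registered in
    for line in log_text.splitlines():
        e = parse_o4(line)
        if e is None:
            continue
        locations[(e["name"], e["cmd"])].add(e["hive"] + "\\" + e["key"])
        if e["key"].lower() == "runservices":
            reasons[e["name"]].add("legacy RunServices key")
        dll = rundll_target(e["cmd"])
        if dll is not None:
            if is_bare_name(dll):
                reasons[e["name"]].add("rundll32 with unqualified DLL")
        elif is_bare_name(first_token(e["cmd"])):
            reasons[e["name"]].add("unqualified executable")
    for (name, _cmd), hives in locations.items():
        if len(hives) >= 3:
            reasons[name].add("registered in %d autostart locations" % len(hives))
    return {name: sorted(r) for name, r in reasons.items()}


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG).items():
        print("%-28s %s" % (name, "; ".join(why)))
```

Run against the sample, the two fake "Microsoft" entries stand out on all three counts, while `nwiz` is flagged only for its bare name: that is a prompt to confirm where `nwiz.exe` actually resolves (it is NVIDIA's, living in system32), not a judgement, which is why the script reports reasons rather than a clean/infected verdict.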

Unread postby Trogan » October 24th, 2006, 8:43 pm

Hi 050085! You will only need to format the C: Drive, since that is where the infection is.

Please let me know what you want to do, before we continue.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby 050085 » October 25th, 2006, 12:42 am

Hi trogan,
I guess it would be easier to format C: and won't trouble you so much. :)

Am I right to say that when I reinstall XP again I'll have to plug out the internet connection and reinstall all the programs (Spybot, ZoneAlarm, AVG etc.) before I connect to the net?
Please advise on any other precautions I should take. Thanks!
050085
Active Member
 
Posts: 12
Joined: October 24th, 2006, 1:03 am

Unread postby Trogan » October 25th, 2006, 10:52 am

Hi 050085! It's no trouble for me to help you, but knowing the infection that is present, it is best to reformat.

What you should do is download a copy of the Installation files for AVG and Zone Alarm to a CD, or USB memory stick. Once reformatted, connect to the Internet BUT DO NOT go online. First thing you need to do is install AVG and Zone Alarm. After that, install Service Pack 2.

Here are some other measures you can take, after reformatting, to stay more secure online:

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download Firefox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera.

Install, and keep updated, Ad-Aware SE and Spybot Search & Destroy.
Run them both on a regular basis, following the manufacturer's recommendations.

Install, and keep updated, SpywareBlaster and SpywareGuard.

After reformatting, you can post a new HijackThis log, and I will check to make sure it is clean.

Otherwise, let me know if I can help with anything else.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Formatted computer

Unread postby 050085 » October 25th, 2006, 3:00 pm

Hi trogan,
I formatted C: and installed the protection before going online.
Currently downloading the spyware programs now.
So far there have been no major issues aside from ONE party poker popup from Firefox. AVG and ZoneAlarm did not warn about that...

Anyway, here is my latest HijackThis log, hope I'm finally clean!

Logfile of HijackThis v1.99.1
Scan saved at 2:57:35 AM, on 10/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
F:\PROGRA~1\Valve\Steam\Steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
F:\Program Files\Miranda IM\miranda32.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
F:\temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.ntu.edu.sg/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CmiRemoveDir] C:\WINDOWS\CMIRMR~1.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] F:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [updateMgr] F:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
050085
Active Member
 
Posts: 12
Joined: October 24th, 2006, 1:03 am

Unread postby Trogan » October 25th, 2006, 4:07 pm

Your log is clean, and much better looking than before. :thumbleft:

Let me know if I can help with anything else, or if we can archive this thread.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby NonSuch » October 26th, 2006, 4:16 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California