# Infected with WinReanimator



## GTROCKER (Aug 21, 2007)

Hello... I need help to remove WinReanimator from my computer. It's slowing my system down to a crawl. I ran Kaspersky Virus Scan and it found:
Trojan-Downloader.Win32.FraudLoad.X, Trojan-DownLoader.Win32.Lastad.h, Trojan.Win32.Pakes.cjm and Trojan-Spy.Win32.Zbot.amb
I also have no access to my Task Manager now. I'm using Windows XP. Please help!! Thank you!

GTROCKER


----------



## Jintan (Oct 4, 2007)

Hello GTROCKER,

Right off I need you to not make any more new requests, to keep from bogging things down here. Let's see what all is loaded there, then decide on repairs.

Please download HijackThis from Here. Then click on the downloaded file to install HijackThis. After it is installed open HijackThis and select Do a system scan and save logfile. Use copy/paste and post that log back here for review.

Also go Here and download *Silent Runners* to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and *will notify when the scan is complete*. Copy the log from the Startup Programs file back here. You can use separate posts here if needed.


----------



## GTROCKER (Aug 21, 2007)

Hello Jintan,

Thank you for your reply. Sorry about the duplicate request. My Task Manager is suddenly working again and after running more antivirus scans, the computer seems to be running a little better. I still see WinReanimator and Braviax in the System Config Utility Start Up. Here is the log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:58 PM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\common files\aol\1131511753\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\AOL\1131511753\ee\aolsoftware.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\AOL\1131511753\ee\aolsoftware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [tjrjnnfn] rundll32.exe "C:\WINDOWS\TEMP\mscbmlcje.dll" WLEntryPoint
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [AOLAspSunset] "C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [onadoj] rundll32.exe "C:\WINDOWS\system32\mmcrmtsbq.nls" WLEntryPoint
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183763861125
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tsnqpoj - C:\WINDOWS\SYSTEM32\tsnqpoj.dll
O21 - SSODL: altvxvm - {5672A077-15AE-48C0-A4EC-58D4D6D2DFF1} - C:\WINDOWS\altvxvm.dll (file missing)
O21 - SSODL: CDWin - {39e884ff-1588-4bf2-a2f6-796d87d05f72} - C:\WINDOWS\Installer\{39e884ff-1588-4bf2-a2f6-796d87d05f72}\CDWin.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Centrino2 - Unknown owner - C:\WINDOWS\System32\VsTaskMngr.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O24 - Desktop Component 0: Privacy Protection - about:home

--
End of file - 10248 bytes



----------



## GTROCKER (Aug 21, 2007)

Here is the Silent Runner log:

"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"onadoj" = "rundll32.exe "C:\WINDOWS\system32\mmcrmtsbq.nls" WLEntryPoint" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"PrinTray" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" ["Lexmark"]
"tjrjnnfn" = "rundll32.exe "C:\WINDOWS\TEMP\mscbmlcje.dll" WLEntryPoint" [MS]
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"" ["Kaspersky Lab"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"Pure Networks Port Magic" = ""C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run" ["Pure Networks, Inc."]
"lxczbmgr.exe" = ""C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"" ["Lexmark International, Inc."]
"jdgf894jrghoiiskd" = "C:\WINDOWS\TEMP\winlogan.exe" [file not found]
"HostManager" = "C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe" ["AOL LLC"]
"AOLDialer" = ""C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"" ["AOL LLC"]
"AOLAspSunset" = ""C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe"" [file not found]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
"FaxCenterServer" = ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s" [empty string]
"BCMSMMSG" = "BCMSMMSG.exe" ["Broadcom Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{C5AF49A2-94F3-42BD-F434-2604812C897D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "C:\WINDOWS\system32\jfiehayd.dll"
\InProcServer32\(Default) = "C:\WINDOWS\system32\jfiehayd.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{6EE51AA0-77A0-11D7-B4E1-000347126E46}" = "Window Washer Shredding Utility"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{7CDDBD23-1B50-47b2-B28D-1B84D9A40ED1}" = "Sony Digital Voice File Shell Extention Module"
-> {HKLM...CLSID} = "Sony Digital Voice File Shell Extention Module"
\InProcServer32\(Default) = "IcdShlex.dll" ["Sony Corporation"]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus statistics"
-> {HKLM...CLSID} = "Web Anti-Virus statistics"
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{C5AF49A2-94F3-42BD-F434-2604812C897D}" = "jhsf8d984jief8dsfus98jkefn"
-> {HKLM...CLSID} = "C:\WINDOWS\system32\jfiehayd.dll"
\InProcServer32\(Default) = "C:\WINDOWS\system32\jfiehayd.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
"altvxvm" = "{5672A077-15AE-48C0-A4EC-58D4D6D2DFF1}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\altvxvm.dll" [file not found]
"CDWin" = "{39e884ff-1588-4bf2-a2f6-796d87d05f72}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\Installer\{39e884ff-1588-4bf2-a2f6-796d87d05f72}\CDWin.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Command Processor\
<<!>> "AutoRun" = "rundll32.exe "C:\WINDOWS\TEMP\mcipgb.nls" WLEntryPoint" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Aedebug\
<<!>> "Debugger" = ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\vs7jit.exe" -p %ld -e %ld" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Taskman" = "rundll32.exe "C:\WINDOWS\system32\iasdkreps.sys" WLEntryPoint" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]|"stera" [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]
<<!>> tsnqpoj\DLLName = "tsnqpoj.dll" [MS]
<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]
Washer\(Default) = "{6EE51AA0-77A0-11D7-B4E1-000347126E46}"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
Washer\(Default) = "{6EE51AA0-77A0-11D7-B4E1-000347126E46}"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

Default executables:
--------------------

HKLM\SOFTWARE\Classes\.exe\(Default) = "exefile"
<<!>> HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) = "rundll32.exe "C:\WINDOWS\TEMP\modealgji.sys" WLEntry %1 %*" [MS]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"ClassicShell" = (REG_DWORD) dword:0x00000000
{Enable Classic Shell / Turn on Classic Shell}

"NoFolderOptions" = (REG_DWORD) dword:0x00000001
{Removes the Folder Options menu item from the Tools menu}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableTaskMgr" = (REG_DWORD) dword:0x00000000
{Remove Task Manager}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000001
{Prevent access to registry editing tools}

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

"NoSplash" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\

"Disable Config" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
"{DE9C389F-3316-41A7-809B-AA305ED9D922}" = "AOL Toolbar"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Web Anti-Virus statistics"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]

{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Web Anti-Virus statistics"

{3369AF0D-62E9-4BDA-8103-B4C75499B578}\
"ButtonText" = "AOL Toolbar"
"CLSIDExtension" = "{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EA756889-2338-43DB-8F07-D1CA6FB9C90D}" = (no title provided)
-> {HKLM...CLSID} = "AOLTBSearch Class"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe" ["Lavasoft AB"]
AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["AOL LLC"]
Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
Bonjour Service, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
lxcz_device, lxcz_device, "C:\WINDOWS\system32\lxczcoms.exe -service" [" "]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Webroot Spy Sweeper Engine, WebrootSpySweeperService, "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" ["Webroot Software, Inc."]
Window Washer Engine, wwEngineSvc, "C:\Program Files\Webroot\Washer\WasherSvc.exe" ["Webroot Software, Inc."]

Keyboard Driver Filters:
------------------------

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "SSKBFD" ["Webroot Software Inc (www.webroot.com)"]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
1200 Series Port\Driver = "lxczlmpm.dll" [" "]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [empty string]

---------- (launch time: 2008-03-20 12:08:23)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 186 seconds, including 24 seconds for message boxes)
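
The two logs in this thread (the HijackThis log in the previous post and the Silent Runners log above) are read by hand by the helper, and the things that stand out are the same every time: entries that point at files which no longer exist, programs started from a TEMP directory, rundll32.exe loading a file whose name ends in .nls or .sys (rundll32 does not care about the extension, so this is a common way to hide a DLL), non-default values at hooks that normally hold only defaults (the exefile open command, the cmd.exe AutoRun, Winlogon Taskman, AppInit_DLLs, BootExecute), and policies that lock the user out of Task Manager or regedit, which matches the symptom reported in the first post. The Python script below is an added example, not part of this thread and not code from HijackThis or Silent Runners; it applies those checks to sample lines copied from the two logs. The rule names, labels and the two SAMPLE_* inputs are constructed for the example, and a flagged line means "review this", not "this is malware" (a security product's own Winlogon Notify DLL will be flagged too).

```python
import ntpath
import re
from typing import List, Tuple

# Constructed sample input: a handful of lines copied from the two logs posted
# in this thread, with a few benign entries kept so the checks have something to pass.
SAMPLE_HIJACKTHIS = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [tjrjnnfn] rundll32.exe "C:\WINDOWS\TEMP\mscbmlcje.dll" WLEntryPoint
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKLM\..\Policies\Explorer\Run: [onadoj] rundll32.exe "C:\WINDOWS\system32\mmcrmtsbq.nls" WLEntryPoint
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: tsnqpoj - C:\WINDOWS\SYSTEM32\tsnqpoj.dll
O21 - SSODL: altvxvm - {5672A077-15AE-48C0-A4EC-58D4D6D2DFF1} - C:\WINDOWS\altvxvm.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

SAMPLE_SILENT_RUNNERS = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"jdgf894jrghoiiskd" = "C:\WINDOWS\TEMP\winlogan.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Command Processor\
<<!>> "AutoRun" = "rundll32.exe "C:\WINDOWS\TEMP\mcipgb.nls" WLEntryPoint" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Taskman" = "rundll32.exe "C:\WINDOWS\system32\iasdkreps.sys" WLEntryPoint" [MS]

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableTaskMgr" = (REG_DWORD) dword:0x00000000
"DisableRegistryTools" = (REG_DWORD) dword:0x00000001

HKLM\SOFTWARE\Classes\.exe\(Default) = "exefile"
<<!>> HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) = "rundll32.exe "C:\WINDOWS\TEMP\modealgji.sys" WLEntry %1 %*" [MS]
"""

# rundll32.exe <module> ... ; the module may be quoted (paths with spaces) or bare.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Lock-out policies in HijackThis ("DisableRegedit=1") or Silent Runners (REG_DWORD ... 0x00000001) form.
POLICY_RE = re.compile(
    r'(DisableTaskMgr|DisableRegistryTools|DisableRegedit|NoFolderOptions)"?\s*=\s*'
    r'(?:\(REG_DWORD\)\s*dword:0x0*1\b|1\b)',
    re.IGNORECASE,
)
# Launch points that normally hold only defaults; matched (lower-cased) against key path + value.
# Labels are constructed for this example.
SENSITIVE_HOOKS = [
    ("exefile\\shell\\open\\command", "EXE file association (runs for every .exe launched)"),
    ("command processor", "cmd.exe AutoRun (runs for every command prompt)"),
    ('"taskman"', "Winlogon Taskman (replaces Task Manager)"),
    ("winlogon notify", "Winlogon Notify DLL (loaded into winlogon.exe)"),
    ("appinit_dlls", "AppInit_DLLs (loaded into every process that uses user32)"),
    ("bootexecute", "BootExecute (runs before logon)"),
]


def analyze(line: str, context: str = "") -> List[str]:
    """Return the reasons one log line deserves a human look; empty list means nothing found."""
    reasons: List[str] = []
    low = line.lower()
    scope = (context + " " + line).lower()  # registry key (if known) plus the value line

    if "(file missing)" in low or "[file not found]" in low:
        reasons.append("launch point refers to a file that no longer exists (dangling entry)")
    if "\\temp\\" in low:
        reasons.append("program is launched from a TEMP directory")
    m = RUNDLL_RE.search(line)
    if m:
        ext = ntpath.splitext(m.group(1) or m.group(2))[1].lower()
        if ext != ".dll":
            reasons.append(f"rundll32 loads a module named with {ext or 'no extension'} rather than .dll")
    for needle, label in SENSITIVE_HOOKS:
        if needle in scope:
            reasons.append(f"non-default value at a sensitive hook: {label}")
            break
    if POLICY_RE.search(line):
        reasons.append("policy locks the user out of a recovery tool (Task Manager, regedit, Folder Options)")
    if line.startswith("<<!>>"):
        reasons.append("already marked <<!>> by Silent Runners")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Walk a HijackThis or Silent Runners log; keep only the lines with at least one reason."""
    findings: List[Tuple[str, List[str]]] = []
    context = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Silent Runners prints the registry key on its own line, then the values beneath it.
        header = line.replace("{++}", "").strip()
        if header.upper().startswith("HK") and header.endswith("\\"):
            context = header
            continue
        reasons = analyze(line, context)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for name, text in (("HijackThis", SAMPLE_HIJACKTHIS), ("Silent Runners", SAMPLE_SILENT_RUNNERS)):
        found = triage(text)
        print(f"== {name}: {len(found)} line(s) to review ==")
        for line, reasons in found:
            print(line)
            for reason in reasons:
                print("    -", reason)
```

Run it as-is to see the two sample logs reduced to the lines worth reading; to apply it to a real log, pass the pasted text to triage(). The registry key from Silent Runners is carried as context so that a value line such as "AutoRun" can be judged by the key it lives under, which a line-by-line grep would miss.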


----------



## Jintan (Oct 4, 2007)

Ouch - two antivirus programs at once with Avast and AVG there. Although this system is also suffering from some tough infection, you need to uninstall one of those now or we will hit a brick wall during repairs. Too many conflicts and issues as is. Then make very sure SpySweeper is either disabled or uninstalled - it has overlapping protection with your AV software and also can bring conflicts (your choice on that, and it can be reinstalled later, but be sure it is out of the way).

Once you have completed that, to keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Download SDFix.exe and save it to your desktop. However, I would like you to rename the file as you download it (do not download it directly without renaming it). Rename the download file to george.exe, so george.exe is downloaded and saved to your desktop.

===================================================

Reboot into *Safe Mode* (at startup tap the F8 key and select Safe Mode).

Click on the renamed SDFix file george.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click *RunThis.bat* to start the script.

Next type *Y* to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

When the desktop loads, the Fixtool will complete the removal and display *Finished*, then press any key to end the script and load your desktop icons.

Then open the C:\SDFix folder and copy and paste the contents of the results file *Report.txt* back here.

=============================

After the reboot Download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it). For this rename the downloading file to matt.exe, then click the renamed matt.exe to run that scan.

When starting, ComboFix will cause your computer's internal speakers to produce two beeps, and during the start process display two warnings. These are intended to discourage people who are not getting help in the forum from just experimenting with tools they do not understand. Just to inform you so you will understand that the procedures are expected, and okay.

ComboFix will also change the drive autoplay settings there as its own added security measure. When we have completed all repairs here we will return the default Windows settings.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop; however, given the infection there, ComboFix will likely cause a reboot in order to complete its repairs.

(ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)

Post back the C:\ComboFix.txt log as well as the SDFix Report.txt and a new HijackThis log please.


----------



## GTROCKER (Aug 21, 2007)

Here is the Combofix log:

ComboFix 08-03-20.5 - Owner 2008-03-20 18:57:15.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.83 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\matt.exe.exe
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\sxvbotak.dat
C:\WINDOWS\system32\tsnqpoj.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KZRRSIHR
-------\Service_kzrrsihr

((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.

2008-03-20 18:14 . 2008-03-20 18:14 d--------	C:\WINDOWS\ERUNT
2008-03-20 18:03 . 2008-03-20 18:36 d--------	C:\SDFix
2008-03-20 09:50 . 2008-03-20 09:50 d--------	C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-19 00:40 . 2008-03-19 00:40 d--------	C:\Program Files\Security Task Manager
2008-03-19 00:40 . 2008-03-19 00:45 d--------	C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-18 23:25 . 2008-03-18 23:26 d--------	C:\Documents and Settings\Owner\Application Data\MSN6
2008-03-18 23:25 . 2008-03-18 23:25 d--------	C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-18 18:04 . 2008-03-18 18:05 d--------	C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-17 23:20 . 2008-03-17 23:20 d--------	C:\WINDOWS\system32\SuperAdBlocker.com
2008-03-17 15:32 . 2008-03-17 15:32 d--------	C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-17 15:31 . 2008-03-17 15:31 d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-03-17 15:31 . 2008-03-17 15:31 d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-17 15:30 . 2008-03-17 15:30 d--------	C:\Program Files\Common Files\Download Manager
2008-03-17 15:06 . 2007-12-04 09:51	42,912	--a------	C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-17 15:06 . 2007-12-04 09:49	26,624	--a------	C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-17 15:06 . 2007-12-04 09:53	23,152	--a------	C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-17 15:05 . 2007-12-04 07:54	95,608	--a------	C:\WINDOWS\system32\AvastSS.scr
2008-03-17 15:03 . 2007-12-04 09:55	94,544	--a------	C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-17 15:03 . 2007-12-04 09:56	93,264	--a------	C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-17 15:01 . 2007-12-04 08:04	837,496	--a------	C:\WINDOWS\system32\aswBoot.exe
2008-03-17 15:01 . 2004-01-09 04:13	380,928	--a------	C:\WINDOWS\system32\actskin4.ocx
2008-03-17 10:52 . 2008-03-17 11:07	91,700	--a------	C:\WINDOWS\system32\drivers\klin.dat
2008-03-17 10:52 . 2008-03-17 11:07	85,860	--a------	C:\WINDOWS\system32\drivers\klick.dat
2008-03-17 10:51 . 2008-03-17 10:51 d--------	C:\Program Files\Kaspersky Lab
2008-03-17 10:51 . 2008-03-20 18:38 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-17 10:51 . 2008-03-20 19:04	3,829,536	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-17 10:51 . 2008-03-20 19:04	49,148	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-17 10:51 . 2008-03-20 19:04	35,104	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-17 10:51 . 2008-03-20 19:04	4,172	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.idx
2008-03-17 10:42 . 2008-03-17 10:42 d--------	C:\KAV
2008-03-15 23:31 . 2008-03-18 08:32 d--------	C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-15 23:30 . 2008-03-15 23:30 d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-15 23:29 . 2008-03-20 16:23 d--------	C:\Documents and Settings\All Users\Application Data\avg7
2008-03-15 22:32 . 2003-07-16 16:24	4,224	--a------	C:\WINDOWS\system32\drivers\beep.sys
2008-03-15 22:32 . 2003-07-16 16:24	4,224	--a--c---	C:\WINDOWS\system32\dllcache\beep.sys
2008-03-15 08:50 . 2008-03-15 08:50	19,103	--a------	C:\Documents and Settings\Owner\Application Data\jykiquc.com
2008-03-15 08:50 . 2008-03-15 08:50	18,453	--a------	C:\Program Files\Common Files\uqyliramos.sys
2008-03-15 08:50 . 2008-03-15 08:50	17,817	--a------	C:\Program Files\Common Files\ehurawole.bat
2008-03-15 08:50 . 2008-03-15 08:50	13,373	--a------	C:\Documents and Settings\All Users\Application Data\ybugy.pif
2008-03-15 08:50 . 2008-03-15 08:50	10,337	--a------	C:\Documents and Settings\Owner\Application Data\zisawobur.bin
2008-03-15 08:37 . 2007-06-13 06:23	114,688	--a------	C:\WINDOWS\system32\modealgji.sys
2008-03-15 08:34 . 2008-03-15 08:34	88	--a------	C:\WINDOWS\system32\delself.bat
2008-03-08 16:04 . 2008-03-08 16:04 d--------	C:\Program Files\iPod
2008-03-08 16:03 . 2008-03-08 16:04 d--------	C:\Program Files\iTunes
2008-03-08 16:01 . 2008-03-08 16:01 d--------	C:\Program Files\Bonjour
2008-03-08 16:00 . 2008-03-08 16:01 d--------	C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-20 20:52	---------	d-----w	C:\Program Files\Webroot
2008-03-20 20:43	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Webroot
2008-03-20 20:43	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-20 13:51	---------	d-----w	C:\Program Files\Common Files\AOL
2008-03-18 03:40	---------	d-----w	C:\Program Files\SUPERAntiSpyware
2008-03-18 03:39	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-03-16 16:48	---------	d-----w	C:\Program Files\Enigma Software Group
2008-03-15 12:50	17,274	----a-w	C:\WINDOWS\yzytac.sys
2008-03-15 12:50	14,901	----a-w	C:\WINDOWS\tusigytys.reg
2008-03-15 12:50	14,749	----a-w	C:\WINDOWS\system32\osany.bat
2008-03-15 12:50	14,537	----a-w	C:\WINDOWS\system32\pajewa.bin
2008-03-15 12:50	12,978	----a-w	C:\WINDOWS\system32\fujama.com
2008-03-15 12:50	12,924	----a-w	C:\WINDOWS\system32\uxymex.bat
2008-03-15 12:50	12,398	----a-w	C:\WINDOWS\system32\yqut.com
2008-03-15 12:50	10,291	----a-w	C:\WINDOWS\system32\ixuti.exe
2008-03-09 16:41	---------	d-----w	C:\Program Files\Sony
2008-03-04 02:26	---------	d-----w	C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-02-20 02:15	---------	d-----w	C:\Program Files\AIM
2007-12-28 18:27	164	----a-w	C:\install.dat
2006-07-01 18:42	3,796	-c--a-w	C:\Documents and Settings\Owner\Application Data\FNTCACHE.BIN
2006-04-26 04:11	17,144	-c--a-w	C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2001-07-26 23:58	47	-c--a-w	C:\Program Files\ACMonitor_X73.ini
2001-07-05 19:46	8,116	-c--a-w	C:\Program Files\OSLO3071b2.USB
2001-05-11 18:39	53,248	-c--a-w	C:\Program Files\ACMonitor_X73.exe
2001-05-08 23:36	114,688	-c--a-w	C:\Program Files\lxarscan.dll
2001-04-23 21:22	1,437	-c--a-w	C:\Program Files\gtx73.ini
2001-02-22 16:54	768	-c--a-w	C:\Program Files\x73_lut.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5AF49A2-94F3-42BD-F434-2604812C897D}]
C:\WINDOWS\system32\jfiehayd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 18:08 67160]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 15:51 118784]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 15:55 155648]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 03:42 36864]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2007-01-29 23:02 200768]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 20:54 99480]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 18:52 74672]
"HostManager"="C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe" [2007-10-08 17:50 41824]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"AOLAspSunset"="C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe" [ ]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 18:56 295856]
"BCMSMMSG"="BCMSMMSG.exe" [2002-12-17 15:03 90112 C:\WINDOWS\BCMSMMSG.exe]
"njjnrfrj"="C:\WINDOWS\TEMP\msxmlrjjr.dll" [2007-06-13 06:23 114688]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 05:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"bfbnrr"= rundll32.exe "C:\WINDOWS\system32\mmcrmtsbq.nls" WLEntryPoint

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"= C:\WINDOWS\system32\jfiehayd.dll [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CDWin"= {39e884ff-1588-4bf2-a2f6-796d87d05f72} - C:\WINDOWS\Installer\{39e884ff-1588-4bf2-a2f6-796d87d05f72}\CDWin.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
C:\Program Files\antiviirus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fbrjjbjj]
C:\WINDOWS\TEMP\mscbmlcje.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jjrbbffr]
C:\WINDOWS\TEMP\mscbmlcje.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\njbfjjbb]
C:\WINDOWS\TEMP\mscbmlcje.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\onaporit]
C:\WINDOWS\TEMP\mscbmlcje.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Piolet]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2005-01-07 04:04 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rfrbrffn]
C:\WINDOWS\TEMP\mscbmlcje.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Cleaner]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-29 16:03 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinReanimator]
C:\Program Files\WinReanimator\WinReanimator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\lxczcoms.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27692:TCP"= 27692:TCPxpsp2res.dll,-22004
"45515:TCP"= 45515:TCPxpsp2res.dll,-22004
"31957:TCP"= 31957:TCPxpsp2res.dll,-22004
"14808:TCP"= 14808:TCPxpsp2res.dll,-22004
"5307:TCP"= 5307:TCPxpsp2res.dll,-22004

R2 lxcz_device;lxcz_device;C:\WINDOWS\system32\lxczcoms.exe [2007-02-08 18:50]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-08-09 13:56]
S2 Intel Centrino2;Intel Centrino2;C:\WINDOWS\System32\VsTaskMngr.exe []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-20 17:22:34 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 19:06:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
c:\program files\common files\aol\1131511753\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-20 19:17:58 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-03-20 23:17:50
ComboFix2.txt 2007-08-21 18:47:39
.
2008-03-12 03:22:20	--- E O F ---


----------



## GTROCKER (Aug 21, 2007)

Here is the SDFix report and the latest ComboFix log:

*SDFix: Version 1.159 *

Run by Owner on Thu 03/20/2008 at 06:17 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

*Checking Services *:

Name:
pzqlp

Path:
\??\C:\WINDOWS\Help\pzqlp.chm

pzqlp - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting

*Checking Files *:

Trojan Files Found:

C:\678796~1 - Deleted
C:\WINDOWS\system32\KBRunOnce2.t__ - Deleted
C:\WINDOWS\rs.txt - Deleted

Folder C:\Program Files\Helper - Removed

Removing Temp Files

*ADS Check *:

*Final Check *:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 18:31:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

*Remaining Services *:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*isabled:Firefox"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\WINDOWS\\system32\\lxczcoms.exe"="C:\\WINDOWS\\system32\\lxczcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

*Remaining Files *:

File Backups: - C:\SDFix\backups\backups.zip

*Files with Hidden Attributes *:

Fri 7 May 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Fri 7 May 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Fri 7 May 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Mon 9 Oct 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 16 Nov 2006 22,016 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0004.tmp"
Fri 8 Dec 2006 22,016 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0072.tmp"
Sun 11 Feb 2007 33,280 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0117.tmp"
Wed 22 Feb 2006 19,968 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0222.tmp"
Sat 10 Feb 2007 19,968 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0486.tmp"
Fri 8 Dec 2006 21,504 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0705.tmp"
Sat 23 Apr 2005 21,504 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0718.tmp"
Sat 10 Feb 2007 33,280 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0803.tmp"
Tue 27 Feb 2007 20,992 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0962.tmp"
Tue 1 May 2007 22,528 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL1104.tmp"
Thu 27 Apr 2006 199,680 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL1299.tmp"
Fri 5 Jan 2007 22,016 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL1403.tmp"
Wed 19 Jul 2006 23,040 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2162.tmp"
Tue 27 Feb 2007 21,504 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2390.tmp"
Wed 19 Jul 2006 21,504 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2482.tmp"
Tue 27 Feb 2007 22,528 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2517.tmp"
Wed 19 Jul 2006 26,624 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3483.tmp"
Wed 22 Feb 2006 24,064 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3549.tmp"
Mon 4 Dec 2006 20,480 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3743.tmp"
Thu 4 May 2006 265,216 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3862.tmp"
Thu 30 Nov 2006 28,160 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3874.tmp"
Wed 19 Jul 2006 22,528 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3976.tmp"
Mon 8 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Mon 9 Jul 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\19525589545ebdc47d68693afa9f982d\BIT122.tmp"
Thu 27 Apr 2006 29,696 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2279.tmp"
Sat 29 Apr 2006 28,160 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3736.tmp"
Mon 9 Oct 2006 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Sun 5 Aug 2007 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 18 Jul 2007 400 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"
Sun 5 Aug 2007 1,536 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2lic.bak"
Tue 8 Feb 2005 49,386 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\VisualStudio\7.1\vs000223.tmp"

*Finished!*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:25 PM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
c:\program files\common files\aol\1131511753\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1131511753\ee\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [AOLAspSunset] "C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [njjnrfrj] rundll32.exe "C:\WINDOWS\TEMP\mscjbp.drv" WLEntryPoint
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [bfbnrr] rundll32.exe "C:\WINDOWS\system32\mmcrmtsbq.nls" WLEntryPoint
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183763861125
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: CDWin - {39e884ff-1588-4bf2-a2f6-796d87d05f72} - C:\WINDOWS\Installer\{39e884ff-1588-4bf2-a2f6-796d87d05f72}\CDWin.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Centrino2 - Unknown owner - C:\WINDOWS\System32\VsTaskMngr.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 8956 bytes


----------



## GTROCKER (Aug 21, 2007)

That last post was the SDFix report and the latest HijackThis report (not ComboFix...sorry for the error).


----------



## Jintan (Oct 4, 2007)

Look at all those randomly named malware files. Reminds me of the old line about an infinite number of monkeys and typewriters - if malware coders keep it up someday their files will spell out the Da Vinci code or some other revelation. But for now let's remove their handiwork completely. Making good progress so far.

Be sure to continue to temporarily disable any protective software when running the scan tools we use here.

Open notepad (go to Start, Run, type *notepad* and press Enter) and copy/paste the text in the codebox below into it:


```
File::
C:\Documents and Settings\Owner\Application Data\jykiquc.com
C:\Program Files\Common Files\uqyliramos.sys
C:\Program Files\Common Files\ehurawole.bat
C:\Documents and Settings\All Users\Application Data\ybugy.pif
C:\Documents and Settings\Owner\Application Data\zisawobur.bin
C:\WINDOWS\system32\modealgji.sys
C:\WINDOWS\system32\delself.bat
C:\WINDOWS\yzytac.sys
C:\WINDOWS\tusigytys.reg
C:\WINDOWS\system32\osany.bat
C:\WINDOWS\system32\pajewa.bin
C:\WINDOWS\system32\fujama.com
C:\WINDOWS\system32\uxymex.bat
C:\WINDOWS\system32\yqut.com
C:\WINDOWS\system32\ixuti.exe
C:\WINDOWS\system32\jfiehayd.dll
C:\WINDOWS\system32\mmcrmtsbq.nls
C:\Program Files\antiviirus.exe
C:\WINDOWS\TEMP\mscbmlcje.dll
Folder::
C:\WINDOWS\TEMP
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5AF49A2-94F3-42BD-F434-2604812C897D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"njjnrfrj"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"bfbnrr"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CDWin"=
[-HKEY_CLASSES_ROOT\CLSID\{39e884ff-1588-4bf2-a2f6-796d87d05f72}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{39e884ff-1588-4bf2-a2f6-796d87d05f72}]
[-HKEY_CLASSES_ROOT\TypeLib\{39e884ff-1588-4bf2-a2f6-796d87d05f72}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fbrjjbjj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jjrbbffr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\njbfjjbb]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\onaporit]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Piolet]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rfrbrffn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Cleaner]
```
Save this to your desktop as *"CFScript"*

(include the "quotation marks" with the name)

You should now have both ComboFix and that CFScript on the desktop. Just left click/hold on the CFScript file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-----------------------------

Go here and download the free version of SUPERAntiSpyware and install it.

After installation accept any prompts to allow SUPERAntiSpyware to install the latest infection definition files. Next follow the prompts to complete the installation. For now, uncheck the option to have SUPERAntiSpyware "Automatically check for program and definition updates". Providing an email address and allowing the software to send diagnostic reports to its research center are up to you. Do NOT allow SUPERAntiSpyware to Protect your Home Page settings.

Once the installation is complete open SUPERAntiSpyware and press the *Preferences* button. Under the General and Startup tab, uncheck the following (leaving all other settings as is).

*Start-up Options:*
*Start SUPERAntiSpyware when Windows starts

*Automatic Updates:*
*Check for program updates when the application starts.
*Start-up Scanning:*
*Check for updates before scanning on startup.

Then select Close. Don't scan just yet though.

Also go Here and download ATF Cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.

===============================================

Reboot into *Safe Mode* (at startup tap the F8 key and select Safe Mode).

Open SUPERAntiSpyware and click the *Scan your Computer* button. You may need to start SUPERAntiSpyware, then right click the Taskbar icon (the little bug shaped icon) and select "Scan for Spyware, Adware, Malware..." to access the scan panel. Making sure that Fixed Drive (NTFS) is checked (typically the C Drive), check "Perform Complete Scan", then click Next. SUPERAntiSpyware will now complete a system scan.

SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found. Make sure that they all have a check next to them and click Next. If prompted allow the reboot (or manually reboot at this time), and after the reboot open SUPERAntiSpyware again (double click the bug-shaped Taskbar icon).

Click Preferences, then under the Statistics/Logs tab, click to select the most recent Scan Log, then click View Log. Save the log to your desktop, and copy/paste the text from the log back here along with the ComboFix.txt log and a new HijackThis log please.


----------



## GTROCKER (Aug 21, 2007)

Hello Jintan.....I followed your last instructions and the computer seems to be running much better. Here are the logs you requested:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/27/2007 at 02:09 PM

Application Version : 3.9.1008

Core Rules Database Version : 3315
Trace Rules Database Version: 1301

Scan type : Complete Scan
Total Scan Time : 00:44:28

Memory items scanned : 436
Memory threats detected : 0
Registry items scanned : 5587
Registry threats detected : 0
File items scanned : 30340
File threats detected : 0

ComboFix 08-03-20.5 - Owner 2008-03-20 23:59:25.4 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\matt.exe.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*

FILE ::
C:\Documents and Settings\All Users\Application Data\ybugy.pif
C:\Documents and Settings\Owner\Application Data\jykiquc.com
C:\Documents and Settings\Owner\Application Data\zisawobur.bin
C:\Program Files\antiviirus.exe
C:\Program Files\Common Files\ehurawole.bat
C:\Program Files\Common Files\uqyliramos.sys
C:\WINDOWS\system32\delself.bat
C:\WINDOWS\system32\fujama.com
C:\WINDOWS\system32\ixuti.exe
C:\WINDOWS\system32\jfiehayd.dll
C:\WINDOWS\system32\mmcrmtsbq.nls
C:\WINDOWS\system32\modealgji.sys
C:\WINDOWS\system32\osany.bat
C:\WINDOWS\system32\pajewa.bin
C:\WINDOWS\system32\uxymex.bat
C:\WINDOWS\system32\yqut.com
C:\WINDOWS\TEMP\mscbmlcje.dll
C:\WINDOWS\tusigytys.reg
C:\WINDOWS\yzytac.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\ybugy.pif
C:\Documents and Settings\Owner\Application Data\jykiquc.com
C:\Documents and Settings\Owner\Application Data\zisawobur.bin
C:\Program Files\Common Files\ehurawole.bat
C:\Program Files\Common Files\uqyliramos.sys
C:\WINDOWS\system32\delself.bat
C:\WINDOWS\system32\fujama.com
C:\WINDOWS\system32\ixuti.exe
C:\WINDOWS\system32\mmcrmtsbq.nls
C:\WINDOWS\system32\modealgji.sys
C:\WINDOWS\system32\osany.bat
C:\WINDOWS\system32\pajewa.bin
C:\WINDOWS\system32\uxymex.bat
C:\WINDOWS\system32\yqut.com
C:\WINDOWS\TEMP\kbdbrfrbr.nls
C:\WINDOWS\TEMP\mscjbp.drv
C:\WINDOWS\TEMP\Perflib_Perfdata_630.dat
C:\WINDOWS\TEMP\usbfbp.sys
C:\WINDOWS\tusigytys.reg
C:\WINDOWS\yzytac.sys
C:\WINDOWS\TEMP . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.

2008-03-20 18:14 . 2008-03-20 18:14 d--------	C:\WINDOWS\ERUNT
2008-03-20 18:03 . 2008-03-20 18:36 d--------	C:\SDFix
2008-03-20 09:50 . 2008-03-20 09:50 d--------	C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-19 00:40 . 2008-03-19 00:40 d--------	C:\Program Files\Security Task Manager
2008-03-19 00:40 . 2008-03-19 00:45 d--------	C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-18 23:25 . 2008-03-18 23:26 d--------	C:\Documents and Settings\Owner\Application Data\MSN6
2008-03-18 23:25 . 2008-03-18 23:25 d--------	C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-18 18:04 . 2008-03-18 18:05 d--------	C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-17 23:20 . 2008-03-17 23:20 d--------	C:\WINDOWS\system32\SuperAdBlocker.com
2008-03-17 15:32 . 2008-03-17 15:32 d--------	C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-17 15:31 . 2008-03-17 15:31 d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-03-17 15:31 . 2008-03-17 15:31 d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-17 15:30 . 2008-03-17 15:30 d--------	C:\Program Files\Common Files\Download Manager
2008-03-17 15:06 . 2007-12-04 09:51	42,912	--a------	C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-17 15:06 . 2007-12-04 09:49	26,624	--a------	C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-17 15:06 . 2007-12-04 09:53	23,152	--a------	C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-17 15:05 . 2007-12-04 07:54	95,608	--a------	C:\WINDOWS\system32\AvastSS.scr
2008-03-17 15:03 . 2007-12-04 09:55	94,544	--a------	C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-17 15:03 . 2007-12-04 09:56	93,264	--a------	C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-17 15:01 . 2007-12-04 08:04	837,496	--a------	C:\WINDOWS\system32\aswBoot.exe
2008-03-17 15:01 . 2004-01-09 04:13	380,928	--a------	C:\WINDOWS\system32\actskin4.ocx
2008-03-17 10:52 . 2008-03-17 11:07	91,700	--a------	C:\WINDOWS\system32\drivers\klin.dat
2008-03-17 10:52 . 2008-03-17 11:07	85,860	--a------	C:\WINDOWS\system32\drivers\klick.dat
2008-03-17 10:51 . 2008-03-17 10:51 d--------	C:\Program Files\Kaspersky Lab
2008-03-17 10:51 . 2008-03-20 19:11 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-17 10:51 . 2008-03-21 00:04	3,829,536	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-17 10:51 . 2008-03-21 00:04	51,020	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-17 10:51 . 2008-03-21 00:06	40,992	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-17 10:51 . 2008-03-21 00:04	4,844	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.idx
2008-03-17 10:42 . 2008-03-17 10:42 d--------	C:\KAV
2008-03-15 23:31 . 2008-03-18 08:32 d--------	C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-15 23:30 . 2008-03-15 23:30 d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-15 23:29 . 2008-03-20 16:23 d--------	C:\Documents and Settings\All Users\Application Data\avg7
2008-03-15 22:32 . 2003-07-16 16:24	4,224	--a------	C:\WINDOWS\system32\drivers\beep.sys
2008-03-15 22:32 . 2003-07-16 16:24	4,224	--a--c---	C:\WINDOWS\system32\dllcache\beep.sys
2008-03-15 08:50 . 2008-03-15 08:50	18,584	--a------	C:\WINDOWS\system32\sysi
2008-03-15 08:50 . 2008-03-15 08:50	18,059	--a------	C:\WINDOWS\system32\yjyfyroj.db
2008-03-15 08:50 . 2008-03-15 08:50	12,436	--a------	C:\WINDOWS\system32\qimy.ban
2008-03-08 16:04 . 2008-03-08 16:04 d--------	C:\Program Files\iPod
2008-03-08 16:03 . 2008-03-08 16:04 d--------	C:\Program Files\iTunes
2008-03-08 16:01 . 2008-03-08 16:01 d--------	C:\Program Files\Bonjour
2008-03-08 16:00 . 2008-03-08 16:01 d--------	C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 03:51	---------	d-----w	C:\Program Files\SUPERAntiSpyware
2008-03-20 20:52	---------	d-----w	C:\Program Files\Webroot
2008-03-20 20:43	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Webroot
2008-03-20 20:43	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-20 13:51	---------	d-----w	C:\Program Files\Common Files\AOL
2008-03-18 03:39	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-03-16 16:48	---------	d-----w	C:\Program Files\Enigma Software Group
2008-03-09 16:41	---------	d-----w	C:\Program Files\Sony
2008-03-04 02:26	---------	d-----w	C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-02-20 02:15	---------	d-----w	C:\Program Files\AIM
2007-12-28 18:27	164	----a-w	C:\install.dat
2006-07-01 18:42	3,796	-c--a-w	C:\Documents and Settings\Owner\Application Data\FNTCACHE.BIN
2006-04-26 04:11	17,144	-c--a-w	C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2001-07-26 23:58	47	-c--a-w	C:\Program Files\ACMonitor_X73.ini
2001-07-05 19:46	8,116	-c--a-w	C:\Program Files\OSLO3071b2.USB
2001-05-11 18:39	53,248	-c--a-w	C:\Program Files\ACMonitor_X73.exe
2001-05-08 23:36	114,688	-c--a-w	C:\Program Files\lxarscan.dll
2001-04-23 21:22	1,437	-c--a-w	C:\Program Files\gtx73.ini
2001-02-22 16:54	768	-c--a-w	C:\Program Files\x73_lut.dat
.

((((((((((((((((((((((((((((( [email protected]_19.17.21.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-21 04:05:51	16,384	----atw	C:\WINDOWS\Temp\Perflib_Perfdata_644.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5AF49A2-94F3-42BD-F434-2604812C897D}]
C:\WINDOWS\system32\jfiehayd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 18:08 67160]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 15:51 118784]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 15:55 155648]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 03:42 36864]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2007-01-29 23:02 200768]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 20:54 99480]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 18:52 74672]
"HostManager"="C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe" [2007-10-08 17:50 41824]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"AOLAspSunset"="C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe" [ ]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 18:56 295856]
"BCMSMMSG"="BCMSMMSG.exe" [2002-12-17 15:03 90112 C:\WINDOWS\BCMSMMSG.exe]
"njjnrfrj"="C:\WINDOWS\TEMP\dnsbbfrb.dll" [2007-06-13 06:23 114688]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 05:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"bfbnrr"= rundll32.exe "C:\WINDOWS\system32\shelljtff.sys" WLEntryPoint

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"= C:\WINDOWS\system32\jfiehayd.dll [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CDWin"= {39e884ff-1588-4bf2-a2f6-796d87d05f72} - C:\WINDOWS\Installer\{39e884ff-1588-4bf2-a2f6-796d87d05f72}\CDWin.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
C:\Program Files\antiviirus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fbrjjbjj]
C:\WINDOWS\TEMP\mscbmlcje.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jjrbbffr]
C:\WINDOWS\TEMP\mscbmlcje.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\njbfjjbb]
C:\WINDOWS\TEMP\mscbmlcje.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\onaporit]
C:\WINDOWS\TEMP\mscbmlcje.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Piolet]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2005-01-07 04:04 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rfrbrffn]
C:\WINDOWS\TEMP\mscbmlcje.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Cleaner]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-29 16:03 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinReanimator]
C:\Program Files\WinReanimator\WinReanimator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\lxczcoms.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21920:TCP"= 21920:TCPxpsp2res.dll,-22004
"48127:TCP"= 48127:TCPxpsp2res.dll,-22004
"24922:TCP"= 24922:TCPxpsp2res.dll,-22004
"27393:TCP"= 27393:TCPxpsp2res.dll,-22004
"5307:TCP"= 5307:TCPxpsp2res.dll,-22004

R2 lxcz_device;lxcz_device;C:\WINDOWS\system32\lxczcoms.exe [2007-02-08 18:50]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-08-09 13:56]
S2 Intel Centrino2;Intel Centrino2;C:\WINDOWS\System32\VsTaskMngr.exe []

*Newly Created Service* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder
"2008-03-20 17:22:34 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 00:06:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\shelljtff.sys 114688 bytes executable

scan completed successfully 
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
c:\program files\common files\aol\1131511753\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-03-21 0:16:38 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-03-21 04:16:26
ComboFix2.txt 2008-03-20 23:17:59
ComboFix3.txt 2007-08-21 18:47:39
.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:17 AM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Common Files\AOL\1131511753\ee\aolsoftware.exe
c:\program files\common files\aol\1131511753\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [AOLAspSunset] "C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [bfrjrjfn] rundll32.exe "C:\WINDOWS\TEMP\cdbjbbrnj.drv" WLEntryPoint
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [bfbnrr] rundll32.exe "C:\WINDOWS\system32\shelljtff.sys" WLEntryPoint
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183763861125
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: CDWin - {39e884ff-1588-4bf2-a2f6-796d87d05f72} - C:\WINDOWS\Installer\{39e884ff-1588-4bf2-a2f6-796d87d05f72}\CDWin.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel Centrino2 - Unknown owner - C:\WINDOWS\System32\VsTaskMngr.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 9022 bytes


----------



## GTROCKER (Aug 21, 2007)

I noticed that WinReanimator and Braviax are still in the System Config startup (unchecked). Can they be deleted from the startup?


----------



## Jintan (Oct 4, 2007)

We'll need to make another run at that. I left in a forum line spacing needing correcting, and can see additional driver info now, but be very sure all security software is completely disabled. I can appreciate your concerns seeing things you recognize as infection, but we will have it all removed soon.

Open Notepad (Start, Run type *notepad* and select Enter) and copy/paste the following text.


```
[Version]
Signature="$CHICAGO$"

[DefaultInstall]
DelReg=Del.Settings

[Del.Settings]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoFolderOptions"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableRegistryTools"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableTaskMgr"
HKLM,"Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions","NoSplash"
HKLM,"SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore","Disable Config"
```
Save this as *correct2.inf*

Where it says "Files of Type", select All Files and click on Save and save it to your desktop. Exit Notepad, then right-click on correct2.inf and select Install. This will correct the rest of the block settings showing in the earlier Silent Runners log.

----------------------------------------------------------


```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
```
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it fixer.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.

-------------------------------------------

Be sure to again temporarily disable any protective software when running the scan tools we use here.

Open notepad (go to Start, Run, type *notepad* and press Enter) and copy/paste the text in the codebox below into it:


```
Driver::
shelljtff
Intel Centrino2
File::
C:\WINDOWS\system32\shelljtff.sys
C:\WINDOWS\System32\VsTaskMngr.exe
C:\WINDOWS\system32\sysi
C:\WINDOWS\system32\yjyfyroj.db
C:\WINDOWS\system32\qimy.ban
C:\WINDOWS\system32\jfiehayd.dll
Folder::
C:\WINDOWS\TEMP
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"bfbnrr"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CDWin"=-
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5AF49A2-94F3-42BD-F434-2604812C897D}]
[-HKEY_CLASSES_ROOT\CLSID\{39e884ff-1588-4bf2-a2f6-796d87d05f72}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{39e884ff-1588-4bf2-a2f6-796d87d05f72}]
[-HKEY_CLASSES_ROOT\TypeLib\{39e884ff-1588-4bf2-a2f6-796d87d05f72}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fbrjjbjj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jjrbbffr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\njbfjjbb]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\onaporit]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Piolet]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rfrbrffn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Cleaner]
```
Save this to your desktop as *"CFScript"*

(include the "quotation marks" with the name)

You should now have ComboFix and CFScript on your desktop. Just left click on CFScript and drag it into ComboFix to start the scan again.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-----------------------

Also Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.

To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".

Post back that log along with the ComboFix log and a new HijackThis log please.


----------



## GTROCKER (Aug 21, 2007)

Hello Jintan....I followed all your instructions up to downloading the SuperAntispyware...but it won't download. It says "Failed to load Kaspersky Online ActiveX control! You must have administrative rights on this computer; you must have all the IE security settings to the Medium level".
Please advise as to how I should proceed. Thank you.


----------



## Jintan (Oct 4, 2007)

We will likely spend too much time trying to assess why one online scanner's ActiveX object is not being allowed there, but let's see where you are at first before deciding anything else. Post back the new C:\ComboFix.txt log and let's check that.


----------



## GTROCKER (Aug 21, 2007)

Here is the latest ComboFix log:

ComboFix 08-03-20.5 - Owner 2008-03-24 13:01:13.6 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\matt.exe.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))
.

2008-03-23 18:35 . 2008-03-23 18:42	2,319	--a------	C:\WINDOWS\unins000.dat
2008-03-20 18:14 . 2008-03-20 18:14 d--------	C:\WINDOWS\ERUNT
2008-03-20 18:03 . 2008-03-20 18:36 d--------	C:\SDFix
2008-03-20 09:50 . 2008-03-20 09:50 d--------	C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-19 00:40 . 2008-03-19 00:40 d--------	C:\Program Files\Security Task Manager
2008-03-19 00:40 . 2008-03-19 00:45 d--------	C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-18 23:25 . 2008-03-18 23:26 d--------	C:\Documents and Settings\Owner\Application Data\MSN6
2008-03-18 23:25 . 2008-03-18 23:25 d--------	C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-18 18:04 . 2008-03-18 18:05 d--------	C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-17 23:20 . 2008-03-17 23:20 d--------	C:\WINDOWS\system32\SuperAdBlocker.com
2008-03-17 15:32 . 2008-03-17 15:32 d--------	C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-17 15:31 . 2008-03-17 15:31 d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-03-17 15:31 . 2008-03-17 15:31 d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-17 15:30 . 2008-03-17 15:30 d--------	C:\Program Files\Common Files\Download Manager
2008-03-17 15:06 . 2007-12-04 09:51	42,912	--a------	C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-17 15:06 . 2007-12-04 09:49	26,624	--a------	C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-17 15:06 . 2007-12-04 09:53	23,152	--a------	C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-17 15:05 . 2007-12-04 07:54	95,608	--a------	C:\WINDOWS\system32\AvastSS.scr
2008-03-17 15:03 . 2007-12-04 09:55	94,544	--a------	C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-17 15:03 . 2007-12-04 09:56	93,264	--a------	C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-17 15:01 . 2007-12-04 08:04	837,496	--a------	C:\WINDOWS\system32\aswBoot.exe
2008-03-17 15:01 . 2004-01-09 04:13	380,928	--a------	C:\WINDOWS\system32\actskin4.ocx
2008-03-17 10:52 . 2008-03-17 11:07	91,700	--a------	C:\WINDOWS\system32\drivers\klin.dat
2008-03-17 10:52 . 2008-03-17 11:07	85,860	--a------	C:\WINDOWS\system32\drivers\klick.dat
2008-03-17 10:51 . 2008-03-17 10:51 d--------	C:\Program Files\Kaspersky Lab
2008-03-17 10:51 . 2008-03-24 12:44 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-17 10:51 . 2008-03-24 13:05	4,266,784	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-17 10:51 . 2008-03-24 13:05	61,472	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-17 10:51 . 2008-03-24 12:39	57,836	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-17 10:51 . 2008-03-24 12:39	6,692	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.idx
2008-03-17 10:42 . 2008-03-17 10:42 d--------	C:\KAV
2008-03-15 23:31 . 2008-03-18 08:32 d--------	C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-15 23:30 . 2008-03-15 23:30 d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-15 23:29 . 2008-03-20 16:23 d--------	C:\Documents and Settings\All Users\Application Data\avg7
2008-03-15 22:32 . 2003-07-16 16:24	4,224	--a------	C:\WINDOWS\system32\drivers\beep.sys
2008-03-15 22:32 . 2003-07-16 16:24	4,224	--a--c---	C:\WINDOWS\system32\dllcache\beep.sys
2008-03-08 16:04 . 2008-03-08 16:04 d--------	C:\Program Files\iPod
2008-03-08 16:03 . 2008-03-08 16:04 d--------	C:\Program Files\iTunes
2008-03-08 16:01 . 2008-03-08 16:01 d--------	C:\Program Files\Bonjour
2008-03-08 16:00 . 2008-03-08 16:01 d--------	C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 03:51	---------	d-----w	C:\Program Files\SUPERAntiSpyware
2008-03-20 20:52	---------	d-----w	C:\Program Files\Webroot
2008-03-20 20:43	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Webroot
2008-03-20 20:43	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-20 13:51	---------	d-----w	C:\Program Files\Common Files\AOL
2008-03-18 03:39	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-03-16 16:48	---------	d-----w	C:\Program Files\Enigma Software Group
2008-03-09 16:41	---------	d-----w	C:\Program Files\Sony
2008-03-04 02:26	---------	d-----w	C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-02-20 02:15	---------	d-----w	C:\Program Files\AIM
2007-12-28 18:27	164	----a-w	C:\install.dat
2006-07-01 18:42	3,796	-c--a-w	C:\Documents and Settings\Owner\Application Data\FNTCACHE.BIN
2006-04-26 04:11	17,144	-c--a-w	C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2001-07-26 23:58	47	-c--a-w	C:\Program Files\ACMonitor_X73.ini
2001-07-05 19:46	8,116	-c--a-w	C:\Program Files\OSLO3071b2.USB
2001-05-11 18:39	53,248	-c--a-w	C:\Program Files\ACMonitor_X73.exe
2001-05-08 23:36	114,688	-c--a-w	C:\Program Files\lxarscan.dll
2001-04-23 21:22	1,437	-c--a-w	C:\Program Files\gtx73.ini
2001-02-22 16:54	768	-c--a-w	C:\Program Files\x73_lut.dat
.

((((((((((((((((((((((((((((( [email protected]_19.17.21.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-16 03:14:50	32,768	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-24 16:41:14	32,768	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-16 03:14:50	32,768	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-24 16:41:14	32,768	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-16 03:14:50	49,152	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-24 16:41:14	49,152	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-07-10 16:01:46	111,784	----a-w	C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-03-24 16:40:01	122,136	----a-w	C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-06-13 10:23:07	114,688	----a-w	C:\WINDOWS\system32\msxmlj.drv
+ 2008-03-24 16:40:20	16,384	----atw	C:\WINDOWS\Temp\Perflib_Perfdata_618.dat
+ 2004-01-16 08:00:00	76,946	----a-w	C:\WINDOWS\unins000.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5AF49A2-94F3-42BD-F434-2604812C897D}]
C:\WINDOWS\system32\jfiehayd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 18:08 67160]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 15:51 118784]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 15:55 155648]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 03:42 36864]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2007-01-29 23:02 200768]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 20:54 99480]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 18:52 74672]
"HostManager"="C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe" [2007-10-08 17:50 41824]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"AOLAspSunset"="C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe" [ ]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 18:56 295856]
"BCMSMMSG"="BCMSMMSG.exe" [2002-12-17 15:03 90112 C:\WINDOWS\BCMSMMSG.exe]
"nfbnbb"="C:\WINDOWS\TEMP\adsbjfjj.drv WLEntryPoint" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 05:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"bbrjpljj"= rundll32.exe "C:\WINDOWS\system32\msxmlj.drv" WLEntryPoint

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2005-01-07 04:04 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-29 16:03 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinReanimator]
C:\Program Files\WinReanimator\WinReanimator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\lxczcoms.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"32686:TCP"= 32686:TCPxpsp2res.dll,-22004
"24405:TCP"= 24405:TCPxpsp2res.dll,-22004
"22936:TCP"= 22936:TCPxpsp2res.dll,-22004
"24799:TCP"= 24799:TCPxpsp2res.dll,-22004
"5307:TCP"= 5307:TCPxpsp2res.dll,-22004

R2 lxcz_device;lxcz_device;C:\WINDOWS\system32\lxczcoms.exe [2007-02-08 18:50]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-08-09 13:56]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-20 17:22:34 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 13:05:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-24 13:07:44
ComboFix-quarantined-files.txt 2008-03-24 17:07:33
ComboFix2.txt 2008-03-21 18:50:34
ComboFix3.txt 2008-03-21 04:16:38
ComboFix4.txt 2008-03-20 23:17:59
ComboFix5.txt 2007-08-21 18:47:39
.
2008-03-12 03:22:20	--- E O F ---


----------
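An added example, not code from the thread, from ComboFix or from Jintan: it automates the triage Jintan applies to the "Reg Loading Points" section of a log like the one above. The sample log lines are constructed from entries shown in this thread, and the heuristics (consonant-only value names, a `.drv` run through rundll32 or a named export, a target under TEMP, a missing size/date stamp, the Policies\Explorer\Run key) are this example's own assumptions about what singles out the two values that the later Avenger script removes.

```python
"""Triage of the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not ComboFix's own code and not something the
helper posted. It encodes, as plain checks, the clues that single out the two
autorun values removed by the Avenger script later in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the format ComboFix uses (entries taken from the thread).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 18:08 67160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 15:51 118784]
"AOLAspSunset"="C:\Documents and Settings\All Users\Application Data\AOL\sunsetAsp.exe" [ ]
"nfbnbb"="C:\WINDOWS\TEMP\adsbjfjj.drv WLEntryPoint" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"bbrjpljj"= rundll32.exe "C:\WINDOWS\system32\msxmlj.drv" WLEntryPoint
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")            # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<rest>.*)$')  # "name"=...
META_RE = re.compile(r"\s*\[(?P<meta>[^\]]*)\]\s*$")          # trailing [date time size]


@dataclass
class Finding:
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)


def indicators(key: str, name: str, command: str, meta) -> list:
    """Return the heuristic reasons an autorun entry deserves a second look.

    These are assumptions of this example, tuned to the entries in the thread,
    not a general malware classifier.
    """
    reasons = []
    if "policies\\explorer\\run" in key.lower():
        reasons.append("loaded from Policies\\Explorer\\Run, a key normal software rarely uses")
    if re.search(r"\\temp\\", command, re.IGNORECASE):
        reasons.append("target lives under a TEMP folder")
    if re.search(r"\.drv\b", command, re.IGNORECASE) and re.search(
            r"rundll32|WLEntryPoint", command, re.IGNORECASE):
        reasons.append(".drv file run as a DLL through rundll32 or a named export")
    if meta is not None and meta.strip() == "":
        reasons.append("no size/date recorded: ComboFix could not find the file")
    if re.fullmatch(r"[b-df-hj-np-tv-z]{6,}", name):
        reasons.append("value name is a run of random lowercase consonants")
    return reasons


def triage(log_text: str) -> list:
    """Walk the log, keep entries with at least one indicator, worst first.

    Safe to feed a whole ComboFix log: only lines of the form "name"=... are
    examined, and firewall or port entries in the same format trip no check.
    """
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = VALUE_RE.match(line)
        if not value_match:
            continue
        name, rest = value_match.group("name"), value_match.group("rest")
        meta_match = META_RE.search(rest)
        meta = meta_match.group("meta") if meta_match else None
        command = rest[:meta_match.start()].strip() if meta_match else rest.strip()
        reasons = indicators(current_key, name, command, meta)
        if reasons:
            findings.append(Finding(current_key, name, command, reasons))
    findings.sort(key=lambda f: -len(f.reasons))   # stable: ties keep log order
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{len(f.reasons)}] {f.name} -> {f.command}")
        for r in f.reasons:
            print("     -", r)
```

On the sample the two values later removed with Avenger, "nfbnbb" and "bbrjpljj", rank first; the AOL entry is reported only for its missing file stamp, which is worth confirming by hand rather than acting on.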



## Jintan (Oct 4, 2007)

Improved each time, but something still is blocking some repairs here. Again be very sure all security software is completely disabled when running any of these repair steps.

Download The Avenger by Swandog from here and save it to your Desktop.

Disconnect from net access, close all open programs and unzip the downloaded avenger.zip file. Then in the new avenger folder created locate and click on avenger.exe to run the tool.

Okay the warning. When the Avenger display opens copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.


```
Drivers to delete:
msxmlj
Files to delete:
C:\WINDOWS\system32\msxmlj.drv
C:\WINDOWS\system32\jfiehayd.dll
Folders to delete:
C:\WINDOWS\TEMP
Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run | bbrjpljj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | nfbnbb
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5AF49A2-94F3-42BD-F434-2604812C897D}
```
Your system may reboot twice to complete the repairs. After the reboot a text file will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt.

Also run and post back new ComboFix and HijackThis logs please.


----------



## GTROCKER (Aug 21, 2007)

I downloaded Avenger by Swandog, saved it to the desktop and unzipped the file, but I don't see anything to click on in the temp file that says "avenger.exe". I see "Installer" in the file but nothing happens when I click on that. Am I doing something wrong?


----------



## Jintan (Oct 4, 2007)

Not quite sure you unzipped that correctly. What do you normally use to unzip files there? If needed you can do a quick web search and locate some free or trial downloads of 7-Zip or Winzip to use.


----------



## GTROCKER (Aug 21, 2007)

OK thanks..I'll try that and post back here with the results.


----------



## GTROCKER (Aug 21, 2007)

I downloaded WinZip and it worked well ...thanks. Here are the latest logfiles you requested:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msxmlj" not found!
Deletion of driver "msxmlj" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\msxmlj.drv" deleted successfully.

Error: file "C:\WINDOWS\system32\jfiehayd.dll" not found!
Deletion of file "C:\WINDOWS\system32\jfiehayd.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\WINDOWS\TEMP" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run|bbrjpljj" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|nfbnbb" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5AF49A2-94F3-42BD-F434-2604812C897D}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Tue Mar 25 01:17:34 2008

01:17:34: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msxmlj" not found!
Deletion of driver "msxmlj" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\msxmlj.drv" not found!
Deletion of file "C:\WINDOWS\system32\msxmlj.drv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\jfiehayd.dll" not found!
Deletion of file "C:\WINDOWS\system32\jfiehayd.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\WINDOWS\TEMP" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run|bbrjpljj" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|nfbnbb" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5AF49A2-94F3-42BD-F434-2604812C897D}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5AF49A2-94F3-42BD-F434-2604812C897D}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

ComboFix 08-03-20.5 - Owner 2008-03-25 9:48:31.7 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\matt.exe.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-25 00:37 . 2008-03-25 01:17	12,192	--a------	C:\backup.reg
2008-03-25 00:36 . 2008-03-25 01:17	135,168	--a------	C:\zip.exe
2008-03-25 00:36 . 2008-03-25 01:17	19,286	--a------	C:\cleanup.exe
2008-03-25 00:36 . 2008-03-25 01:17	574	--a------	C:\cleanup.bat
2008-03-24 23:59 . 2008-03-25 00:03 d--------	C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-23 18:35 . 2008-03-23 18:42	2,319	--a------	C:\WINDOWS\unins000.dat
2008-03-20 18:14 . 2008-03-20 18:14 d--------	C:\WINDOWS\ERUNT
2008-03-20 18:03 . 2008-03-20 18:36 d--------	C:\SDFix
2008-03-20 09:50 . 2008-03-20 09:50 d--------	C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-19 00:40 . 2008-03-19 00:40 d--------	C:\Program Files\Security Task Manager
2008-03-19 00:40 . 2008-03-19 00:45 d--------	C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-18 23:25 . 2008-03-18 23:26 d--------	C:\Documents and Settings\Owner\Application Data\MSN6
2008-03-18 23:25 . 2008-03-18 23:25 d--------	C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-18 18:04 . 2008-03-18 18:05 d--------	C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-17 23:20 . 2008-03-17 23:20 d--------	C:\WINDOWS\system32\SuperAdBlocker.com
2008-03-17 15:32 . 2008-03-17 15:32 d--------	C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-17 15:31 . 2008-03-17 15:31 d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-03-17 15:31 . 2008-03-17 15:31 d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-17 15:30 . 2008-03-17 15:30 d--------	C:\Program Files\Common Files\Download Manager
2008-03-17 15:06 . 2007-12-04 09:51	42,912	--a------	C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-17 15:06 . 2007-12-04 09:49	26,624	--a------	C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-17 15:06 . 2007-12-04 09:53	23,152	--a------	C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-17 15:05 . 2007-12-04 07:54	95,608	--a------	C:\WINDOWS\system32\AvastSS.scr
2008-03-17 15:03 . 2007-12-04 09:55	94,544	--a------	C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-17 15:03 . 2007-12-04 09:56	93,264	--a------	C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-17 15:01 . 2007-12-04 08:04	837,496	--a------	C:\WINDOWS\system32\aswBoot.exe
2008-03-17 15:01 . 2004-01-09 04:13	380,928	--a------	C:\WINDOWS\system32\actskin4.ocx
2008-03-17 10:52 . 2008-03-17 11:07	91,700	--a------	C:\WINDOWS\system32\drivers\klin.dat
2008-03-17 10:52 . 2008-03-17 11:07	85,860	--a------	C:\WINDOWS\system32\drivers\klick.dat
2008-03-17 10:51 . 2008-03-17 10:51 d--------	C:\Program Files\Kaspersky Lab
2008-03-17 10:51 . 2008-03-25 01:22 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-17 10:51 . 2008-03-25 09:52	4,483,616	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-17 10:51 . 2008-03-25 09:52	72,480	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-17 10:51 . 2008-03-25 01:19	60,452	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-17 10:51 . 2008-03-25 01:19	7,700	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.idx
2008-03-17 10:42 . 2008-03-17 10:42 d--------	C:\KAV
2008-03-15 23:31 . 2008-03-18 08:32 d--------	C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-15 23:30 . 2008-03-15 23:30 d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-15 23:29 . 2008-03-20 16:23 d--------	C:\Documents and Settings\All Users\Application Data\avg7
2008-03-15 22:32 . 2003-07-16 16:24	4,224	--a------	C:\WINDOWS\system32\drivers\beep.sys
2008-03-15 22:32 . 2003-07-16 16:24	4,224	--a--c---	C:\WINDOWS\system32\dllcache\beep.sys
2008-03-08 16:04 . 2008-03-08 16:04 d--------	C:\Program Files\iPod
2008-03-08 16:03 . 2008-03-08 16:04 d--------	C:\Program Files\iTunes
2008-03-08 16:01 . 2008-03-08 16:01 d--------	C:\Program Files\Bonjour
2008-03-08 16:00 . 2008-03-08 16:01 d--------	C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 05:07	114,688	----a-w	C:\WINDOWS\system32\wuaffrjrr.drv
2008-03-25 04:14	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-03-25 04:14	---------	d-----w	C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-21 03:51	---------	d-----w	C:\Program Files\SUPERAntiSpyware
2008-03-20 20:52	---------	d-----w	C:\Program Files\Webroot
2008-03-20 20:43	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Webroot
2008-03-20 20:43	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-20 13:51	---------	d-----w	C:\Program Files\Common Files\AOL
2008-03-18 03:39	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-03-16 16:48	---------	d-----w	C:\Program Files\Enigma Software Group
2008-03-09 16:41	---------	d-----w	C:\Program Files\Sony
2008-03-04 02:26	---------	d-----w	C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-02-20 02:15	---------	d-----w	C:\Program Files\AIM
2007-12-28 18:27	164	----a-w	C:\install.dat
2006-07-01 18:42	3,796	-c--a-w	C:\Documents and Settings\Owner\Application Data\FNTCACHE.BIN
2006-04-26 04:11	17,144	-c--a-w	C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2001-07-26 23:58	47	-c--a-w	C:\Program Files\ACMonitor_X73.ini
2001-07-05 19:46	8,116	-c--a-w	C:\Program Files\OSLO3071b2.USB
2001-05-11 18:39	53,248	-c--a-w	C:\Program Files\ACMonitor_X73.exe
2001-05-08 23:36	114,688	-c--a-w	C:\Program Files\lxarscan.dll
2001-04-23 21:22	1,437	-c--a-w	C:\Program Files\gtx73.ini
2001-02-22 16:54	768	-c--a-w	C:\Program Files\x73_lut.dat
.

((((((((((((((((((((((((((((( [email protected]_19.17.21.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-25 04:00:37	632,320	----a-r	C:\WINDOWS\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}\IconCD95F66110.exe
+ 2008-03-25 04:00:37	29,184	----a-r	C:\WINDOWS\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}\IconCD95F6617.exe
- 2008-03-16 03:14:50	32,768	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-25 04:23:39	32,768	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-16 03:14:50	32,768	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-25 04:23:39	32,768	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-16 03:14:50	49,152	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-25 04:23:39	49,152	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-07-10 16:01:46	111,784	----a-w	C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-03-24 16:40:01	122,136	----a-w	C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-03-25 05:20:17	16,384	----atw	C:\WINDOWS\TEMP\Perflib_Perfdata_584.dat
+ 2004-01-16 08:00:00	76,946	----a-w	C:\WINDOWS\unins000.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 18:08 67160]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 15:51 118784]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 15:55 155648]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 03:42 36864]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 20:54 99480]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 18:52 74672]
"HostManager"="C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe" [2007-10-08 17:50 41824]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"AOLAspSunset"="C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe" [ ]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 18:56 295856]
"BCMSMMSG"="BCMSMMSG.exe" [2002-12-17 15:03 90112 C:\WINDOWS\BCMSMMSG.exe]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [2004-08-04 03:56 158208]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2007-01-29 23:02 200768]
"jrbjnnnf"="C:\WINDOWS\TEMP\ctlrnnrrf.nls WLEntryPoint" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 05:01:04 83360]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-02-08 11:10:00 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"bbrjpljj"= rundll32.exe "C:\WINDOWS\system32\wuaffrjrr.drv" WLEntryPoint

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
--a------ 2007-01-29 23:02 200768 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2005-01-07 04:04 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-29 16:03 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinReanimator]
C:\Program Files\WinReanimator\WinReanimator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\lxczcoms.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8047:TCP"= 8047:TCPxpsp2res.dll,-22004
"47538:TCP"= 47538:TCPxpsp2res.dll,-22004
"49673:TCP"= 49673:TCPxpsp2res.dll,-22004
"56940:TCP"= 56940:TCPxpsp2res.dll,-22004
"5307:TCP"= 5307:TCPxpsp2res.dll,-22004

R2 lxcz_device;lxcz_device;C:\WINDOWS\system32\lxczcoms.exe [2007-02-08 18:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-20 17:22:34 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 09:53:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-25 9:55:27
ComboFix-quarantined-files.txt 2008-03-25 13:55:07
ComboFix2.txt 2008-03-24 17:07:45
ComboFix3.txt 2008-03-21 18:50:34
ComboFix4.txt 2008-03-21 04:16:38
ComboFix5.txt 2008-03-20 23:17:59
.
2008-03-12 03:22:20	--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:07 AM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
c:\program files\common files\aol\1131511753\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1131511753\ee\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\AOL\1131511753\ee\anotify.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [AOLAspSunset] "C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [jrbjnnnf] rundll32.exe "C:\WINDOWS\TEMP\mscbrrrrj.dll" WLEntryPoint
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [bbrjpljj] rundll32.exe "C:\WINDOWS\system32\wuaffrjrr.drv" WLEntryPoint
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183763861125
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 8752 bytes


----------



## Jintan (Oct 4, 2007)

Progress, but the malware created what appears to be a new driver file, and I sense we are not seeing the driver it is associated with. We could do this delete step again but will likely be right back at this point after.

Download gmer.zip from here. Once downloaded, doubleclick on gmer.zip and unzip the file to its own folder

When you have done this, doubleclick on Gmer.exe to run it and click on Settings. Check the first five settings (see below)

*System Protection and Tracing*
*Processes*
*Save created processes to the log*
*Drivers*
*Save loaded drivers to the log*

You will be prompted to restart your computer. Please do so.

Run Gmer again and click on the Rootkit tab. Look at the righthand side (under Files) and uncheck all drives with the exception of your C drive and then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.


----------



## Jintan (Oct 4, 2007)

Though getting access to check it might be locked there, before you do that step see if you can upload that new driver file created to be checked out.

Download the Suspicious Files Packer and unzip it to your desktop:

Then highlight the items shown in Bold below, and right-click/copy that.

*C:\WINDOWS\system32\wuaffrjrr.drv*

Then start the file packer program (sfp.exe) and right click in the white box and select paste to paste the copied file names in the field.

Press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Once you have done that Just go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select the CAB archive file on your computer (You will not be able to see the file once uploaded).

You DO NOT need to be a member to upload, anybody can upload the files.


----------



## GTROCKER (Aug 21, 2007)

Not sure I uploaded that file correctly....if not, please let me know and
I'll try again. Thank you, GTROCKER


----------



## Jintan (Oct 4, 2007)

I received the file, thanks. Very much a spambot/IRCbot, so be sure to minimize maintaining net access there as much as possible until we complete repairs here. Yes, get that Gmer log back here and let's see if we can complete those repairs with its info.


----------



## GTROCKER (Aug 21, 2007)

Hey Jintan....I tried to post the Gmer log but it said "The text that you have entered is too long (281463 characters)"...does that sound right? Please advise....thank you.


----------



## Jintan (Oct 4, 2007)

May have picked up a bunch of other security software activity there. Zip a copy of it, and send it to [email protected] as an attachment. Please place "Submitted Files - GTROCKER" as the email Subject. I will review it and post back here the relevant details for everyone to be able to review.


----------



## GTROCKER (Aug 21, 2007)

OK I will send it out...thank you very much.


----------



## Jintan (Oct 4, 2007)

Others are reviewing our work here and providing some excellent input on the issues showing in the logs. I did receive the Gmer log, thanks. I won't post the majority here, which reflects many "hooks" in processes created by Kaspersky, Avast and some other softwares there, but the last part of the log is where we see some of what we will work with next.

---- Threads - GMER 1.0.14 ----

Thread 4:112 819E9330
Thread 4:116 819E9330
Thread 4:120 819A8F10
Thread 4:124 819A8F10
Thread 4:128 819A8F10
Thread 4:360 819E9330
Thread 4:544 819E9330

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage 
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\0 
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_name mscbrrrrj
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_expand dll
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_path C:\WINDOWS\TEMP\
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_name jrbjnnnf
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_id 234533
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_function WLEntryPoint
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\1  
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_name wuaffrjrr
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_expand drv
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_path C:\WINDOWS\system32\
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_name bbrjpljj
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_id 235124
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_function WLEntryPoint
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\2 
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_name urlbjjnff
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_expand nls
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_path C:\WINDOWS\TEMP\
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_name hndjnr
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_id 987234
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_function WLEntryPoint
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\3 
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_name iasdkreps
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_expand sys
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_path C:\WINDOWS\system32\
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_name pfnffjrj
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_id 7237565
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_function WLEntryPoint
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\4 
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_name cdfbrbnnb
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_expand sys
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_path C:\WINDOWS\TEMP\
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_name bnnfjbbf
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_id 7523455
Reg HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\[email protected]_function WLEntry

---- EOF - GMER 1.0.14 ----

The tool's author was kind enough to take time to look at that, and indicates that what would normally be very suspect, the items listed under "Threads" with no processes associated with them, are the result of some of the other software hooks there. But the remainder of the info suggests the existence of a "null" embedded character reg key, which our other tools wouldn't pick up in scans. Let's act on the available info and check after.

Be sure to continue to temp disable all security software when running these repair steps.

Go to Start - Run, type cmd (and OK). At the prompt type or copy/paste the following:

*swreg null delete HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}*

Then press Enter. There are methods to record or copy the results of that but to simplify things just write down the results to type back here. You should either get a "Success", or information that the key does not exist. Then type Exit (and Enter) to close the command window. (I appreciate the work of Bobbi Flekmann and CreteMonster for the creative thinking in these steps).

--------------------------------------------

Then disable from net access, and again click on avenger.exe to run the tool.

Okay the warning. When the Avenger display opens copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.


```
Files to delete:
C:\WINDOWS\system32\wuaffrjrr.drv
C:\WINDOWS\system32\iasdkreps.sys
C:\WINDOWS\TEMP\mscbrrrrj.dll
C:\WINDOWS\TEMP\urlbjjnff.nls
C:\WINDOWS\TEMP\cdfbrbnnb.sys
Folders to delete:
C:\WINDOWS\TEMP
Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | jrbjnnnf
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run | bbrjpljj
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}
```
Your system may reboot twice to complete the repairs. After the reboot a text will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt.

Also run and post back new ComboFix and HijackThis logs please. Of course reconnect to the net at this time for that. You may get some error notifications indicating file or processes do not exist after the rebooting is completed, but we will be addressing all that as we go.


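As an added triage example (not code from this thread, nor from GMER, HijackThis or Avenger), the Python script below does mechanically what the removal script above was assembled from by hand: it groups the GMER `Storage` values by slot number to rebuild each dropped file's full path and the Run value name that loads it, then flags the HijackThis O4 lines whose value name matches, or that use rundll32 on a module in the TEMP folder or with a non-DLL extension, or that sit under the Policies\Explorer\Run key, and finally renders the Avenger "Files to delete" / "Registry values to delete" lists. The sample log lines are constructed from the ones quoted in this thread. Two things are assumptions: the value-name prefixes `file_` and `run_` (the copy of the GMER log here has those characters mangled), and the expansion of HijackThis's `..` abbreviation to `Software\Microsoft\Windows\CurrentVersion`, which matches the full key names shown in the ComboFix "Reg Loading Points" section earlier in the thread.

```python
import ntpath
import re

# Constructed sample input, modelled on the GMER "Reg" lines and HijackThis O4
# lines quoted in this thread. GMER prints registry values as
# "<key>@<value name> <data>"; the prefixes "file_" and "run_" are assumed,
# because the copy of the log in the thread has those characters mangled.
CLSID = r"HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}"
GMER_LINES = rf"""
Reg {CLSID}\Storage\0
Reg {CLSID}\Storage\0@file_name mscbrrrrj
Reg {CLSID}\Storage\0@file_expand dll
Reg {CLSID}\Storage\0@file_path C:\WINDOWS\TEMP\
Reg {CLSID}\Storage\0@run_name jrbjnnnf
Reg {CLSID}\Storage\0@run_function WLEntryPoint
Reg {CLSID}\Storage\1
Reg {CLSID}\Storage\1@file_name wuaffrjrr
Reg {CLSID}\Storage\1@file_expand drv
Reg {CLSID}\Storage\1@file_path C:\WINDOWS\system32\
Reg {CLSID}\Storage\1@run_name bbrjpljj
Reg {CLSID}\Storage\1@run_function WLEntryPoint
"""
HJT_LINES = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [jrbjnnnf] rundll32.exe "C:\WINDOWS\TEMP\mscbrrrrj.dll" WLEntryPoint
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\Policies\Explorer\Run: [bbrjpljj] rundll32.exe "C:\WINDOWS\system32\wuaffrjrr.drv" WLEntryPoint
"""

STORAGE_RE = re.compile(r"\\Storage\\(\d+)@(\w+)\s+(\S.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(.+?): \[([^\]]+)\] (.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
WIN_TEMP = "c:\\windows\\temp\\"
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def parse_storage(gmer_text):
    """Group the Storage values by slot number and rebuild each dropped file's
    full path together with the autostart value name that loads it."""
    slots = {}
    for line in gmer_text.splitlines():
        m = STORAGE_RE.search(line)
        if m:
            idx, name, data = m.groups()
            slots.setdefault(int(idx), {})[name] = data.strip()
    inventory = []
    for idx in sorted(slots):
        s = slots[idx]
        if not all(k in s for k in ("file_path", "file_name", "file_expand")):
            continue  # incomplete slot: no path we could act on safely
        inventory.append({"slot": idx, "run_name": s.get("run_name"),
                          "entry_point": s.get("run_function"),
                          "path": s["file_path"] + s["file_name"] + "." + s["file_expand"]})
    return inventory


def flag_autostarts(hjt_text, inventory):
    """Return the O4 entries that deserve a second look, with the reasons why."""
    known = {e["run_name"]: e["slot"] for e in inventory if e["run_name"]}
    findings = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        hive, key, value_name, command = m.groups()
        reasons = []
        if value_name in known:
            reasons.append(f"value name matches GMER Storage slot {known[value_name]}")
        r = RUNDLL_RE.search(command)
        if r:  # rundll32 is legitimate; what it is asked to load is the tell
            module = r.group(1) or r.group(2)
            ext = ntpath.splitext(module)[1].lower()
            if module.lower().startswith(WIN_TEMP):
                reasons.append("rundll32 loads a module from the Windows TEMP folder")
            if ext != ".dll":
                reasons.append(f"rundll32 loads a module with a non-DLL extension ({ext})")
        if key.lower().startswith("policies\\"):
            reasons.append("set under the Policies\\Explorer\\Run key, which few users touch")
        if reasons:
            findings.append({"name": value_name, "hive": hive, "key": key,
                             "command": command, "reasons": reasons})
    return findings


def avenger_script(inventory, findings):
    """Render the removal list in the layout of the Avenger step in this thread:
    the dropped files, then the Run values that load them. HijackThis shortens
    Software\\Microsoft\\Windows\\CurrentVersion to '..' (assumed expansion)."""
    drop = {e["run_name"] for e in inventory}
    lines = ["Files to delete:"] + [e["path"] for e in inventory]
    lines.append("Registry values to delete:")
    for f in findings:
        if f["name"] in drop:
            hive = HIVES.get(f["hive"], f["hive"])
            lines.append(f"{hive}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{f['key']} | {f['name']}")
    return "\n".join(lines)


if __name__ == "__main__":
    inv = parse_storage(GMER_LINES)
    hits = flag_autostarts(HJT_LINES, inv)
    for h in hits:
        print(f"[{h['name']}] {h['command']}\n    " + "\n    ".join(h["reasons"]))
    print(avenger_script(inv, hits))
```

Running it prints the two flagged O4 entries with their reasons and then the generated file and registry-value lists, which are meant to be read against the original logs before anything is acted on; the Storage key itself and the "null" character problem Jintan describes are outside what this parser can see, which is why the script does not emit a "Registry keys to delete" section.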
----------



## GTROCKER (Aug 21, 2007)

Hello Jintan...here is the first result:

Error:Key:software\classes\clsid\<1626500a-805e-23d6-16b7-f057631963e4\>DOES NOT EXIST!

I ran Avenger with the text you provided, but when I restarted all I got was repeated error message which said: "Error loading c:\windows\temp\cdfbrbnnb.sys 
The specified module could not be found" Also, since the restart, I cannot access Firefox (Internet Explorer does work though), I cannot run ComboFix or HijackThis. When I click on any of those, I also get the error message above. Please advise. Thank you.


----------



## Jintan (Oct 4, 2007)

ComboFix and HijackThis are name functions things called AV Killers target, but the Firefox issue doesn't tie in to that. They would have in common some function that the malware was loading from, which would make sense of the error you are seeing there. And the IE executable would not run if this were an issue with .exe files alone. A bit of thinking out loud here if you don't mind. I very much would like to get some files already quarantined by past work done, so they can be used to determine some source issues your system is experiencing. I will take the current situation into review for the moment, but see if you can do the following for now as well.

Just go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select the following files/folders on your computer.

C:\QooBox\Quarantine\C <-- that entire C folder
C:\Avenger\backup(day/date/time).zip <-- the date/times of the two most recent Avenger steps you did

You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.

If possible zip a copy of that C folder to reduce its size and "safe" it, but if you are unable to, that is okay.


----------



## GTROCKER (Aug 21, 2007)

now I'm getting more error messages: 

"Error loadingC:\WINDOWS\system32\iasdkreps
The specified module could not be found"

"A runtime error has occurred
Do you wish to debug?
line 4549
Error: cell Node.parent node is null or not an object"

The computer is suddenly running very slow and I cannot run any antivirus/ spyware programs....help!
Thank you.


----------



## Jintan (Oct 4, 2007)

Was an Avenger log created - it would be C:\avenger.txt.

I see we are cross posting each other. Better to not experiment with running other softwares, especially security softwares. I am reviewing the procedures that occurred for now, since quick action is not a good idea.

Another item that would provide excellent data on the situation is what is called a "dumprep". Navigate to the following folder:

c:\windows\*minidump*

And if one is there, locate in it any recent minidump(date-somenumber).dmp files created, where "date-somenumber" matches dates of any recent crashes there. If they exist, either upload them to the site I just posted, or again just zip copies, and send it to [email protected] as an attachment. Please place "Submitted Files - GTRocker" as the email Subject.


----------



## Jintan (Oct 4, 2007)

Although I would like you to complete those tasks I just requested of you, I would also like you to try and run Gmer at this time. If it does run, please run the same steps as previously for scanning and creating a log file to post.


----------



## Jintan (Oct 4, 2007)

I have some updated steps to run to see about removing the registry entry that is effecting these errors on your system, but will need you to post back an update on things as you were working through your own procedures there when you last posted.


----------



## GTROCKER (Aug 21, 2007)

Think I found the Avenger logfile you requested. Shall I go ahead and follow your instructions starting from your post #30?

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\wuaffrjrr.drv" deleted successfully.
File "C:\WINDOWS\system32\iasdkreps.sys" deleted successfully.
File "C:\WINDOWS\TEMP\mscbrrrrj.dll" deleted successfully.
File "C:\WINDOWS\TEMP\urlbjjnff.nls" deleted successfully.
File "C:\WINDOWS\TEMP\cdfbrbnnb.sys" deleted successfully.
Folder "C:\WINDOWS\TEMP" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|jrbjnnnf" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run|bbrjpljj" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.


----------



## Jintan (Oct 4, 2007)

Any of the uploads I have requested would be beneficial to getting a handle on this type of malware technique, though with the review from others there are some solid procedures for us to do now. So you get a chance pass along those files if you would.

You will want to copy or have other access to a copy of the following as you will be doing it while in Safe Mode.

Reboot into *Safe Mode* (at startup tap the F8 key about once a second, and select Safe Mode from the list). Not Safe Mode with Networking though - we don't want that access while doing these repairs.

Go to Start - Run, type *cmd* (and OK). At the prompt type as accurately as possible the following entries, Enter after each:


```
swreg null delete HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage

swreg delete HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}
```
Again take note of the results. If they indicate the registry entries were successfully removed, while still in Safe Mode go ahead and click and run ComboFix.exe, saving that log to post back here. If it does not bring on a reboot, reboot the system yourself, then post that log and any updated info you have.

If there was no success with those "swreg delete" procedures just stop, and post back that info so we can assess the next steps please.


----------



## GTROCKER (Aug 21, 2007)

I tried but Gmer will not run. I did upload the Zipped C:\QooBox\Quarantine\C <-- that entire C folder (hope you get it) but I'm having a problem uploading the C:\Avenger\backup(day/date/time).zip. It says "Error loading C:\WINDOWS\TEMP\cdfbrbnnb.sys.....the specified module could not be found"


----------



## Jintan (Oct 4, 2007)

I retrieved the uploaded file, thanks. No need to run Gmer or other scans now. If you would just follow the Safe Mode steps I last posted.


----------



## GTROCKER (Aug 21, 2007)

I rebooted in Safe Mode, went to Start - Run, typed in cmd, hit OK and got the previous error message: Error loading C:\WINDOWS\TEMP\cdfbrbnnb.sys. The specified module could not be found.


----------



## Jintan (Oct 4, 2007)

That malware function is monitoring the use of executables. See if you can bypass the Win32 part of that. Instead of *cmd*, at the prompt type either of the following:

*command*

*command.com*

These will open the 16-bit DOS command console emulator, though admittedly it still relies on cmd.exe to run. You can try that now, in normal mode, but if successful, stop, type *exit* to close that window, and do the actual other part of the steps in Safe Mode. Always be sure to type exit when using command/command.com to close the window (console).

Another method would be to make changes before Windows actually loads, but would require a boot CD. Do you have a copy of the XP CD if needed, or can borrow one?


----------



## GTROCKER (Aug 21, 2007)

Both Command and Command.com worked. I'm going to run it again in safe mode, complete the rest of the steps and post the results. Yes, I do have an XP CD.


----------



## GTROCKER (Aug 21, 2007)

No success with the "swreg delete" procedures. Got >> Error: "Key..........does not exist" for each entry I typed in. Also noticed: "Error loading C:\windows\temp\urlbjjnff.nls. The specified module could not be found."


----------



## Jintan (Oct 4, 2007)

Good effort on your part there, as I have gone through some of the same trials and checks you are doing now. But it'll resolve out shortly. Let's see if we can just locate the unseen malware services and take them out of the equation before the system loads.


```
listsvc
dir c:\windows\system32\drivers
```
Open Notepad (Start - Run, type *notepad* and press Enter).

Copy/paste the above text into the open text box, then save this to your C:\Windows folder as *"servcheck.bat"*

It should then be C:\Windows\servcheck.bat (important). Be sure to use the double quotes "" in the file name.

Then load the XP CD into the CD-ROM drive and restart the system. On reboot watch for and agree to any prompts to boot from the CD. If the system only reboots to Windows stop and post back here and we will discuss steps to make changes in the BIOS.

After the installation software inspects the system and loads all necessary device drivers you will see the "Welcome To Setup" screen, with the following menu:



> This portion of the Setup program prepares Microsoft Windows XP to run on your computer:
> 
> To setup Windows XP now, press ENTER.
> 
> ...


Press "R" to start the Recovery Console setup. After you start the Windows Recovery Console, you receive the following message:



> Microsoft Windows(R) Recovery Console
> 
> The Recovery Console provides system repair and recovery functionality.
> Type EXIT to quit the Recovery Console and restart the computer.
> ...


After you enter the number for the appropriate Windows installation (usually #1), Windows will then prompt you to enter the Administrator account password if one was created.

At the prompt type the following, pressing Enter after each:

*batch servcheck.bat c:\windows\servicelook.txt*

*exit*

When you hit Enter after typing exit your computer will reboot. Do Not press any key until the system has completely rebooted, then after the reboot be sure to remove your XP CD from the CD-ROM drive.

Then locate and post back here the contents of c:\windows\servicelook.txt please.


----------



## GTROCKER (Aug 21, 2007)

The CD I have says "Operating System....XP Reinstallation CD". Is that the right one? Just want to make sure before I proceed.


----------



## Jintan (Oct 4, 2007)

Good you checked, and unfortunately no, that will not be what you need. Always good to have, if you want to bring the system back to the original install setup.

If you can't borrow the actual XP CD from someone, if you have another PC available that has a CD rewriter then you could create a disk with the Recovery Console on it. You will need an ISO burning program installed first on the working PC, so if you do not have one then InfraRecorder will work fine for this.

http://infrarecorder.sourceforge.net/?page_id=5

But either way you can download a Recovery Console ISO from here

http://www.thecomputerparamedic.com/files/rc.iso

To burn a disk using the InfraRecorder program just install it, insert a blank disk then open the program, click Actions on the Top bar then click Burn Image, locate the rc.iso then double click it and follow the onscreen prompts. If you can get this onto disk then you can do the steps I posted earlier. (I should add that I "borrowed" some of those steps from Andy Manchesta, in case they look familiar).


----------



## GTROCKER (Aug 21, 2007)

I found a CD that says "Dell Dimension ResourceCD", Contents: Device Drivers, Diagnostics and Utilities, Computer Documentation. "You must boot your computer from this CD to run the diagnostics, which may require changing your computer's boot sequence" Is this the right CD?


----------



## Jintan (Oct 4, 2007)

No, those are all your support software CD's in case reinstallation of any of the original software is needed. Perhaps the obvious is being overlooked here though. Try renaming ComboFix.exe to *larry.com* (okay any file name change warnings).

Then click on larry.com to run the Combofix scan.


----------



## GTROCKER (Aug 21, 2007)

I renamed ComboFix to "larry.com" (on the desktop) but it still did not run. Is it possible that it would run if I downloaded ComboFix again?


----------



## Jintan (Oct 4, 2007)

Renaming during the downloading is one method that bypasses some malware monitoring tricks, but not sure it will prove helpful there. Though you can try that. Until the method of monitoring activities is identified I am stuck with a bit of guessing on the correct approach for getting some diagnostic results returned here.

Run a new Silent Runners scan (click the Silent Runners.vbs file) and post those results please.

---------------------------------------

Then again reboot into Safe Mode, and again navigate to the C:\SDFix folder and double click *RunThis.bat* to start the script.

Next type *Y* to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

When the desktop loads the Fixtool will complete the removal and display *Finished*, then press any key to end the script and load your desktop icons.

Then open the C:\SDFix folder and copy and paste the contents of the results file *Report.txt* back here as well please.

-----------------------------------

And last, if this is solely a name recognition AVKiller issue, download System Repair Engineer. Use either of the Local Download buttons to download sreng2.zip

1. Extract it to its own folder on your Desktop, then double click SREng.exe to run it.
2. Select 'Smart Scan' & tick "Verify Digital Signatures"
3. Click on the [Scan] button
4. When finished, click on the [Save Reports] button & save the log to Desktop.

Please post that log back here for review - it will be large, so use extra posts as needed.


----------



## GTROCKER (Aug 21, 2007)

Here is the Silent Runners log. I'm following the rest of your instructions now.

"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"onadoj" = "rundll32.exe "C:\WINDOWS\system32\mmcrmtsbq.nls" WLEntryPoint" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"PrinTray" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" ["Lexmark"]
"tjrjnnfn" = "rundll32.exe "C:\WINDOWS\TEMP\mscbmlcje.dll" WLEntryPoint" [MS]
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"" ["Kaspersky Lab"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"Pure Networks Port Magic" = ""C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run" ["Pure Networks, Inc."]
"lxczbmgr.exe" = ""C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"" ["Lexmark International, Inc."]
"jdgf894jrghoiiskd" = "C:\WINDOWS\TEMP\winlogan.exe" [file not found]
"HostManager" = "C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe" ["AOL LLC"]
"AOLDialer" = ""C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"" ["AOL LLC"]
"AOLAspSunset" = ""C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe"" [file not found]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
"FaxCenterServer" = ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s" [empty string]
"BCMSMMSG" = "BCMSMMSG.exe" ["Broadcom Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{C5AF49A2-94F3-42BD-F434-2604812C897D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "C:\WINDOWS\system32\jfiehayd.dll"
\InProcServer32\(Default) = "C:\WINDOWS\system32\jfiehayd.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{6EE51AA0-77A0-11D7-B4E1-000347126E46}" = "Window Washer Shredding Utility"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{7CDDBD23-1B50-47b2-B28D-1B84D9A40ED1}" = "Sony Digital Voice File Shell Extention Module"
-> {HKLM...CLSID} = "Sony Digital Voice File Shell Extention Module"
\InProcServer32\(Default) = "IcdShlex.dll" ["Sony Corporation"]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus statistics"
-> {HKLM...CLSID} = "Web Anti-Virus statistics"
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{C5AF49A2-94F3-42BD-F434-2604812C897D}" = "jhsf8d984jief8dsfus98jkefn"
-> {HKLM...CLSID} = "C:\WINDOWS\system32\jfiehayd.dll"
\InProcServer32\(Default) = "C:\WINDOWS\system32\jfiehayd.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
"altvxvm" = "{5672A077-15AE-48C0-A4EC-58D4D6D2DFF1}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\altvxvm.dll" [file not found]
"CDWin" = "{39e884ff-1588-4bf2-a2f6-796d87d05f72}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\Installer\{39e884ff-1588-4bf2-a2f6-796d87d05f72}\CDWin.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Command Processor\
<<!>> "AutoRun" = "rundll32.exe "C:\WINDOWS\TEMP\mcipgb.nls" WLEntryPoint" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Aedebug\
<<!>> "Debugger" = ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\vs7jit.exe" -p %ld -e %ld" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Taskman" = "rundll32.exe "C:\WINDOWS\system32\iasdkreps.sys" WLEntryPoint" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]|"stera" [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]
<<!>> tsnqpoj\DLLName = "tsnqpoj.dll" [MS]
<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]
Washer\(Default) = "{6EE51AA0-77A0-11D7-B4E1-000347126E46}"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
Washer\(Default) = "{6EE51AA0-77A0-11D7-B4E1-000347126E46}"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

Default executables:
--------------------

HKLM\SOFTWARE\Classes\.exe\(Default) = "exefile"
<<!>> HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) = "rundll32.exe "C:\WINDOWS\TEMP\modealgji.sys" WLEntry %1 %*" [MS]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"ClassicShell" = (REG_DWORD) dword:0x00000000
{Enable Classic Shell / Turn on Classic Shell}

"NoFolderOptions" = (REG_DWORD) dword:0x00000001
{Removes the Folder Options menu item from the Tools menu}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableTaskMgr" = (REG_DWORD) dword:0x00000000
{Remove Task Manager}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000001
{Prevent access to registry editing tools}

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

"NoSplash" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\

"Disable Config" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
"{DE9C389F-3316-41A7-809B-AA305ED9D922}" = "AOL Toolbar"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Web Anti-Virus statistics"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]

{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Web Anti-Virus statistics"

{3369AF0D-62E9-4BDA-8103-B4C75499B578}\
"ButtonText" = "AOL Toolbar"
"CLSIDExtension" = "{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EA756889-2338-43DB-8F07-D1CA6FB9C90D}" = (no title provided)
-> {HKLM...CLSID} = "AOLTBSearch Class"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe" ["Lavasoft AB"]
AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["AOL LLC"]
Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
Bonjour Service, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
lxcz_device, lxcz_device, "C:\WINDOWS\system32\lxczcoms.exe -service" [" "]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Webroot Spy Sweeper Engine, WebrootSpySweeperService, "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" ["Webroot Software, Inc."]
Window Washer Engine, wwEngineSvc, "C:\Program Files\Webroot\Washer\WasherSvc.exe" ["Webroot Software, Inc."]

Keyboard Driver Filters:
------------------------

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "SSKBFD" ["Webroot Software Inc (www.webroot.com)"]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
1200 Series Port\Driver = "lxczlmpm.dll" [" "]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [empty string]

---------- (launch time: 2008-03-20 12:08:23)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 186 seconds, including 24 seconds for message boxes)


----------
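As an added example (not code from this thread, nor from Silent Runners, SDFix or ComboFix), the script below applies the reasoning Jintan used on this log to any Silent Runners-style output. It flags an exefile\shell\open\command that is not the Windows default "%1" %* (the hook that made cmd.exe and ComboFix.exe fail while command.com and a .com rename got through), a non-empty Command Processor AutoRun, a Winlogon Taskman value, rundll32.exe loading a module from TEMP or with a non-.dll extension, and launch points marked [file not found]. The rule names, the Finding class and the sample text are this example's own; the sample is constructed from lines quoted in the log above.

```python
r"""Triage Silent Runners-style startup output for hijacked launch points.

Added example for this thread; not part of Silent Runners or any tool used here.
Rules (names are this example's own):
  exefile_hijack     Classes\exefile\shell\open\command must be  "%1" %*
  cmd_autorun        Command Processor\AutoRun runs on every cmd.exe start
  taskman            Winlogon\Taskman replaces Task Manager
  rundll32_disguise  rundll32 loading a module from TEMP or with a non-.dll extension
  dangling           launch point whose target is "[file not found]"
"""
import re
from dataclasses import dataclass

# Constructed sample: lines quoted from the Silent Runners log posted above.
SAMPLE_LOG = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"onadoj" = "rundll32.exe "C:\WINDOWS\system32\mmcrmtsbq.nls" WLEntryPoint" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"tjrjnnfn" = "rundll32.exe "C:\WINDOWS\TEMP\mscbmlcje.dll" WLEntryPoint" [MS]
"jdgf894jrghoiiskd" = "C:\WINDOWS\TEMP\winlogan.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Command Processor\
<<!>> "AutoRun" = "rundll32.exe "C:\WINDOWS\TEMP\mcipgb.nls" WLEntryPoint" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Taskman" = "rundll32.exe "C:\WINDOWS\system32\iasdkreps.sys" WLEntryPoint" [MS]

HKLM\SOFTWARE\Classes\.exe\(Default) = "exefile"
<<!>> HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) = "rundll32.exe "C:\WINDOWS\TEMP\modealgji.sys" WLEntry %1 %*" [MS]
"""

# Constructed clean line: the Windows XP default, which must produce no finding.
CLEAN_EXEFILE_LINE = r'HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) = ""%1" %*" [empty string]'

KEY_PREFIXES = ("HKLM\\", "HKCU\\", "HKU\\")
# name = "data" [annotation]; name is a quoted value name or a full key path ending in (Default)
VALUE_RE = re.compile(r'^(?:<<!>>\s*)?(.+?)\s=\s"(.*)"(?:\s\[(.*)\])?$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass
class Finding:
    where: str   # registry key\value name
    rule: str
    detail: str


def _rundll32_target(data):
    m = RUNDLL_RE.search(data)
    return (m.group(1) or m.group(2)) if m else None


def triage(log_text):
    """Return one Finding per rule hit, walking the report line by line."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(KEY_PREFIXES) and " = " not in line:
            current_key = line.split(" {++}")[0].rstrip("\\")   # section header
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data, note = m.group(1).strip('"'), m.group(2), m.group(3) or ""
        key = current_key
        if name.startswith(KEY_PREFIXES):
            key, name = name.rsplit("\\", 1)   # full key given on the value line
        where = key + "\\" + name
        lkey, lname = key.lower(), name.lower()

        if lkey.endswith(r"classes\exefile\shell\open\command") and data != '"%1" %*':
            findings.append(Finding(where, "exefile_hijack", data))
        if lkey.endswith(r"microsoft\command processor") and lname == "autorun" and data:
            findings.append(Finding(where, "cmd_autorun", data))
        if lkey.endswith(r"currentversion\winlogon") and lname == "taskman":
            findings.append(Finding(where, "taskman", data))
        target = _rundll32_target(data)
        if target:
            ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
            if "\\temp\\" in target.lower() or ext != "dll":
                findings.append(Finding(where, "rundll32_disguise", target))
        if note.lower() == "file not found":
            findings.append(Finding(where, "dangling", data))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.where} -> {f.detail}")
```

Run against a full Silent Runners log the script lists every hijacked launch point, which is the set of keys a fix script (Avenger, swreg, SDFix) has to clear together; clearing only some of them lets the survivors re-create the rest on the next logon, which is the pattern this thread kept running into.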



## Jintan (Oct 4, 2007)

I just received some sound ideas on using swreg to go after the null embedded key issue there, which remains at the heart of these recreating malware problems. Let me know where you are at in the steps, then stop at that point and we will discuss the new approach.


----------



## GTROCKER (Aug 21, 2007)

I ran Silent Runners and it worked. I have access to all my programs again....thank you! Do I still need to download System Engine Repair?

*SDFix: Version 1.159 *

Run by Owner on Sat 03/29/2008 at 12:46 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

*Checking Services *:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

*Checking Files *:

No Trojan Files Found


----------



## GTROCKER (Aug 21, 2007)

Not sure if this was part of that last log......

Removing Temp Files

*ADS Check *:

*Final Check *:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 12:58:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

*Remaining Services *:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\WINDOWS\\system32\\lxczcoms.exe"="C:\\WINDOWS\\system32\\lxczcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

*Remaining Files *:

File Backups: - C:\SDFix\backups\backups.zip

*Files with Hidden Attributes *:

Fri 7 May 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Fri 7 May 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Fri 7 May 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Mon 9 Oct 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 16 Nov 2006 22,016 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0004.tmp"
Fri 8 Dec 2006 22,016 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0072.tmp"
Sun 11 Feb 2007 33,280 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0117.tmp"
Wed 22 Feb 2006 19,968 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0222.tmp"
Sat 10 Feb 2007 19,968 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0486.tmp"
Fri 8 Dec 2006 21,504 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0705.tmp"
Sat 23 Apr 2005 21,504 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0718.tmp"
Sat 10 Feb 2007 33,280 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0803.tmp"
Tue 27 Feb 2007 20,992 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0962.tmp"
Tue 1 May 2007 22,528 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL1104.tmp"
Thu 27 Apr 2006 199,680 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL1299.tmp"
Fri 5 Jan 2007 22,016 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL1403.tmp"
Wed 19 Jul 2006 23,040 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2162.tmp"
Tue 27 Feb 2007 21,504 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2390.tmp"
Wed 19 Jul 2006 21,504 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2482.tmp"
Tue 27 Feb 2007 22,528 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2517.tmp"
Wed 19 Jul 2006 26,624 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3483.tmp"
Wed 22 Feb 2006 24,064 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3549.tmp"
Mon 4 Dec 2006 20,480 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3743.tmp"
Thu 4 May 2006 265,216 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3862.tmp"
Thu 30 Nov 2006 28,160 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3874.tmp"
Wed 19 Jul 2006 22,528 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3976.tmp"
Mon 8 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 9 Jul 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\19525589545ebdc47d68693afa9f982d\BIT122.tmp"
Thu 27 Apr 2006 29,696 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2279.tmp"
Sat 29 Apr 2006 28,160 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3736.tmp"
Mon 9 Oct 2006 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Sun 5 Aug 2007 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 18 Jul 2007 400 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"
Sun 5 Aug 2007 1,536 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2lic.bak"
Tue 8 Feb 2005 49,386 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\VisualStudio\7.1\vs000223.tmp"

*Finished!*


----------



## Jintan (Oct 4, 2007)

I am glad to read you have improvements there. Just need to have a clear idea of the changes just made. Improvements came after running Silent Runners, or after the SDFix scan? Post back on that, but also, while we are discussing change, do this step to undo other changes made to some accesses there.

Open Notepad (Start, Run, type *notepad* and select Enter) and copy/paste the following text.


```
[Version]
Signature="$CHICAGO$"

[DefaultInstall]
DelReg=Del.Settings

[Del.Settings]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoFolderOptions"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableRegistryTools" 
HKLM,"SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions","NoSplash"
HKLM,"SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore","Disable Config"
```
Save this as *"correct2.inf"*

Make sure you save it including the "quotes". Exit Notepad, then right-click on correct2.inf and select Install.


----------



## GTROCKER (Aug 21, 2007)

The improvements came after the SDFix scan. It seems all my programs run now except that I cannot access the internet using Internet Explorer or Firefox (access with AOL works fine). I completed the "correct2.inf" install as directed. Computer seems to be running much better, no error messages.


----------



## Jintan (Oct 4, 2007)

SDFix includes some resetting of registry defaults which may have aided the situation, but we'll need to get more details back to see where you stand now, including addressing the access issues you mention.

The idea that some null embedded registry entries were involved is still something to address first. You can go ahead and do this in normal mode, and we will check results after.

Again open a command console window using Start - Run - *command*, and at the prompt type the following, being sure to note the intended spaces near the ends of each line. Fairly detailed for typing, so you can do copy/paste as well, being sure to press Enter after each entry.


```
cd\

swreg acl HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage /oa

swreg null delete HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage* /n *

swreg delete HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4} > C:\Confirm.txt

exit
```
For now, though more scan logs would be great, post back the contents of the C:\Confirm.txt log please.
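The "null embedded" registry entries being hunted here defeat ordinary tools because of a mismatch between two string conventions: the native registry API passes key names as counted Unicode strings, so a name may contain U+0000, while Win32 callers (RegOpenKeyEx, regedit, reg.exe) pass NUL-terminated strings, so the same name is cut at the first NUL and the open targets a name that does not exist. The Python below is an added illustration of that mismatch; it is not code from this thread or from swreg, and the subkey names in `NATIVE_SUBKEYS` (including `Storage\x00hidden`) are constructed.

```python
"""Model of why a registry key name with an embedded NUL defeats Win32 tools.

Added example for this thread; not code from the thread or from swreg.
The native registry API passes key names as counted Unicode strings, so a
name may contain U+0000. Win32 callers (RegOpenKeyEx, regedit, reg.exe) pass
NUL-terminated strings, so the same name is cut at the first NUL and the open
targets a name that does not exist. The subkey names below are constructed.
"""
import fnmatch

# Constructed: what a counted-string (native) enumeration of a CLSID key might
# return. "Storage\x00hidden" stands in for the "Storage*" entries discussed above.
NATIVE_SUBKEYS = [
    "InprocServer32",
    "Storage\x00hidden",
    "TypeLib",
]


def win32_view(name: str) -> str:
    """The name as a NUL-terminated API sees it: text after the first NUL is dropped."""
    cut = name.find("\x00")
    return name if cut < 0 else name[:cut]


def find_null_embedded(names):
    """(native name, truncated name) for every entry a NUL-terminated API would mangle."""
    return [(n, win32_view(n)) for n in names if "\x00" in n]


def can_open_by_win32(names, typed):
    """A Win32-style open succeeds only if some key is named exactly what was typed.
    Typing 'Storage' finds nothing when the real name is 'Storage\\0hidden',
    which is the 'does not exist' outcome a normal tool reports."""
    return any(n == win32_view(typed) for n in names)


def match_pattern(names, pattern):
    """swreg-style wildcard selection (e.g. 'Storage*') applied to the truncated
    view, because that visible prefix is the only part an operator can type."""
    return [n for n in names if fnmatch.fnmatchcase(win32_view(n), pattern)]


def stored_bytes(name: str) -> str:
    """Hex of the UTF-16LE code units the registry stores, so the NUL unit is visible."""
    return name.encode("utf-16-le").hex(" ", 2)


if __name__ == "__main__":
    for native, seen in find_null_embedded(NATIVE_SUBKEYS):
        print(f"native name {stored_bytes(native)} is seen by Win32 as {seen!r}")
    print("Storage* selects:", [repr(n) for n in match_pattern(NATIVE_SUBKEYS, "Storage*")])
```

Run as a script it prints the stored UTF-16LE bytes of the odd name next to the truncated text a normal tool would show, which is why a wildcard on the visible prefix, rather than an exact name, is what selects such an entry.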


----------



## GTROCKER (Aug 21, 2007)

After restarting the computer, Internet Explorer and Firefox are running fine now. I'm following your last instructions and will post back when completed.


----------



## GTROCKER (Aug 21, 2007)

The following is all that was found in the confirm.txt file:
Error: Key: software\classes\clsid\{1626500a-805e-23d6-16b7-f057631963e4} does not exist!

While using Command...after the first code entry, I did see this in the Command console window which may be helpful to you:

Owner change for "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\{16246500A-805E 23D6-16B7-F057631963EE4}\Storage" to administrators group was successful


----------



## Jintan (Oct 4, 2007)

That info does help, and shows Admin users there now have full permissions for that key. Let's double check on that if you would. Reboot into Safe Mode again, and copy/paste or type each of the following, again Enter after each:


```
cd\

swreg null delete HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage* /n *

swreg delete HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4} > C:\Confirm.txt

exit
```
This is just to verify an Admin user is completing the steps, regardless of what the status of the user account you have been using is. Post back your valuable observations as well as the log contents please.


----------



## GTROCKER (Aug 21, 2007)

On your last post, is cd\ part of the first entry? Just want to be sure I'm entering the code correctly.


----------



## Jintan (Oct 4, 2007)

Yes, just like the last time you did it, if you check. That means "*c*hange *d*irectory", and there it will make sure the current directory (folder) to start from is your C drive. It is a shortcut for what would normally be typed as *CD C:\* if you were changing to a drive other than your "root" drive (which here is C). I was lazy and did not use capital letters, but it will work just using *cd\* there.


----------



## GTROCKER (Aug 21, 2007)

This is the result found at Confirm.txt: Error: Key: software\classes\clsid\{1626500a-805e-23d6-16b7-f057631963e4} does not exist!


----------



## Jintan (Oct 4, 2007)

That suggests either the key truly no longer remains, or we are not quite accurate on what subkey of that would include the null embedded entries (the "Storage*" part). If you have no issues with it now go ahead and run a new ComboFix scan, and post that log please, and I will also review the null key results with others at this time.


----------



## GTROCKER (Aug 21, 2007)

Everything seems to be running pretty smoothly, although Kaspersky seems to be slowing things down. I'm still seeing an error message during startup that says "error loading c:\WINDOWS\system 32\jasdkreps.sys. The specified module could not be found"
Here's a new ComboFix log for your review:

ComboFix 08-03-20.5 - Owner 2008-03-31 19:02:18.8 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\larry.com.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-26 09:13 . 2008-03-26 20:55	345	--a------	C:\WINDOWS\gmer.ini
2008-03-25 00:37 . 2008-03-27 21:36	13,956	--a------	C:\backup.reg
2008-03-25 00:36 . 2008-03-27 21:36	135,168	--a------	C:\zip.exe
2008-03-25 00:36 . 2008-03-27 21:36	19,286	--a------	C:\cleanup.exe
2008-03-25 00:36 . 2008-03-27 21:36	574	--a------	C:\cleanup.bat
2008-03-24 23:59 . 2008-03-25 00:03 d--------	C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-23 18:35 . 2008-03-23 18:42	2,319	--a------	C:\WINDOWS\unins000.dat
2008-03-20 18:14 . 2008-03-20 18:14 d--------	C:\WINDOWS\ERUNT
2008-03-20 18:03 . 2008-03-29 13:06 d--------	C:\SDFix
2008-03-20 09:50 . 2008-03-20 09:50 d--------	C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-19 00:40 . 2008-03-19 00:40 d--------	C:\Program Files\Security Task Manager
2008-03-19 00:40 . 2008-03-19 00:45 d--------	C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-18 23:25 . 2008-03-18 23:26 d--------	C:\Documents and Settings\Owner\Application Data\MSN6
2008-03-18 23:25 . 2008-03-18 23:25 d--------	C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-18 18:04 . 2008-03-18 18:05 d--------	C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-17 23:20 . 2008-03-17 23:20 d--------	C:\WINDOWS\system32\SuperAdBlocker.com
2008-03-17 15:32 . 2008-03-17 15:32 d--------	C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-17 15:31 . 2008-03-17 15:31 d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-03-17 15:31 . 2008-03-17 15:31 d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-17 15:30 . 2008-03-17 15:30 d--------	C:\Program Files\Common Files\Download Manager
2008-03-17 15:06 . 2007-12-04 09:51	42,912	--a------	C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-17 15:06 . 2007-12-04 09:49	26,624	--a------	C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-17 15:06 . 2007-12-04 09:53	23,152	--a------	C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-17 15:05 . 2007-12-04 07:54	95,608	--a------	C:\WINDOWS\system32\AvastSS.scr
2008-03-17 15:03 . 2007-12-04 09:55	94,544	--a------	C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-17 15:03 . 2007-12-04 09:56	93,264	--a------	C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-17 15:01 . 2007-12-04 08:04	837,496	--a------	C:\WINDOWS\system32\aswBoot.exe
2008-03-17 15:01 . 2004-01-09 04:13	380,928	--a------	C:\WINDOWS\system32\actskin4.ocx
2008-03-17 10:52 . 2008-03-17 11:07	91,700	--a------	C:\WINDOWS\system32\drivers\klin.dat
2008-03-17 10:52 . 2008-03-17 11:07	85,860	--a------	C:\WINDOWS\system32\drivers\klick.dat
2008-03-17 10:51 . 2008-03-17 10:51 d--------	C:\Program Files\Kaspersky Lab
2008-03-17 10:51 . 2008-03-31 15:03 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-17 10:51 . 2008-03-31 19:08	6,691,360	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-17 10:51 . 2008-03-31 19:08	124,704	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-17 10:51 . 2008-03-31 14:40	86,804	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-17 10:51 . 2008-03-31 14:40	12,476	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.idx
2008-03-17 10:42 . 2008-03-17 10:42 d--------	C:\KAV
2008-03-15 23:31 . 2008-03-18 08:32 d--------	C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-15 23:30 . 2008-03-15 23:30 d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-15 23:29 . 2008-03-20 16:23 d--------	C:\Documents and Settings\All Users\Application Data\avg7
2008-03-15 22:32 . 2003-07-16 16:24	4,224	--a------	C:\WINDOWS\system32\drivers\beep.sys
2008-03-15 22:32 . 2003-07-16 16:24	4,224	--a--c---	C:\WINDOWS\system32\dllcache\beep.sys
2008-03-08 16:04 . 2008-03-08 16:04 d--------	C:\Program Files\iPod
2008-03-08 16:03 . 2008-03-08 16:04 d--------	C:\Program Files\iTunes
2008-03-08 16:01 . 2008-03-08 16:01 d--------	C:\Program Files\Bonjour
2008-03-08 16:00 . 2008-03-08 16:01 d--------	C:\Program Files\QuickTime
2008-02-01 00:13 . 2008-02-01 00:13	90,112	--a------	C:\WINDOWS\system32\QuickTimeVR.qtx
2008-02-01 00:13 . 2008-02-01 00:13	57,344	--a------	C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 19:51	---------	d-----w	C:\Program Files\Common Files\AOL
2008-03-25 04:14	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-03-25 04:14	---------	d-----w	C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-21 03:51	---------	d-----w	C:\Program Files\SUPERAntiSpyware
2008-03-20 20:52	---------	d-----w	C:\Program Files\Webroot
2008-03-20 20:43	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Webroot
2008-03-20 20:43	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-18 03:39	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-03-16 16:48	---------	d-----w	C:\Program Files\Enigma Software Group
2008-03-09 16:41	---------	d-----w	C:\Program Files\Sony
2008-03-04 02:26	---------	d-----w	C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-02-20 02:15	---------	d-----w	C:\Program Files\AIM
2007-12-28 18:27	164	----a-w	C:\install.dat
2007-12-07 01:07	659,456	----a-w	C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38	550,912	----a-w	C:\WINDOWS\system32\oleaut32.dll
2006-07-01 18:42	3,796	-c--a-w	C:\Documents and Settings\Owner\Application Data\FNTCACHE.BIN
2006-04-26 04:11	17,144	-c--a-w	C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2001-07-26 23:58	47	-c--a-w	C:\Program Files\ACMonitor_X73.ini
2001-07-05 19:46	8,116	-c--a-w	C:\Program Files\OSLO3071b2.USB
2001-05-11 18:39	53,248	-c--a-w	C:\Program Files\ACMonitor_X73.exe
2001-05-08 23:36	114,688	-c--a-w	C:\Program Files\lxarscan.dll
2001-04-23 21:22	1,437	-c--a-w	C:\Program Files\gtx73.ini
2001-02-22 16:54	768	-c--a-w	C:\Program Files\x73_lut.dat
.

((((((((((((((((((((((((((((( [email protected]_19.17.21.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-20 22:15:10	3,416,064	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-03-29 16:44:43	3,416,064	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-03-20 22:15:10	155,648	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-29 16:44:43	155,648	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-26 13:13:41	819,200	----a-w	C:\WINDOWS\gmer.dll
+ 2008-03-04 00:29:06	761,856	----a-w	C:\WINDOWS\gmer.exe
+ 2008-03-25 04:00:37	632,320	----a-r	C:\WINDOWS\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}\IconCD95F66110.exe
+ 2008-03-25 04:00:37	29,184	----a-r	C:\WINDOWS\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}\IconCD95F6617.exe
- 2008-03-16 03:14:50	32,768	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-27 02:06:22	32,768	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-16 03:14:50	32,768	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-27 02:06:22	32,768	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-16 03:14:50	49,152	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-27 02:06:22	49,152	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-26 13:13:41	86,097	----a-w	C:\WINDOWS\system32\drivers\gmer.sys
- 2007-07-10 16:01:46	111,784	----a-w	C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-03-24 16:40:01	122,136	----a-w	C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-03-31 19:00:15	16,384	----atw	C:\WINDOWS\TEMP\Perflib_Perfdata_640.dat
+ 2004-01-16 08:00:00	76,946	----a-w	C:\WINDOWS\unins000.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 18:08 67160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 15:51 118784]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 15:55 155648]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 03:42 36864]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 20:54 99480]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 18:52 74672]
"HostManager"="C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe" [2007-10-08 17:50 41824]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 18:56 295856]
"BCMSMMSG"="BCMSMMSG.exe" [2002-12-17 15:03 90112 C:\WINDOWS\BCMSMMSG.exe]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2007-01-29 23:02 200768]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 18:08 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLAspSunset]
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 08:00 79224 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
--a------ 2007-01-29 23:02 200768 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2005-01-07 04:04 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-29 16:03 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinReanimator]
C:\Program Files\WinReanimator\WinReanimator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\lxczcoms.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2399:TCP"= 2399:TCPxpsp2res.dll,-22004
"60098:TCP"= 60098:TCPxpsp2res.dll,-22004
"10337:TCP"= 10337:TCPxpsp2res.dll,-22004
"30404:TCP"= 30404:TCPxpsp2res.dll,-22004
"5307:TCP"= 5307:TCPxpsp2res.dll,-22004

R2 lxcz_device;lxcz_device;C:\WINDOWS\system32\lxczcoms.exe [2007-02-08 18:50]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-08-09 13:56]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 17:21:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 19:08:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-31 19:13:44
ComboFix-quarantined-files.txt 2008-03-31 23:13:37
ComboFix2.txt 2008-03-25 13:55:28
ComboFix3.txt 2008-03-24 17:07:45
ComboFix4.txt 2008-03-21 18:50:34
ComboFix5.txt 2008-03-21 04:16:38
.
2008-03-12 03:22:20	--- E O F ---


----------



## Jintan (Oct 4, 2007)

Kaspersky may have become corrupted in all the changes made there. You have some startup from it disabled through msconfig (not a good idea - security software should only be disabled through the software's own options/settings), and it is disabled from monitoring in the registry as well. The priority right now is the malware though. The ComboFix log, and especially its CatchMe scan portion, does not reflect the point initiating that error, which truly tells us the null key remains. Lonely, and missing its more active functions perhaps, but remaining there for us to address yet.

Run Gmer again, then being sure it is set to the Rootkit/Malware tab, right click inside the Gmer inner window itself (the white area). From that dropdown click to select the following (you will need to repeat that to do all three):
*IRP hooks*
*NTAPI registry scan*
*IRP files scan*

Make no other changes at this time, then click "Scan" to start Gmer scanning your system. I have not trialed this method myself yet, but it is my understanding it will take quite a long time, so be prepared to leave that scan running and do other things to allow it time to complete (perhaps overnight was one remark on that).

When it completes again copy the log back here please. If it is too large again you can also send a zipped copy to me as before.
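The settings flagged in this post (an AV startup disabled through msconfig and Security Center monitoring of the AV turned off), together with the firewall profile state in the ComboFix log and the four policy restrictions the correct2.inf earlier in the thread removes, can all be checked mechanically from the same REGEDIT4-style text ComboFix prints. The Python below is an added example and not code from the thread, ComboFix, SDFix or any product named here; it parses a constructed sample written in that style (`SAMPLE_EXPORT`) and reports the weak settings it finds.

```python
"""Audit REGEDIT4-style registry text for settings that weaken a host's defences.

Added example for this thread; not code from ComboFix, SDFix or the thread.
It parses the key/value syntax that .reg exports and ComboFix's "Reg Loading
Points" section share, then flags: the four policy restrictions the
correct2.inf above removes, the Windows Firewall standard profile switched
off, Security Center monitoring of an AV product disabled, and startup items
parked under msconfig's startupreg key. SAMPLE_EXPORT is constructed.
"""
import re

# Constructed sample in the style of a ComboFix "Reg Loading Points" section.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
--a------ 2007-01-29 23:02 200768 C:\Program Files\Kaspersky Lab\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinReanimator]
C:\Program Files\WinReanimator\WinReanimator.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
COMBOFIX_NUM_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")

# (key path suffix, value name): restrictions malware sets and a user should not have.
POLICY_RESTRICTIONS = [
    ("policies\\explorer", "nofolderoptions"),
    ("policies\\system", "disableregistrytools"),
    ("infodelivery\\restrictions", "nosplash"),
    ("windows nt\\systemrestore", "disable config"),
]


def decode_value(text):
    """Turn the right-hand side of a value line into an int or a str."""
    text = text.strip()
    if text.lower().startswith("dword:"):
        return int(text[6:], 16)
    m = COMBOFIX_NUM_RE.match(text)          # ComboFix prints numbers as "0 (0x0)"
    if m:
        return int(m.group(1))
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        return text[1:-1]
    return text


def parse_export(text):
    """Map lower-cased key path -> {"values": {name: value}, "lines": [raw non-value lines]}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper() == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys[current] = {"values": {}, "lines": []}
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            keys[current]["values"][m.group(1).lower()] = decode_value(m.group(2))
        else:
            keys[current]["lines"].append(line)   # msconfig entries are bare path lines
    return keys


def audit(keys):
    """Return one finding string per weak or suspicious setting."""
    findings = []
    for key, data in keys.items():
        vals = data["values"]
        leaf = key.rsplit("\\", 1)[-1]
        for tail, name in POLICY_RESTRICTIONS:
            if key.endswith(tail) and name in vals:
                findings.append(f"policy restriction present: {name} under {key}")
        if key.endswith("firewallpolicy\\standardprofile") and vals.get("enablefirewall") == 0:
            findings.append("windows firewall disabled for the standard profile")
        if "\\security center\\monitoring\\" in key and vals.get("disablemonitoring") == 1:
            findings.append(f"security center monitoring disabled: {leaf}")
        if "\\msconfig\\startupreg\\" in key:
            target = " ".join(data["lines"]) or "(no command recorded)"
            findings.append(f"startup item disabled via msconfig: {leaf} -> {target}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

Matching on key-path suffixes rather than full paths is deliberate: ComboFix abbreviates hives (`HKLM\~\services\...`) while .reg exports spell them out, and the audit should read both. An msconfig-disabled entry is reported whether or not it is malware, since the point of that finding is that the item was parked outside the product's own settings, exactly the concern raised above for the AV.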


----------



## Jintan (Oct 4, 2007)

I received the Gmer log, thanks. Unspectacular, and by my initial assessment only reading normal process functions there. I will pass this to others for review as well as a good second measure. I do see at least two of the system's "hooks" I have overlooked hunting this null key, so let's address what we are seeing then make repairs after as we go. Unfortunately, Ad-Aware chose to install part of its security procedures in an older boot method, where infection also has made changes. I will not want to second guess the corrections that include leaving Ad-Aware's entries intact, so if you would, uninstall Ad-Aware at this time. If you want you can reinstall it after all repairs are completed. Don't reboot from that though until you complete the following changes as well.

Right click Here and select Save Target As (Firefox Save Link As) and save UnHookExec.inf to your Desktop.

Then right-click on UnHookExec.inf and select Install. You may only see a desktop flicker as the changes are made.

Then reboot, and after rebooting (taking note of any issues as you have been) Go here and download reglooks.exe to your Desktop. Doubleclick on it to run it and when it has finished scanning, a log named result.txt will open in Notepad. Copy the log and post it in this thread.

Then run new HijackThis and Silent Runners scans, and post those logs as well please.


----------



## GTROCKER (Aug 21, 2007)

When I restarted, I got the previous error message: "Error loading c:\windows\system32\jasdkreps.sys. The specified module could not be found".
Here are the RegLooks and HijackThis logfiles:

REGLOOKS logfile

version 0.977
Tue 04/01/2008 23:19:19.59
running from: "C:\Documents and Settings\Owner\Desktop"

--- SSODL regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
only standard or legit regkeys found

--- STS regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
only standard or legit regkeys found

--- USERINIT regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

--- SHELL regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe"

--- SYSTEM regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"System"=""

--- APPINIT_DLLS regkey ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
"appinit_dlls"=""

--- NOTIFY regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
"!SASWinLogon" "DllName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"igfxcui" "DLLName"="igfxsrvc.dll"
"klogon" "DllName"="C:\\WINDOWS\\system32\\klogon.dll"

--- BOOTEXECUTE regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute= autocheck autochk *\0stera\0\0

--- SHELLEXECUTEHOOKS regkey ---

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

--- HKLM\Run regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"lxczbmgr.exe"="\"C:\\Program Files\\Lexmark 1200 Series\\lxczbmgr.exe\""
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1131511753\\ee\\AOLSoftware.exe"
"AOLDialer"="\"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe\""
"FaxCenterServer"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
"BCMSMMSG"="BCMSMMSG.exe"
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe\""
[run\optionalcomponents]
[run\optionalcomponents\IMAIL]
"Installed"="1"
[run\optionalcomponents\MAPI]
"Installed"="1"
"NoChange"="1"
[run\optionalcomponents\MSFS]
"Installed"="1"

--- HKLM\RunOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKLM RunOnce keys found

--- HKLM\RunOnceEx regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
no HKLM RunOnceEx keys found

--- HKLM\RunServices regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
no HKLM RunServices keys found

--- HKLM\RunServicesOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
regkey does not exist

--- HKCU\Run regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

--- HKCU\RunOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKCU RunOnce keys found

--- HKCU\RunOnceEx regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
no HKCU RunOnceEx keys found

--- HKCU\RunServices regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
no HKCU RunServices keys found

--- HKCU\RunServicesOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
no HKCU RunServicesOnce keys found

--- HKU\.DEFAULT\Run regkeys - Default user ---

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\.DEFAULT\Run keys found

--- HKU\S-1-5-18\Run regkeys - user SYSTEM ---

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\S-1-5-18\Run keys found

--- HKU\S-1-5-19\Run regkeys - User Lokale service ---

HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\S-1-5-19\Run keys found

--- HKU\S-1-5-20\Run regkeys - User Netwerkservice ---

HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
no HKU\S-1-5-20\Run keys found

--- HKLM\Explorer\Run regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
no HKLM Explorer\Run keys found

--- HKCU\Explorer\Run regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
no HKCU Explorer\Run keys found

--- Image File Execution regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
no debuggers found

--- BROWSER HELPER OBJECTS regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
no bho's found

--- TOOLBAR regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" FILE ="C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\ycomp5_5_7_0.dll"
"{DE9C389F-3316-41A7-809B-AA305ED9D922}" FILE ="C:\\Program Files\\AOL\\AOL Toolbar 2.0\\aoltb.dll"
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" FILE ="c:\\program files\\google\\googletoolbar3.dll"

--- URLSEARCHHOOKS regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
"{EA756889-2338-43DB-8F07-D1CA6FB9C90D}"="" FILE NOT FOUND

--- CONTEXTMENUHANDLERS regkeys ---

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
"avast" CLSID ={472083B0-C522-11CF-8763-00608CC02F24} FILE ="C:\\Program Files\\Alwil Software\\Avast4\\ashShell.dll"
"Kaspersky Anti-Virus" CLSID ={dd230880-495a-11d1-b064-008048ec2fc5} FILE ="C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\ShellEx.dll"
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll 
"Open With" CLSID ={09799AFB-AD67-11d1-ABCD-00C04FC30936} FILE =%SystemRoot%\system32\SHELL32.dll 
"Open With EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll 
"Washer" CLSID ={6EE51AA0-77A0-11D7-B4E1-000347126E46} FILE ="C:\\PROGRA~1\\COMMON~1\\WEBROO~1\\SHELLW~1.DLL"
"WinZip" CLSID ={E0D79304-84BE-11CE-9641-444553540000} FILE ="C:\\Program Files\\WinZip\\wzshlstb.dll"
"{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}" Start Menu Pin FILE =%SystemRoot%\system32\SHELL32.dll 
"{CA8ACAFA-5FBB-467B-B348-90DD488DE003}" SUPERAntiSpyware Context Menu FILE ="C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN.DLL"

HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers
"EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll 
"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll 
"Sharing" CLSID ={f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} FILE ="ntshrui.dll"
"Washer" CLSID ={6EE51AA0-77A0-11D7-B4E1-000347126E46} FILE ="C:\\PROGRA~1\\COMMON~1\\WEBROO~1\\SHELLW~1.DLL"
"WinZip" CLSID ={E0D79304-84BE-11CE-9641-444553540000} FILE ="C:\\Program Files\\WinZip\\wzshlstb.dll"
"{CA8ACAFA-5FBB-467B-B348-90DD488DE003}" SUPERAntiSpyware Context Menu FILE ="C:\\Program Files\\SUPERAntiSpyware\\SASCTXMN.DLL"

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers
"avast" CLSID ={472083B0-C522-11CF-8763-00608CC02F24} FILE ="C:\\Program Files\\Alwil Software\\Avast4\\ashShell.dll"
"Kaspersky Anti-Virus" CLSID ={dd230880-495a-11d1-b064-008048ec2fc5} FILE ="C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\ShellEx.dll"
"MBAMShlExt" CLSID ={57CE581A-0CB6-4266-9CA0-19364C90A0B3} FILE ="C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamext.dll"
"WinZip" CLSID ={E0D79304-84BE-11CE-9641-444553540000} FILE ="C:\\Program Files\\WinZip\\wzshlstb.dll"

--- ALTERNATESHELL regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
"AlternateShell"="cmd.exe"

--- SAFEBOOT MINIMAL SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
no unknown services found

--- SAFEBOOT NETWORK SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
no unknown services found

--- SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aeaudio 
system32\drivers\aeaudio.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AOL ACS 
"DisplayName"="AOL Connectivity Service"
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AOLService 
"DisplayName"="AOL Spyware Protection Service"
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BCMModem 
"DisplayName"="BCM V.92 56K Modem"
System32\DRIVERS\BCMSM.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LXARScan 
"DisplayName"="Lexmark X73 MFP Scanner"
System32\Drivers\Lxarscan.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lxcz_device 
"DisplayName"="lxcz_device"
C:\WINDOWS\system32\lxczcoms.exe -service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETMDUSB 
"DisplayName"="Net MD"
System32\Drivers\NETMDUSB.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OMCI 
"DisplayName"="OMCI"
\SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SABProcEnum 
"DisplayName"="SABProcEnum"
\??\C:\PROGRA~1\MOZILL~1\SABProcEnum.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASDIFSV 
"DisplayName"="SASDIFSV"
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASENUM 
"DisplayName"="SASENUM"
\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASKUTIL 
"DisplayName"="SASKUTIL"
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swwd 
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TSP 
"DisplayName"="TSP"
\??\C:\WINDOWS\system32\drivers\klif.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD 
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wanatw 
"DisplayName"="WAN Miniport (ATW)"
System32\DRIVERS\wanatw4.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WANMiniportService 
"DisplayName"="WAN Miniport (ATW) Service"
"C:\WINDOWS\wanmpsvc.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wwEngineSvc 
"DisplayName"="Window Washer Engine"
C:\Program Files\Webroot\Washer\WasherSvc.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{E834CBA0-9FA1-4CBF-91DD-22BA29891894} 
no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{F77C5FF9-7608-4001-81E5-D18BFBCDA070} 
no imagepath value found

--- SECURITYPROVIDERS regkey ---

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

--- SVCHOST regkey ---

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost
LocalService: Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService: DnsCache\0\0
netsvcs: 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0TermService\0wuauserv\0BITS\0ShellHWDetection\0helpsvc\0xmlprov\0wscsvc\0WmdmPmSN\0\0
rpcss: RpcSs\0\0
imgsvc: StiSvc\0\0
termsvcs: TermService\0\0
HTTPFilter: HTTPFilter\0\0
DcomLaunch: DcomLaunch\0TermService\0\0
WudfServiceGroup: WUDFSvc\0\0

--- WOW-CMDLINE regkeys ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
"cmdline" = %SystemRoot%\system32\ntvdm.exe 
"wowcmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

--- DNS SERVER regkeys ---

no "NameServer" values found

--- STARTUP FOLDERS ---

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

--- TASK SCHEDULER JOBS ---

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

--- File associations ---

.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("%1" %*)
.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.SCR files: ("%1" %*)
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)

FINISHED

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:10 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\aol\1131511753\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\AOL\1131511753\ee\aolsoftware.exe
C:\Program Files\Common Files\AOL\1131511753\ee\anotify.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183763861125
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 7776 bytes


----------



## GTROCKER (Aug 21, 2007)

Here is the Silent Runners log:

"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"PrinTray" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" ["Lexmark"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"Pure Networks Port Magic" = ""C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run" ["Pure Networks, Inc."]
"lxczbmgr.exe" = ""C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"" ["Lexmark International, Inc."]
"HostManager" = "C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe" ["AOL LLC"]
"AOLDialer" = ""C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"" ["AOL LLC"]
"FaxCenterServer" = ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s" [empty string]
"BCMSMMSG" = "BCMSMMSG.exe" ["Broadcom Corporation"]
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"" ["Kaspersky Lab"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{6EE51AA0-77A0-11D7-B4E1-000347126E46}" = "Window Washer Shredding Utility"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{7CDDBD23-1B50-47b2-B28D-1B84D9A40ED1}" = "Sony Digital Voice File Shell Extention Module"
-> {HKLM...CLSID} = "Sony Digital Voice File Shell Extention Module"
\InProcServer32\(Default) = "IcdShlex.dll" ["Sony Corporation"]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus statistics"
-> {HKLM...CLSID} = "Web Anti-Virus statistics"
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Aedebug\
<<!>> "Debugger" = ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\vs7jit.exe" -p %ld -e %ld" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Taskman" = "rundll32.exe "C:\WINDOWS\system32\iasdkreps.sys" WLEntryPoint" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"stera" [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]
Washer\(Default) = "{6EE51AA0-77A0-11D7-B4E1-000347126E46}"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
Washer\(Default) = "{6EE51AA0-77A0-11D7-B4E1-000347126E46}"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]

Default executables:
--------------------

HKLM\SOFTWARE\Classes\.scr\(Default) = "scrfile"
<<!>> HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
"{DE9C389F-3316-41A7-809B-AA305ED9D922}" = "AOL Toolbar"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Web Anti-Virus statistics"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]

{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Web Anti-Virus statistics"

{3369AF0D-62E9-4BDA-8103-B4C75499B578}\
"ButtonText" = "AOL Toolbar"
"CLSIDExtension" = "{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["AOL LLC"]
Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Bonjour Service, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
lxcz_device, lxcz_device, "C:\WINDOWS\system32\lxczcoms.exe -service" [" "]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Window Washer Engine, wwEngineSvc, "C:\Program Files\Webroot\Washer\WasherSvc.exe" ["Webroot Software, Inc."]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
1200 Series Port\Driver = "lxczlmpm.dll" [" "]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [empty string]

---------- (launch time: 2008-04-01 23:26:11)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 85 seconds, including 12 seconds for message boxes)


----------



## Jintan (Oct 4, 2007)

That shows more details we can change now - as we make these corrections you can be sure we are also dismantling the things this malware used/uses.


```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Debugger"="drwtsn32 -p %ld -e %ld -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command]
@="\"%1\" /S"
```
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it morefix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.

-------------------------------

Then click on Avenger.exe again to open that display.

Okay the warning. When the Avenger display opens copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.


```
Files to delete:
C:\WINDOWS\system32\iasdkreps.sys
Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Taskman
```
Your system may reboot twice to complete the repairs. After the reboot a text will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt.

After the reboot run a new Gmer scan again, but for this scan, under the Rootkits/Malware Tab just click the Scan button to start that. Post the results, or again send them if too large.

Then with that run and post back new ComboFix and Silent Runners scan logs please.
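The three values morefix.reg resets (BootExecute, the AeDebug post-mortem debugger, and the .scr open command) are all launch points: whatever is named there runs at boot, on any application crash, or when a screensaver file is opened, which is why they are worth restoring to defaults and re-checking afterwards. As an added example, not part of Jintan's instructions and not code from any tool used in this thread, the Python below decodes a "Windows Registry Editor Version 5.00" export (including the hex(7) REG_MULTI_SZ blob, which is simply "autocheck autochk *" in UTF-16LE) and reports every one of those values that is missing or differs from the Windows XP default. MOREFIX_REG is the text from the post; TAMPERED_REG is a constructed illustration with a placeholder debugger path that is not from the thread.

```python
"""Decode and sanity-check launch-point values in a 'Windows Registry Editor Version 5.00'
export such as morefix.reg.  Added example; not the forum post's own code."""
import re
from typing import Dict, List, Optional, Tuple

RegValue = Tuple[str, object]  # (type name, decoded value)

# Copy of the morefix.reg text from the post above.
MOREFIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Debugger"="drwtsn32 -p %ld -e %ld -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command]
@="\"%1\" /S"
'''

# Constructed export (not from the thread): a second BootExecute entry ("extra"),
# the crash debugger pointed at a placeholder program, and the scrfile key absent.
TAMPERED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,65,00,78,00,\
  74,00,72,00,61,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Debugger"="C:\\placeholder\\dbg.exe -p %ld -e %ld"
'''

# Windows XP defaults for the three launch points morefix.reg restores.
EXPECTED: Dict[Tuple[str, str], RegValue] = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager", "BootExecute"): ("REG_MULTI_SZ", ["autocheck autochk *"]),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug", "Debugger"): ("REG_SZ", "drwtsn32 -p %ld -e %ld -g"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command", ""): ("REG_SZ", '"%1" /S'),
}

NAME_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # value name ('@' = default value) and right-hand side


def _logical_lines(text: str) -> List[str]:
    """Join physical lines ended by a backslash, the .reg continuation marker."""
    out: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip() if pending else raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        out.append(pending + line)
        pending = ""
    return out


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # quoted .reg strings escape '"' and '\' with a backslash


def _decode_value(rhs: str) -> RegValue:
    if rhs.startswith('"') and rhs.endswith('"'):
        return "REG_SZ", _unescape(rhs[1:-1])
    if rhs.startswith("dword:"):
        return "REG_DWORD", int(rhs[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", rhs)
    if m:
        kind = int(m.group(1) or "3")  # bare 'hex:' is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind == 7:  # REG_MULTI_SZ: UTF-16LE strings, NUL-separated, double-NUL terminated
            return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\0") if s]
        return "REG_BINARY", data
    raise ValueError(f"unsupported value syntax: {rhs!r}")


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Return {key path: {value name ('' for the default value): (type, value)}}."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current: Optional[str] = None
    for line in _logical_lines(text):
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = NAME_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparsable line: {line!r}")
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[current][name] = _decode_value(m.group(2))
    return keys


def check_against_defaults(text: str) -> List[str]:
    """List each expected launch-point value that is missing or differs from the XP default."""
    parsed = parse_reg(text)
    findings: List[str] = []
    for (key, name), expected in EXPECTED.items():
        actual = parsed.get(key, {}).get(name)
        if actual != expected:
            findings.append(f"{key}\\{name or '(Default)'}: found {actual!r}, expected {expected!r}")
    return findings
```

Running `check_against_defaults` over a `reg export` of those three keys taken before and after merging the fix confirms that the values actually landed; an empty result means all three are at their XP defaults.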


----------



## GTROCKER (Aug 21, 2007)

Here is the Avenger logfile:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "C:\WINDOWS\system32\iasdkreps.sys" not found!
Deletion of file "C:\WINDOWS\system32\iasdkreps.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Taskman" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


----------



## GTROCKER (Aug 21, 2007)

ComboFix 08-03-25.4 - Owner 2008-04-02 13:17:50.9 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\matt.exe.exe
* Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-04-02 13:08 . 2008-04-02 13:08 d--------	C:\larry.com
2008-03-26 09:13 . 2008-04-02 12:26	345	--a------	C:\WINDOWS\gmer.ini
2008-03-24 23:59 . 2008-03-25 00:03 d--------	C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-23 18:35 . 2008-03-23 18:42	2,319	--a------	C:\WINDOWS\unins000.dat
2008-03-20 18:14 . 2008-03-20 18:14 d--------	C:\WINDOWS\ERUNT
2008-03-20 18:03 . 2008-03-29 13:06 d--------	C:\SDFix
2008-03-20 09:50 . 2008-03-20 09:50 d--------	C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-19 00:40 . 2008-03-19 00:40 d--------	C:\Program Files\Security Task Manager
2008-03-19 00:40 . 2008-03-19 00:45 d--------	C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-18 23:25 . 2008-03-18 23:26 d--------	C:\Documents and Settings\Owner\Application Data\MSN6
2008-03-18 23:25 . 2008-03-18 23:25 d--------	C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-18 18:04 . 2008-03-18 18:05 d--------	C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-17 23:20 . 2008-03-17 23:20 d--------	C:\WINDOWS\system32\SuperAdBlocker.com
2008-03-17 15:32 . 2008-03-17 15:32 d--------	C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-17 15:31 . 2008-03-17 15:31 d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-03-17 15:31 . 2008-03-17 15:31 d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-17 15:30 . 2008-03-17 15:30 d--------	C:\Program Files\Common Files\Download Manager
2008-03-17 15:06 . 2007-12-04 09:51	42,912	--a------	C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-17 15:06 . 2007-12-04 09:49	26,624	--a------	C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-17 15:06 . 2007-12-04 09:53	23,152	--a------	C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-17 15:05 . 2007-12-04 07:54	95,608	--a------	C:\WINDOWS\system32\AvastSS.scr
2008-03-17 15:03 . 2007-12-04 09:55	94,544	--a------	C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-17 15:03 . 2007-12-04 09:56	93,264	--a------	C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-17 15:01 . 2007-12-04 08:04	837,496	--a------	C:\WINDOWS\system32\aswBoot.exe
2008-03-17 15:01 . 2004-01-09 04:13	380,928	--a------	C:\WINDOWS\system32\actskin4.ocx
2008-03-17 10:52 . 2008-03-17 11:07	91,700	--a------	C:\WINDOWS\system32\drivers\klin.dat
2008-03-17 10:52 . 2008-03-17 11:07	85,860	--a------	C:\WINDOWS\system32\drivers\klick.dat
2008-03-17 10:51 . 2008-03-17 10:51 d--------	C:\Program Files\Kaspersky Lab
2008-03-17 10:51 . 2008-04-02 13:00 d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-17 10:51 . 2008-04-02 13:21	7,126,816	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-17 10:51 . 2008-04-02 13:21	139,552	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-17 10:51 . 2008-04-02 12:57	96,092	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-17 10:51 . 2008-04-02 12:57	13,916	--ahs----	C:\WINDOWS\system32\drivers\fidbox2.idx
2008-03-17 10:42 . 2008-03-17 10:42 d--------	C:\KAV
2008-03-15 23:31 . 2008-03-18 08:32 d--------	C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-15 23:30 . 2008-03-15 23:30 d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-15 23:29 . 2008-03-20 16:23 d--------	C:\Documents and Settings\All Users\Application Data\avg7
2008-03-15 22:32 . 2003-07-16 16:24	4,224	--a------	C:\WINDOWS\system32\drivers\beep.sys
2008-03-15 22:32 . 2003-07-16 16:24	4,224	--a--c---	C:\WINDOWS\system32\dllcache\beep.sys
2008-03-08 16:04 . 2008-03-08 16:04 d--------	C:\Program Files\iPod
2008-03-08 16:03 . 2008-03-08 16:04 d--------	C:\Program Files\iTunes
2008-03-08 16:01 . 2008-03-08 16:01 d--------	C:\Program Files\Bonjour
2008-03-08 16:00 . 2008-03-08 16:01 d--------	C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 02:56	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-04-02 02:55	---------	d-----w	C:\Program Files\Lavasoft
2008-03-25 19:51	---------	d-----w	C:\Program Files\Common Files\AOL
2008-03-25 04:14	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-03-25 04:14	---------	d-----w	C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-21 03:51	---------	d-----w	C:\Program Files\SUPERAntiSpyware
2008-03-20 20:52	---------	d-----w	C:\Program Files\Webroot
2008-03-20 20:43	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Webroot
2008-03-20 20:43	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-16 16:48	---------	d-----w	C:\Program Files\Enigma Software Group
2008-03-09 16:41	---------	d-----w	C:\Program Files\Sony
2008-03-04 02:26	---------	d-----w	C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-02-20 02:15	---------	d-----w	C:\Program Files\AIM
2006-07-01 18:42	3,796	-c--a-w	C:\Documents and Settings\Owner\Application Data\FNTCACHE.BIN
2006-04-26 04:11	17,144	-c--a-w	C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2001-07-26 23:58	47	-c--a-w	C:\Program Files\ACMonitor_X73.ini
2001-07-05 19:46	8,116	-c--a-w	C:\Program Files\OSLO3071b2.USB
2001-05-11 18:39	53,248	-c--a-w	C:\Program Files\ACMonitor_X73.exe
2001-05-08 23:36	114,688	-c--a-w	C:\Program Files\lxarscan.dll
2001-04-23 21:22	1,437	-c--a-w	C:\Program Files\gtx73.ini
2001-02-22 16:54	768	-c--a-w	C:\Program Files\x73_lut.dat
.

((((((((((((((((((((((((((((( [email protected]_19.17.21.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-20 22:15:10	3,416,064	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-03-29 16:44:43	3,416,064	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-03-20 22:15:10	155,648	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-29 16:44:43	155,648	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-26 13:13:41	819,200	----a-w	C:\WINDOWS\gmer.dll
+ 2008-03-04 00:29:06	761,856	----a-w	C:\WINDOWS\gmer.exe
+ 2008-03-25 04:00:37	632,320	----a-r	C:\WINDOWS\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}\IconCD95F66110.exe
+ 2008-03-25 04:00:37	29,184	----a-r	C:\WINDOWS\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}\IconCD95F6617.exe
- 2008-03-16 03:14:50	32,768	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-02 03:07:08	32,768	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-16 03:14:50	32,768	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-02 03:07:08	32,768	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-16 03:14:50	49,152	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-02 03:07:08	49,152	-c--a-w	C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-26 13:13:41	86,097	----a-w	C:\WINDOWS\system32\drivers\gmer.sys
- 2007-07-10 16:01:46	111,784	----a-w	C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-03-24 16:40:01	122,136	----a-w	C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-02 16:58:53	16,384	----atw	C:\WINDOWS\TEMP\Perflib_Perfdata_638.dat
+ 2004-01-16 08:00:00	76,946	----a-w	C:\WINDOWS\unins000.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 18:08 67160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 15:51 118784]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 15:55 155648]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 03:42 36864]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 20:54 99480]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 18:52 74672]
"HostManager"="C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe" [2007-10-08 17:50 41824]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 18:56 295856]
"BCMSMMSG"="BCMSMMSG.exe" [2002-12-17 15:03 90112 C:\WINDOWS\BCMSMMSG.exe]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2007-01-29 23:02 200768]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 18:08 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLAspSunset]
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 08:00 79224 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
--a------ 2007-01-29 23:02 200768 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2005-01-07 04:04 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-02-29 16:03 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinReanimator]
C:\Program Files\WinReanimator\WinReanimator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\lxczcoms.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2399:TCP"= 2399:TCPxpsp2res.dll,-22004
"60098:TCP"= 60098:TCPxpsp2res.dll,-22004
"10337:TCP"= 10337:TCPxpsp2res.dll,-22004
"30404:TCP"= 30404:TCPxpsp2res.dll,-22004
"5307:TCP"= 5307:TCPxpsp2res.dll,-22004

R2 lxcz_device;lxcz_device;C:\WINDOWS\system32\lxczcoms.exe [2007-02-08 18:50]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-08-09 13:56]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 17:21:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 13:21:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-02 13:23:28
ComboFix-quarantined-files.txt 2008-04-02 17:23:16
ComboFix2.txt 2008-03-31 23:13:45
ComboFix3.txt 2008-03-25 13:55:28
ComboFix4.txt 2008-03-24 17:07:45
ComboFix5.txt 2008-03-21 18:50:34
.
2008-03-12 03:22:20	--- E O F ---
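The "Reg Loading Points" section of this log is the part that drives the cleanup: it lists the Run keys, the startup entries disabled through msconfig (the WinReanimator entry is still present there), the Security Center monitoring override, and the firewall policy, where the Windows Firewall is shown off with several ports opened globally. As an added example, not ComboFix's code and not something posted in the thread, the Python below parses that section from a constructed excerpt of the log above and returns the findings a reviewer would want to see first; the watchlist holds only the name of the rogue program this thread is about.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for settings that are
commonly changed by malware.  Added example; not ComboFix's code nor the thread's."""
import re
from typing import Dict, List, Optional

# Software names from this thread to watch for in autorun entries.
WATCHLIST = ("winreanimator",)

# Constructed excerpt: keys and values copied from the log above, other sections omitted.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 15:51 118784]
"BCMSMMSG"="BCMSMMSG.exe" [2002-12-17 15:03 90112 C:\WINDOWS\BCMSMMSG.exe]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2007-01-29 23:02 200768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 18:08 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinReanimator]
C:\Program Files\WinReanimator\WinReanimator.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2399:TCP"= 2399:TCPxpsp2res.dll,-22004
"60098:TCP"= 60098:TCPxpsp2res.dll,-22004
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
STRING_RE = re.compile(r'^"([^"]*)"(?:\s+\[(.*)\])?$')  # "path" [date time size [resolved path]]
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\.*$")


def parse_loading_points(log: str) -> Dict[str, List[str]]:
    """Map each bracketed key to the raw lines under it (a blank line ends a key)."""
    keys: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in log.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = []
        elif not line:
            current = None
        elif current is not None:
            keys[current].append(line)
    return keys


def _int_value(rhs: Optional[str]) -> Optional[int]:
    """Decode 'dword:00000001' and ComboFix's '0 (0x0)' forms; None if neither."""
    if rhs is None:
        return None
    m = re.match(r"dword:([0-9a-fA-F]{8})$", rhs) or re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", rhs)
    return int(m.group(1), 16 if rhs.startswith("dword:") else 10) if m else None


def triage(log: str) -> List[str]:
    """Return one human-readable finding per suspicious setting in the log."""
    findings: List[str] = []
    for key, lines in parse_loading_points(log).items():
        lkey = key.lower()
        values = {m.group(1): m.group(2) for m in map(VALUE_RE.match, lines) if m}
        # 1. Windows Firewall switched off for the active profile
        if lkey.endswith("firewallpolicy\\standardprofile") and _int_value(values.get("EnableFirewall")) == 0:
            findings.append(f"firewall disabled: {key}")
        # 2. Security Center told to stop watching a security product
        if "security center\\monitoring\\" in lkey and _int_value(values.get("DisableMonitoring")) == 1:
            findings.append(f"security center monitoring disabled for {key.rsplit(chr(92), 1)[-1]}")
        # 3. Ports opened to every network in the firewall policy
        if lkey.endswith("globallyopenports\\list"):
            findings.append("globally open ports: " + ", ".join(sorted(values)))
        # 4. Run keys: bare file names resolve through the search path; watchlisted names
        if lkey.endswith("\\currentversion\\run"):
            for name, rhs in values.items():
                sm = STRING_RE.match(rhs)
                if not sm:
                    continue
                path, info = sm.group(1), sm.group(2) or ""
                if "\\" not in path:
                    findings.append(f"Run entry {name!r} uses bare file name {path!r} (log shows: {info})")
                if any(w in (name + path).lower() for w in WATCHLIST):
                    findings.append(f"Run entry {name!r} references watchlisted software: {path}")
        # 5. Entries disabled through msconfig that still point at watchlisted software
        if "\\msconfig\\startupreg\\" in lkey:
            entry = key.rsplit("\\", 1)[-1]
            pm = DRIVE_PATH_RE.search(lines[-1]) if lines else None
            target = pm.group(0) if pm else (lines[-1] if lines else "")
            if any(w in (entry + target).lower() for w in WATCHLIST):
                findings.append(f"msconfig-disabled startup entry {entry!r} still points at {target}")
    return findings
```

Feeding the whole log file to `triage` works as well, since lines outside bracketed keys are ignored; extending WATCHLIST with other names from an investigation is the usual way to reuse it.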


----------



## GTROCKER (Aug 21, 2007)

"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"PrinTray" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" ["Lexmark"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"Pure Networks Port Magic" = ""C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run" ["Pure Networks, Inc."]
"lxczbmgr.exe" = ""C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"" ["Lexmark International, Inc."]
"HostManager" = "C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe" ["AOL LLC"]
"AOLDialer" = ""C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"" ["AOL LLC"]
"FaxCenterServer" = ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s" [empty string]
"BCMSMMSG" = "BCMSMMSG.exe" ["Broadcom Corporation"]
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"" ["Kaspersky Lab"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{6EE51AA0-77A0-11D7-B4E1-000347126E46}" = "Window Washer Shredding Utility"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{7CDDBD23-1B50-47b2-B28D-1B84D9A40ED1}" = "Sony Digital Voice File Shell Extention Module"
-> {HKLM...CLSID} = "Sony Digital Voice File Shell Extention Module"
\InProcServer32\(Default) = "IcdShlex.dll" ["Sony Corporation"]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus statistics"
-> {HKLM...CLSID} = "Web Anti-Virus statistics"
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]
Washer\(Default) = "{6EE51AA0-77A0-11D7-B4E1-000347126E46}"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
Washer\(Default) = "{6EE51AA0-77A0-11D7-B4E1-000347126E46}"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing, S.L."]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
"{DE9C389F-3316-41A7-809B-AA305ED9D922}" = "AOL Toolbar"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Web Anti-Virus statistics"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]

{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Web Anti-Virus statistics"

{3369AF0D-62E9-4BDA-8103-B4C75499B578}\
"ButtonText" = "AOL Toolbar"
"CLSIDExtension" = "{DE9C389F-3316-41A7-809B-AA305ED9D922}"
-> {HKLM...CLSID} = "AOL Toolbar"
\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" ["America Online, Inc."]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["AOL LLC"]
Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Bonjour Service, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
lxcz_device, lxcz_device, "C:\WINDOWS\system32\lxczcoms.exe -service" [" "]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Window Washer Engine, wwEngineSvc, "C:\Program Files\Webroot\Washer\WasherSvc.exe" ["Webroot Software, Inc."]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
1200 Series Port\Driver = "lxczlmpm.dll" [" "]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [empty string]

---------- (launch time: 2008-04-02 15:05:48)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 67 seconds, including 9 seconds for message boxes)


----------



## Jintan (Oct 4, 2007)

You didn't mention if you received any errors after the Avenger reboot there. I received the newest Gmer log, thanks. Same results - showing expected software/system functions there. These logs are now not reflecting malware changes, which is of course a plus, but we will still need to assess other changes to ensure a complete cleaning. 

Please download the attached sysdump.zip file and unzip it to your desktop. This is a freeware tool, but right now my stored download link for that does not appear to be available any longer. Once you have downloaded it please post back letting me know, so I can remove the attachment. This is just to keep this thread from becoming an alternate download source. 

Temp disable your security software, then in that folder locate and click on sysdump.exe. The scan will run fairly quickly, after which it will create some files in the new sysdump folder. Since the resulting log files will be too large to post back here, locate the sysdump.html.gz and the sysdump.txt files in the sysdump folder, and send them to me as an attachment please. Better to zip that copy of sysdump.txt to avoid any contents in it from being scanned out in the email transfer.


----------



## GTROCKER (Aug 21, 2007)

There were no errors after the Avenger reboot. I just downloaded the Sysdump.zip to my desktop and will post the results back here for your review.


----------



## GTROCKER (Aug 21, 2007)

I sent the sysdump.txt attachment to your email as requested.


----------



## Jintan (Oct 4, 2007)

I received that, thanks, but really would like the sysdump.html.gz file it created. This shows much more detail, and driver info.


----------



## Jintan (Oct 4, 2007)

I did receive your follow-up sysdump.html attachment. Very detailed for processes and services, and from this view looks pretty good. It did locate this malware service using a technique to run an application as a service there, which may allow it to get skipped in some scans.

SPTISRV
││├+SpywareCleanerService
│││├ EventMessageFile REG_EXPAND_SZ C:\WINDOWS\System32\NTSVC.ocx 
│││└ TypesSupported REG_DWORD 0x00000007 (7)

Here using a service normally used by a Sony SPTI Service. Let's check on that before considering actions, and then we will still have the unresolved issue of the null keys there to check. Overall very little malware being located now.


```
sc getdisplayname SPTISRV > c:\locate.txt & start notepad c:\locate.txt
```
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it servfind.bat.

Where it says "Files of Type", select All Files and click on Save and save it to your desktop. Exit Notepad, then click on servfind.bat and allow it to run. A text box will open - please copy/paste the contents back here.


----------



## GTROCKER (Aug 21, 2007)

Here is the servfind.bat result:

[SC] GetServiceDisplayName SUCCESS Name = Sony SPTI Service


----------



## Jintan (Oct 4, 2007)

That sent me back to the drawing board. The sysdump html output is a bit tough to weed through, but after a detailed look I can see now that in the actual locations of these services, the SPTISRV has no info (so leads right into the next listing, which is SpywareCleanerService). And the listing is not for currently installed services, but only where they were registered to create events (suggesting here a remnant of the past service):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\SpywareCleanerService

To be sure, again at the command prompt type the following (Enter after):

*sc query SpywareCleanerService*

(Exit to close that window)

You should get a service not found error. Go ahead and check that now please. As for removal of this subkey, it is also included buried in the "Source" listing for the Eventlog\Application key, and would not be worth the chance and efforts making corrections there at this point.
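The check described in the two Jintan posts above (an event source registered under Eventlog\Application with no matching service, confirmed by `sc query` reporting the service does not exist), as an added PowerShell example that is not part of the thread and not one of the tools it uses. It assumes an elevated PowerShell 2.0 or later session on the machine being examined; the function names are chosen here, and the wider sweep deliberately goes beyond the single SpywareCleanerService case.

```powershell
# Added example, not from the thread. Cross-checks event-log sources registered
# under Eventlog\Application against the services actually installed under
# CurrentControlSet\Services, which is the distinction drawn in the thread.
# Assumes an elevated PowerShell 2.0+ session; function names are chosen here.

$EventlogAppKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Application'
$ServicesKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-InstalledServiceNames {
    # Subkey names under Services are the short service names the Service
    # Control Manager knows, i.e. what "sc query <name>" looks up.
    $names = @{}
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue |
        ForEach-Object { $names[$_.PSChildName.ToLower()] = $true }
    return $names
}

function Get-EventSourceInfo {
    # Describes one Application event source: its message DLL, whether that
    # file still exists, and whether a same-named service is installed.
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [hashtable]$Installed
    )
    $srcPath = Join-Path $EventlogAppKey $Name
    if (-not (Test-Path -LiteralPath $srcPath)) { return $null }

    $props   = Get-ItemProperty -LiteralPath $srcPath -ErrorAction SilentlyContinue
    $msgFile = $props.EventMessageFile
    if ($msgFile) { $msgFile = [Environment]::ExpandEnvironmentVariables($msgFile) }

    # EventMessageFile may list several DLLs separated by ';'.
    $fileFound = $false
    if ($msgFile) {
        $fileFound = $true
        foreach ($f in ($msgFile -split ';')) {
            if (-not (Test-Path -LiteralPath $f.Trim())) { $fileFound = $false }
        }
    }

    if ($null -eq $Installed) { $Installed = Get-InstalledServiceNames }
    $svcPresent = $Installed.ContainsKey($Name.ToLower())

    New-Object PSObject -Property @{
        Source           = $Name
        EventMessageFile = $msgFile
        ServiceInstalled = $svcPresent
        MessageFileFound = $fileFound
    }
}

function Get-OrphanEventSources {
    # Every Application event source with no same-named installed service.
    # Many legitimate sources (installer and runtime components, for example)
    # never were services, so treat this as a triage list, not a verdict.
    $installed = Get-InstalledServiceNames
    Get-ChildItem -Path $EventlogAppKey -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventSourceInfo -Name $_.PSChildName -Installed $installed } |
        Where-Object { $null -ne $_ -and -not $_.ServiceInstalled } |
        Sort-Object Source
}

# The single check from the thread: the source key exists, the service does not.
Get-EventSourceInfo -Name 'SpywareCleanerService' |
    Format-List Source, EventMessageFile, ServiceInstalled, MessageFileFound

# The same idea applied to every registered source.
Get-OrphanEventSources |
    Format-Table Source, ServiceInstalled, MessageFileFound, EventMessageFile -AutoSize
```

A source that shows ServiceInstalled = False and MessageFileFound = False is the leftover-registration pattern from the thread; cross-check any such name with `sc query <name>` before deciding it is a remnant.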


----------



## GTROCKER (Aug 21, 2007)

I followed your instructions with the command prompt and the result was :
"The specified service does not exist as an installed software"


----------



## Jintan (Oct 4, 2007)

Not there, so a remnant. The issue of the null key remains, but nothing logs have shown so far. Are there any problems/issues occurring on the system right now?

Go to Start - Run, type *cmd* (and OK). Again at the prompt copy/paste each of the following, Enter after each:


```
swreg null delete HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\0* /n *

swreg null delete HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\1* /n *

swreg null delete HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\2* /n *

swreg null delete HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4}\Storage\3* /n *

swreg delete HKLM\SOFTWARE\Classes\CLSID\{1626500A-805E-23D6-16B7-F057631963E4} > C:\Confirm.txt
```
And exit to close the command console. As you have before, just make a mental note of results of the null delete steps, and post back the results and observations please.


----------



## GTROCKER (Aug 21, 2007)

Right now, I don't see any problems occurring....no error messages either. It does take a while for the system to load all the programs (especially Kaspersky) at startup but that's about it. I'm going to follow your previous instructions and post back here.


----------



## GTROCKER (Aug 21, 2007)

The result after entering the first four codes was: 
Error: Key: Software\Classes\CLSID\<1626500a-805-23D6-16B7-F057631963e4}\ storage\0 does not exist!. The result after entering the 5th code was: "C:\ Documents and Settings\Owner>".


----------



## Jintan (Oct 4, 2007)

Darn - I was in a hurry. Please repeat that from the root prompt by typing *cd\* (Enter after) first.


----------



## GTROCKER (Aug 21, 2007)

Ok, I typed in cd\ (and then Enter) at the beginning prompt. Then I got the same result as last time. The first four responses said "Error: Key:..........does not exist!" The last one just went back to cd\ .


----------



## Jintan (Oct 4, 2007)

Let me check back with someone who has been providing some of the good ideas on this. I will post back when that review is done.


----------



## Cretemonster (Jan 29, 2005)

Jintan,

Be certain the reg keys do actually show in gmer.

Go into safe mode and load up gmer.

Once the quickscan is finished, uncheck every box on the right side except Registry and click scan.

Save the log or copy to notepad and save, post back.

Hopefully this will be more revealing.


----------



## Jintan (Oct 4, 2007)

And there is the "someone" - thanks Cretemonster. Cretemonster has been very helpful in providing guidance on these unusual keys.

GTROCKER, as that all indicates, go ahead and reboot into Safe Mode (startup - tap the F8 key) and click gmer.exe to run that tool again. Under the Rootkit/Malware tab uncheck all boxes on the right side, then place a check next to "Registry". Make no other changes, and click the Scan button. When the scan completes again click Copy, and save that to a text file to post back here please.


----------



## GTROCKER (Aug 21, 2007)

I followed your instructions and ran GMER. In the Rootkit/Malware tab, I only checked the "registry" box. At the end of the scan a message appeared: "Gmer has not found any system modification"


----------



## Cretemonster (Jan 29, 2005)

Now normal gmer scan in normal mode.

Just paste or attach, whichever works. I think you're dealing with a snapshot image like TeaTimer does from Spybot.

No way I can review this entire thread, but since the 2 of you have worked so hard, take the time to double check things over good.

I can only imagine by now what has piled up in the way of tools. If it were me, I'd lose everything but some sort of Internet Security Suite which has Antivirus, Firewall and Intrusion Detection all in one.

Since it's fresh in my mind and this escapade has to be fresh in yours, I'd recommend checking out Acronis True Image 11 Home Edition. I have tested this app for a full 10 days and am absolutely satisfied with its ability to save my backside when things go wrong.

Once Jintan has you cleaned up, I tossed together some items of interest. Don't let your hard work and perseverance go to waste; get that machine cleaned up and secured as you can.

Mind you these are all suggestions and ideas for after the machine is deemed clean.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

*Windows, Internet Explorer and Microsoft Office Updates*

Visit Microsoft's Windows Update Site frequently. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

If you are running Microsoft Office, or any application of it, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed.

If you have trouble with Windows Update, you still can get all the Critical Updates, Security Fixes and Service Packs. Below are a few links to bookmark.

Microsoft Security Bulletins
http://www.microsoft.com/technet/security/current.aspx

Office downloads
http://office.microsoft.com/en-us/officeupdate/default.aspx

Download Center
http://www.microsoft.com/downloads/search.aspx

Microsoft Security Advisories
http://www.microsoft.com/technet/security/advisory/default.mspx

Recently Published
http://www.microsoft.com/technet/security/recent/default.mspx

*Programs that may help you in keeping the PC clean*

*MalwareBytes Anti-Malware* can be found *Here* or *Here*
The full version provides a degree of real-time protection along with other solutions against spyware that is a great addition to any computer.
The free version can be updated and used for scanning your computer weekly for new malware.
*ERUNT*(The Emergency Recovery Utility for NT) can be found *Here* or *Here*
You can use this utility as a primary registry backup utility, apart from System Restore.
Two methods of registry backup ( System Restore and using ERUNT ) is often recommended.
Detailed usage can be found *Here* 
It is very important that your computer has anti-virus software running. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online and stand-alone antivirus programs.
Computer Safety On line - Anti-Virus
http://forum.malwareremoval.com/viewtopic.php?p=53#53

*Update your Anti Virus Software*

It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

*Use a Firewall*

I can not stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.
Computer Safety On line - Software Firewalls
http://forum.malwareremoval.com/viewtopic.php?p=56#56
A tutorial on _Understanding and Using Firewalls_ can be found here

*Additional Information*

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link.

A very nice collection of tutorials is available at Bleeping Computer
http://www.bleepingcomputer.com/tutorials/

Finally, after following up on all these recommendations, run Jason Levine's Browser Security Tests.
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.
http://www.jasons-toolbox.com/BrowserSecurity/

Other security checks and more sites relating to computer security are listed below; take the time to visit these when you have time.
*Symantec Security Check* 
*Gibson Research Corporation Home Page* (Look for the Hot Spots Section)
*McAfee SiteAdvisor* 
*LinkScanner* 
*GFI Email Security Testing Zone*


----------



## Jintan (Oct 4, 2007)

If you are waiting for my input GTRocker please go ahead with that normal mode Gmer scan, as Crete recommended. Just leave the normally checked items as is when first opening Gmer and under Rootkit/Malware click Scan to run this checkup scan please. And be sure to check out all the info CM provided as well once we complete our repairs.

Along with the Gmer log let's get a good overview to see what remains.

Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

*"%userprofile%\desktop\dss.exe" /config*

When the DSS Configuration display opens click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, Under Main Log, uncheck the following:

*System Restore*

Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/Open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder)

Cleanup will run during the scan, so be sure to allow that to complete.


----------



## GTROCKER (Aug 21, 2007)

Thank you Jintan and CreteMonster for all your expert advice...it's very much appreciated. I will follow the instructions of your last post and provide you with the results tomorrow evening.


----------



## Jintan (Oct 4, 2007)

In reviewing these many checks I sense the steps here proved to be successful, in that your report back indicates the permissions were changed, and the outcome of the key not being found is a product of the last "swreg delete" step.

If the second command "swreg null delete" proved to be successful, that might fit in with why after that procedure the key has not been seen again.


----------



## GTROCKER (Aug 21, 2007)

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-11 17:12:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 255 MiB (512 MiB recommended).

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:28 PM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\common files\aol\1131511753\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\AOL\1131511753\ee\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1131511753\ee\anotify.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183763861125
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 7919 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20070821-132807-121 O4 - HKLM\..\Run: [xcv] C:\WINDOWS\System32\xcv.exe
backup-20070821-132807-216 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
backup-20070821-132807-223 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20070821-132807-725 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol.com/_ads/adsPopup2.htm?0
backup-20070821-132807-758 O4 - HKLM\..\Policies\Explorer\Run: [tzc] C:\WINDOWS\System32\tzc.exe
backup-20070821-132807-886 O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
backup-20070821-132807-892 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20070821-132807-935 O4 - HKLM\..\Policies\Explorer\Run: [xcv] C:\WINDOWS\System32\xcv.exe
backup-20070821-132807-946 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
backup-20070823-091001-535 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.202 85.255.112.202

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 LXARScan (Lexmark X73 MFP Scanner) - c:\windows\system32\drivers\lxarscan.sys <Not Verified; ; USB Scanner Driver>

S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
S3 SABProcEnum - c:\progra~1\mozill~1\sabprocenum.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S2 AOLService (AOL Spyware Protection Service) - c:\progra~1\common~1\aol\aolspy~1\\aolserv.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_01471028&REV_02\3&13C0B0C5&0&EF
Manufacturer: 
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_01471028&REV_02\3&13C0B0C5&0&EF
Service:

-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 672)
2007-04-19 12:41:36 294912 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\system32\svchost.exe (pid 1032)
2007-07-24 16:17:08 147456 --a------ C:\Program Files\Bonjour\mdnsNSP.dll <Not Verified; Apple Inc.; Bonjour>

C:\WINDOWS\explorer.exe (pid 1592)
2006-12-20 12:55:48 77824 --a------ C:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>

-- Scheduled Tasks -------------------------------------------------------------

2008-04-10 13:21:06 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-03-11 and 2008-04-11 -----------------------------

2100-02-23 17:35:34 768 --a----c- C:\Program Files\x73_lut.dat
2100-02-08 19:03:54 53248 --a----c- C:\Program Files\ACMonitor_X73.exe <Not Verified; Silitek Corp.; ACMonitor>
2008-04-10 17:53:44 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-04-02 18:54:53 0 d-------- C:\Program Files\MSECache
2008-04-02 13:16:43 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-04-02 13:16:43 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-04-02 13:16:43 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-04-02 13:16:43 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-02 13:08:28 0 d-------- C:\larry.com
2008-03-24 23:59:30 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-23 18:35:51 2319 --a------ C:\WINDOWS\unins000.dat
2008-03-20 18:14:43 0 d-------- C:\WINDOWS\ERUNT
2008-03-20 09:50:15 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-19 00:40:43 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-19 00:40:33 0 d-------- C:\Program Files\Security Task Manager
2008-03-18 23:25:55 0 d-------- C:\Documents and Settings\Owner\Application Data\MSN6
2008-03-18 23:25:55 0 d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-18 18:04:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-17 23:20:17 0 d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2008-03-17 15:32:29 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-17 15:31:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-17 15:31:14 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-17 15:30:39 0 d-------- C:\Program Files\Common Files\Download Manager
2008-03-17 14:24:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-03-17 10:52:46 91700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-03-17 10:52:46 85860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-03-17 10:51:50 0 d-------- C:\Program Files\Kaspersky Lab
2008-03-17 10:51:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-17 10:51:45 203296 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-17 10:51:45 9334560 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-17 10:42:27 0 d-------- C:\KAV
2008-03-15 23:39:13 0 dr-h----- C:\$VAULT$.AVG
2008-03-15 23:31:32 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-15 23:30:53 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-15 23:29:04 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7

-- Find3M Report ---------------------------------------------------------------

2008-04-01 22:56:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 22:55:57 0 d-------- C:\Program Files\Lavasoft
2008-03-25 15:51:11 0 d-------- C:\Program Files\Common Files\AOL
2008-03-25 00:14:23 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-25 00:14:03 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-21 00:01:01 0 d-------- C:\Program Files\Common Files
2008-03-20 23:51:29 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-20 16:52:08 0 d-------- C:\Program Files\Webroot
2008-03-20 16:43:40 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-03-17 23:20:20 2404 --a------ C:\WINDOWS\mozver.dat
2008-03-16 12:48:26 0 d-------- C:\Program Files\Enigma Software Group
2008-03-16 10:37:41 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-03-09 12:41:12 0 d-------- C:\Program Files\Sony
2008-03-08 16:04:34 0 d-------- C:\Program Files\iTunes
2008-03-08 16:04:10 0 d-------- C:\Program Files\iPod
2008-03-08 16:01:47 0 d-------- C:\Program Files\Bonjour
2008-03-08 16:01:14 0 d-------- C:\Program Files\QuickTime
2008-03-03 22:26:15 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-02-19 22:15:33 0 d-------- C:\Program Files\AIM

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [02/10/2004 03:51 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [02/10/2004 03:55 PM]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [10/12/2001 03:42 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [02/01/2008 12:13 AM]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [05/07/2004 08:54 PM]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [02/08/2007 06:52 PM]
"HostManager"="C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe" [10/08/2007 05:50 PM]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [10/23/2006 08:50 AM]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [02/08/2007 06:56 PM]
"BCMSMMSG"="BCMSMMSG.exe" [12/17/2002 03:03 PM C:\WINDOWS\BCMSMMSG.exe]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [01/29/2007 11:02 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"AIM"="C:\Program Files\AIM\aim.exe" [08/05/2005 06:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLAspSunset]
"C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
"C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinReanimator]
"C:\Program Files\WinReanimator\WinReanimator.exe" /hide

-- End of Deckard's System Scanner: finished at 2008-04-11 17:18:15 ------------


----------



## GTROCKER (Aug 21, 2007)

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.20GHz
Percentage of Memory in Use: 66%
Physical Memory (total/avail): 254.48 MiB / 85.59 MiB
Pagefile Memory (total/avail): 625.48 MiB / 298.55 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1914.55 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 27.93 GiB total, 16.62 GiB free. 
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD300BB-75DEA0 - 27.94 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 27.93 GiB - C:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AV: avast! antivirus 4.7.1098 [VPS 080411-0] v4.7.1098 (ALWIL Software) Disabled
AV: Kaspersky Internet Security v6.0.2.614 () Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\WINDOWS\\system32\\lxczcoms.exe"="C:\\WINDOWS\\system32\\lxczcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TARA-WALM075K74
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\TARA-WALM075K74
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=TARA-WALM075K74
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Owner _(admin)_
Administrator _(admin)_

-- Add/Remove Programs ---------------------------------------------------------

--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> 
--> C:\Program Files\LexmarkX73\removeX73.exe
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 6.0 Sprint --> MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
AOL Coach Version 1.0(Build:20040229.1 en) --> C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
AOL Toolbar 2.0 --> "C:\Program Files\AOL\AOL Toolbar 2.0\uninstall.exe"
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
AOL You've Got Pictures Screensaver --> C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
BCM V.92 56K Modem --> C:\WINDOWS\BCMSMU.exe quiet
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Broadcom 440x 10/100 Integrated Controller --> 
Broadcom 440x 10/100 Integrated Controller --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033 
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe" 
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel(R) Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
IPA/SAM Phonetics Fonts --> C:\WINDOWS\unins000.exe
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Kaspersky Internet Security 6.0 --> MsiExec.exe /I{D0DCD54F-C829-41A5-AF32-71E632BB0E2C}
Kaspersky Internet Security 6.0 --> MsiExec.exe /I{D0DCD54F-C829-41A5-AF32-71E632BB0E2C}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lexmark 1200 Series --> C:\Program Files\Lexmark 1200 Series\Install\x86\Uninst.exe
Lexmark Fax Solutions --> C:\Program Files\Lexmark Fax Solutions\Install\x86\Uninst.exe /R:faxunst
LimeWire 4.14.8 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MD Simple Burner 2.0.03 --> 
MGI PhotoSuite 8.1 (Remove Only) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MGI\PhotoSuite 8.1\Uninst.isu" -c"C:\Program Files\MGI\PhotoSuite 8.1\CustomUninstall.dll"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft FrontPage Client - English --> 
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual J# .NET Redistributable Package 1.1 --> MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
OpenMG Limited Patch 3.4-04-17-06-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix3.4-04-17-06-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 3.4.01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{26C849AB-1865-412D-B87D-B18BC5CB6C60}\setup.exe" -l0x9 UNINSTALL
Pure Networks Port Magic --> C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe -Uninstall -ShowUI
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Task Manager 1.7e --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
SonicStage --> 
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" 
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Visual Studio.NET Baseline - English --> 
WebFldrs XP --> 
WildTangent Web Driver --> C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
Window Washer --> C:\WINDOWS\Unwash6.exe
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
WordBiz version 1.8 --> "C:\Program Files\WordBiz\unins000.exe"
Yahoo! Toolbar --> rundll32.exe C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YCOMP5~1.DLL,DllCommand ui

-- Application Event Log -------------------------------------------------------

Event Record #/Type2514 / Error
Event Submitted/Written: 04/10/2008 11:44:21 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application gmer.exe, version 1.0.14.14205, faulting module gmer.dll, version 1.0.14.14205, fault address 0x0000c6a4.
Processing media-specific event for [gmer.exe!ws!]

Event Record #/Type2513 / Error
Event Submitted/Written: 04/09/2008 11:24:57 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iTunes.exe, version 7.6.1.9, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2512 / Error
Event Submitted/Written: 04/09/2008 11:24:54 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iTunes.exe, version 7.6.1.9, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2502 / Error
Event Submitted/Written: 04/09/2008 09:34:36 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application WINZIP32.EXE, version 22.0.7466.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2501 / Error
Event Submitted/Written: 04/09/2008 09:34:36 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application WINZIP32.EXE, version 22.0.7466.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type130436 / Warning
Event Submitted/Written: 04/11/2008 04:55:17 PM / 04/11/2008 04:55:18 PM
Event ID/Source: 4 / bcm4sbxp
Event Description:
Broadcom 440x 10/100 Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type130433 / Warning
Event Submitted/Written: 04/11/2008 04:49:48 PM
Event ID/Source: 4 / bcm4sbxp
Event Description:
Broadcom 440x 10/100 Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type130428 / Warning
Event Submitted/Written: 04/11/2008 00:19:08 AM
Event ID/Source: 4 / bcm4sbxp
Event Description:
Broadcom 440x 10/100 Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type130425 / Warning
Event Submitted/Written: 04/10/2008 10:45:00 PM
Event ID/Source: 4 / bcm4sbxp
Event Description:
Broadcom 440x 10/100 Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type130422 / Warning
Event Submitted/Written: 04/10/2008 09:53:03 PM
Event ID/Source: 4 / bcm4sbxp
Event Description:
Broadcom 440x 10/100 Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.

-- End of Deckard's System Scanner: finished at 2008-04-11 17:18:15 ------------


----------



## Jintan (Oct 4, 2007)

That all looks good. Truly time now for some delayed and overdue cleaning up there.

These logs all along have shown the activities of those two antivirus programs you have installed. As is, this will cause conflicts and lead to functional problems as well, so you need to choose between Avast and Kaspersky and uninstall one of those. And now the same with having both SUPERAntiSpyware and Malwarebytes' Anti-Malware, so again choose one, uninstall the other.

Make sure to temp disable all security software when doing uninstalls/installs to avoid corrupting those.

In addition to those do the following:

Go to Start > Settings > Control Panel. Click on Add/Remove Programs. *If any of the following programs are listed there*, click on the program to highlight it, and click on Remove.

*Viewpoint Manager (Remove Only)*
*Viewpoint Media Player* These are associated with ad-related activities, and installed without user knowledge.

*Java(TM) 6 Update 2* Now outdated.

----------------------------------

When all uninstalls are completed reboot, and go here and download and install the latest version of Sun Java *Java Runtime Environment (JRE) 6 Update 5*. The current file name for that is jre-6u5-windows-i586-p.exe.

--------------------------------

Reboot again. Then, still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

*"%userprofile%\desktop\dss.exe" /config*

When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

*System Restore*
*Temp Cleanup*
*Process Modules*

Then under Extra Log, *uncheck* all the boxes except this one:

*Security Center*

Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
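The read Jintan gives of the logs above (two antivirus products both reported Disabled in the Security Center section, the Windows firewall disabled, a rogue program still registered in the msconfig startup list, a service pointing at a missing file) can be automated for triage. The following Python script is an added example, not part of this thread and not part of Deckard's System Scanner or HijackThis; it parses a few lines copied from the Security Center, msconfig startupreg and HijackThis O23 sections posted above and returns what a helper would flag. The set of names treated as rogue is an assumption for illustration (only WinReanimator, the program this thread is about), and the regular expressions assume the line layouts visible in the posted logs.

```python
import re

# Constructed sample input: lines copied from the Security Center, msconfig
# startupreg and HijackThis O23 sections posted in this thread (not a full log).
SAMPLE_LOG = r"""
-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AV: avast! antivirus 4.7.1098 [VPS 080411-0] v4.7.1098 (ALWIL Software) Disabled
AV: Kaspersky Internet Security v6.0.2.614 () Disabled

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinReanimator]
"C:\Program Files\WinReanimator\WinReanimator.exe" /hide

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Assumption for illustration: startup names a helper already knows to be rogue.
ROGUE_STARTUP_NAMES = {"winreanimator"}

# Line shapes taken from the DSS extra log and the HijackThis log in this thread.
AV_LINE = re.compile(r"^AV:\s+(?P<product>.+?)\s+(?P<state>Enabled|Disabled)\s*$")
FIREWALL_LINE = re.compile(r"^Windows Internal Firewall is (?P<state>enabled|disabled)\.$")
STARTUPREG_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\(?P<name>[^\]]+)\]$",
    re.IGNORECASE,
)
O23_LINE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.*?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_security_log(text):
    """Collect the facts a helper reads off the log: AV products and their state,
    firewall state, msconfig startup entries (key name plus the command on the
    following line) and O23 services with a flag for a missing binary."""
    facts = {"av": [], "firewall": None, "startupreg": [], "services": []}
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        m = AV_LINE.match(line)
        if m:
            facts["av"].append((m.group("product"), m.group("state")))
            continue
        m = FIREWALL_LINE.match(line)
        if m:
            facts["firewall"] = m.group("state")
            continue
        m = STARTUPREG_KEY.match(line)
        if m:
            # DSS prints the command on the line right after the key.
            command = lines[i + 1].strip() if i + 1 < len(lines) else ""
            facts["startupreg"].append((m.group("name"), command))
            continue
        m = O23_LINE.match(line)
        if m:
            facts["services"].append(
                (m.group("display"), m.group("vendor"), m.group("path"), m.group("missing") is not None)
            )
    return facts


def triage(text):
    """Return (facts, issues): the parsed facts and a list of human-readable flags."""
    facts = parse_security_log(text)
    issues = []
    if len(facts["av"]) > 1:
        issues.append("multiple antivirus products registered: " + "; ".join(p for p, _ in facts["av"]))
    for product, state in facts["av"]:
        if state != "Enabled":
            issues.append(f"antivirus reported {state}: {product}")
    if facts["firewall"] == "disabled":
        issues.append("Windows firewall is disabled")
    for name, command in facts["startupreg"]:
        if name.lower() in ROGUE_STARTUP_NAMES:
            issues.append(f"known rogue still registered in msconfig startup: {name} -> {command}")
    for display, _vendor, path, missing in facts["services"]:
        if missing:
            issues.append(f"service points at a missing file: {display} ({path})")
    return facts, issues


if __name__ == "__main__":
    _, flagged = triage(SAMPLE_LOG)
    for issue in flagged:
        print("FLAG:", issue)
```

Run against a full DSS main.txt and extra.txt pasted together, the same functions give a first-pass list of what to raise with the poster before any manual review of the O4 and O23 lines; a service whose binary is missing (the AOLService entry here) is a leftover to clean up rather than a running threat, which is why it is reported separately from the startup entries.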


----------



## GTROCKER (Aug 21, 2007)

Should I always only have one of each installed on my computer? What antivirus and spyware programs would you highly recommend? I also have Zone Alarm security suite but never installed it.


----------



## Jintan (Oct 4, 2007)

All the better known AV and AS softwares do good, as long as a person follows guidelines like those Here.



> I also have Zone Alarm security suite but never installed it.


ZoneAlarm Spy Blocker and IAC Search and Media (MyWebSearch). That was their choice; installing ZA now that you know that is your choice.

The security softwares that work best for you, that you understand the use of, and are willing to keep current and scan with are the right ones there. So make your choices then go ahead with the corrections now.


----------



## GTROCKER (Aug 21, 2007)

I removed one antivirus and one spyware program. Here is the latest log you requested:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-13 01:01:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 255 MiB (512 MiB recommended).

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:57 AM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\common files\aol\1131511753\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1131511753\ee\aolsoftware.exe
C:\Program Files\Common Files\AOL\1131511753\ee\anotify.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Owner\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183763861125
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 8067 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20070821-132807-121 O4 - HKLM\..\Run: [xcv] C:\WINDOWS\System32\xcv.exe
backup-20070821-132807-216 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
backup-20070821-132807-223 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20070821-132807-725 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol.com/_ads/adsPopup2.htm?0
backup-20070821-132807-758 O4 - HKLM\..\Policies\Explorer\Run: [tzc] C:\WINDOWS\System32\tzc.exe
backup-20070821-132807-886 O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
backup-20070821-132807-892 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20070821-132807-935 O4 - HKLM\..\Policies\Explorer\Run: [xcv] C:\WINDOWS\System32\xcv.exe
backup-20070821-132807-946 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
backup-20070823-091001-535 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.202 85.255.112.202

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 LXARScan (Lexmark X73 MFP Scanner) - c:\windows\system32\drivers\lxarscan.sys <Not Verified; ; USB Scanner Driver>

S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
S3 SABProcEnum - c:\progra~1\mozill~1\sabprocenum.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S2 AOLService (AOL Spyware Protection Service) - c:\progra~1\common~1\aol\aolspy~1\\aolserv.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_01471028&REV_02\3&13C0B0C5&0&EF
Manufacturer: 
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_01471028&REV_02\3&13C0B0C5&0&EF
Service:

-- Scheduled Tasks -------------------------------------------------------------

2008-04-10 13:21:06 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-03-13 and 2008-04-13 -----------------------------

2100-02-23 17:35:34 768 --a----c- C:\Program Files\x73_lut.dat
2100-02-08 19:03:54 53248 --a----c- C:\Program Files\ACMonitor_X73.exe <Not Verified; Silitek Corp.; ACMonitor>
2008-04-13 00:57:05 0 d-------- C:\Program Files\Common Files\Java
2008-04-13 00:34:50 170016 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-13 00:29:47 0 d-------- C:\Program Files\ZoneAlarmSB
2008-04-13 00:26:20 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-13 00:26:10 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-13 00:24:02 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-13 00:23:17 0 d-------- C:\WINDOWS\Internet Logs
2008-04-12 18:27:56 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-04-02 18:54:53 0 d-------- C:\Program Files\MSECache
2008-04-02 13:16:43 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-04-02 13:16:43 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-04-02 13:16:43 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-04-02 13:16:43 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-02 13:08:28 0 d-------- C:\larry.com
2008-03-24 23:59:30 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-23 18:35:51 2319 --a------ C:\WINDOWS\unins000.dat
2008-03-20 18:14:43 0 d-------- C:\WINDOWS\ERUNT
2008-03-20 09:50:15 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-19 00:40:43 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-19 00:40:33 0 d-------- C:\Program Files\Security Task Manager
2008-03-18 23:25:55 0 d-------- C:\Documents and Settings\Owner\Application Data\MSN6
2008-03-18 23:25:55 0 d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-18 18:04:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-17 23:20:17 0 d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2008-03-17 15:32:29 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-17 15:31:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-17 15:30:39 0 d-------- C:\Program Files\Common Files\Download Manager
2008-03-17 14:24:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-03-17 10:51:50 0 d-------- C:\Program Files\Kaspersky Lab
2008-03-17 10:51:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-17 10:42:27 0 d-------- C:\KAV
2008-03-15 23:39:13 0 dr-h----- C:\$VAULT$.AVG
2008-03-15 23:31:32 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-15 23:30:53 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-15 23:29:04 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7

-- Find3M Report ---------------------------------------------------------------

2008-04-13 00:59:14 0 d-------- C:\Program Files\Java
2008-04-13 00:57:05 0 d-------- C:\Program Files\Common Files
2008-04-12 23:29:13 0 d-------- C:\Program Files\Viewpoint
2008-04-01 22:56:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 22:55:57 0 d-------- C:\Program Files\Lavasoft
2008-03-25 15:51:11 0 d-------- C:\Program Files\Common Files\AOL
2008-03-25 00:14:23 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-25 00:14:03 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-20 23:51:29 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-20 16:52:08 0 d-------- C:\Program Files\Webroot
2008-03-20 16:43:40 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-03-17 23:20:20 2404 --a------ C:\WINDOWS\mozver.dat
2008-03-16 12:48:26 0 d-------- C:\Program Files\Enigma Software Group
2008-03-16 10:37:41 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-03-09 12:41:12 0 d-------- C:\Program Files\Sony
2008-03-08 16:04:34 0 d-------- C:\Program Files\iTunes
2008-03-08 16:04:10 0 d-------- C:\Program Files\iPod
2008-03-08 16:01:47 0 d-------- C:\Program Files\Bonjour
2008-03-08 16:01:14 0 d-------- C:\Program Files\QuickTime
2008-03-03 22:26:15 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-02-19 22:15:33 0 d-------- C:\Program Files\AIM

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
04/13/2008 12:29 AM	262144	--a------	C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [02/10/2004 03:51 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [02/10/2004 03:55 PM]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [10/12/2001 03:42 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [02/01/2008 12:13 AM]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [05/07/2004 08:54 PM]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [02/08/2007 06:52 PM]
"HostManager"="C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe" [10/08/2007 05:50 PM]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [10/23/2006 08:50 AM]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [02/08/2007 06:56 PM]
"BCMSMMSG"="BCMSMMSG.exe" [12/17/2002 03:03 PM C:\WINDOWS\BCMSMMSG.exe]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [08/04/2004 03:56 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [08/05/2005 06:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLAspSunset]
"C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
"C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinReanimator]
"C:\Program Files\WinReanimator\WinReanimator.exe" /hide

*Newly Created Service* - SRESCAN
*Newly Created Service* - VSMON

-- End of Deckard's System Scanner: finished at 2008-04-13 01:03:20 ------------


----------



## GTROCKER (Aug 21, 2007)

Not sure if I restarted a second time before I ran that last scan.....so here is another log just in case (after a 2nd restart):

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-13 01:20:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 84% (more than 75%).
Total Physical Memory: 255 MiB (512 MiB recommended).

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:40 AM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\common files\aol\1131511753\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1131511753\ee\aolsoftware.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\desktop\dss.exe
C:\Program Files\Common Files\AOL\1131511753\ee\anotify.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183763861125
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 8182 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20070821-132807-121 O4 - HKLM\..\Run: [xcv] C:\WINDOWS\System32\xcv.exe
backup-20070821-132807-216 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
backup-20070821-132807-223 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20070821-132807-725 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol.com/_ads/adsPopup2.htm?0
backup-20070821-132807-758 O4 - HKLM\..\Policies\Explorer\Run: [tzc] C:\WINDOWS\System32\tzc.exe
backup-20070821-132807-886 O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
backup-20070821-132807-892 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20070821-132807-935 O4 - HKLM\..\Policies\Explorer\Run: [xcv] C:\WINDOWS\System32\xcv.exe
backup-20070821-132807-946 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
backup-20070823-091001-535 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.202 85.255.112.202

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 LXARScan (Lexmark X73 MFP Scanner) - c:\windows\system32\drivers\lxarscan.sys <Not Verified; ; USB Scanner Driver>

S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
S3 SABProcEnum - c:\progra~1\mozill~1\sabprocenum.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S2 AOLService (AOL Spyware Protection Service) - c:\progra~1\common~1\aol\aolspy~1\\aolserv.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_01471028&REV_02\3&13C0B0C5&0&EF
Manufacturer: 
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_01471028&REV_02\3&13C0B0C5&0&EF
Service:

-- Scheduled Tasks -------------------------------------------------------------

2008-04-10 13:21:06 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-03-13 and 2008-04-13 -----------------------------

2100-02-23 17:35:34 768 --a----c- C:\Program Files\x73_lut.dat
2100-02-08 19:03:54 53248 --a----c- C:\Program Files\ACMonitor_X73.exe <Not Verified; Silitek Corp.; ACMonitor>
2008-04-13 00:57:05 0 d-------- C:\Program Files\Common Files\Java
2008-04-13 00:34:50 208928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-13 00:29:47 0 d-------- C:\Program Files\ZoneAlarmSB
2008-04-13 00:26:20 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-13 00:26:10 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-13 00:24:02 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-13 00:23:17 0 d-------- C:\WINDOWS\Internet Logs
2008-04-12 18:27:56 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-04-02 18:54:53 0 d-------- C:\Program Files\MSECache
2008-04-02 13:16:43 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-04-02 13:16:43 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-04-02 13:16:43 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-04-02 13:16:43 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-02 13:08:28 0 d-------- C:\larry.com
2008-03-24 23:59:30 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-23 18:35:51 2319 --a------ C:\WINDOWS\unins000.dat
2008-03-20 18:14:43 0 d-------- C:\WINDOWS\ERUNT
2008-03-20 09:50:15 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-19 00:40:43 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-19 00:40:33 0 d-------- C:\Program Files\Security Task Manager
2008-03-18 23:25:55 0 d-------- C:\Documents and Settings\Owner\Application Data\MSN6
2008-03-18 23:25:55 0 d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-18 18:04:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-17 23:20:17 0 d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2008-03-17 15:32:29 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-17 15:31:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-17 15:30:39 0 d-------- C:\Program Files\Common Files\Download Manager
2008-03-17 14:24:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-03-17 10:51:50 0 d-------- C:\Program Files\Kaspersky Lab
2008-03-17 10:51:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-17 10:42:27 0 d-------- C:\KAV
2008-03-15 23:39:13 0 dr-h----- C:\$VAULT$.AVG
2008-03-15 23:31:32 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-15 23:30:53 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-15 23:29:04 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7

-- Find3M Report ---------------------------------------------------------------

2008-04-13 00:59:14 0 d-------- C:\Program Files\Java
2008-04-13 00:57:05 0 d-------- C:\Program Files\Common Files
2008-04-12 23:29:13 0 d-------- C:\Program Files\Viewpoint
2008-04-01 22:56:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 22:55:57 0 d-------- C:\Program Files\Lavasoft
2008-03-25 15:51:11 0 d-------- C:\Program Files\Common Files\AOL
2008-03-25 00:14:23 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-25 00:14:03 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-20 23:51:29 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-20 16:52:08 0 d-------- C:\Program Files\Webroot
2008-03-20 16:43:40 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-03-17 23:20:20 2404 --a------ C:\WINDOWS\mozver.dat
2008-03-16 12:48:26 0 d-------- C:\Program Files\Enigma Software Group
2008-03-16 10:37:41 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-03-09 12:41:12 0 d-------- C:\Program Files\Sony
2008-03-08 16:04:34 0 d-------- C:\Program Files\iTunes
2008-03-08 16:04:10 0 d-------- C:\Program Files\iPod
2008-03-08 16:01:47 0 d-------- C:\Program Files\Bonjour
2008-03-08 16:01:14 0 d-------- C:\Program Files\QuickTime
2008-03-03 22:26:15 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-02-19 22:15:33 0 d-------- C:\Program Files\AIM

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
04/13/2008 12:29 AM	262144	--a------	C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [02/10/2004 03:51 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [02/10/2004 03:55 PM]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [10/12/2001 03:42 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [02/01/2008 12:13 AM]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [05/07/2004 08:54 PM]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [02/08/2007 06:52 PM]
"HostManager"="C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe" [10/08/2007 05:50 PM]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [10/23/2006 08:50 AM]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [02/08/2007 06:56 PM]
"BCMSMMSG"="BCMSMMSG.exe" [12/17/2002 03:03 PM C:\WINDOWS\BCMSMMSG.exe]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.exe" [08/04/2004 03:56 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [08/05/2005 06:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLAspSunset]
"C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
"C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinReanimator]
"C:\Program Files\WinReanimator\WinReanimator.exe" /hide

-- End of Deckard's System Scanner: finished at 2008-04-13 01:22:39 ------------


----------



## Jintan (Oct 4, 2007)

ZoneAlarm Spy Blocker

I was sorta thinking my earlier info would lead folks away from that choice. As long as it is only the firewall component, and not the ZA AV now conflicting with Avast, you are okay with it there.

So far so good. You have quite a few startups disabled through msconfig, so in order for us to do a complete cleaning these will need to be re-enabled at least once. We'll take out the known badware one now though.


```
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinReanimator]
```
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it wingo.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.

----------------------------

Then go to Start - Run, type *msconfig* (and Enter).

Under the Startup and Services tabs, click Enable All, then Apply/OK to close msconfig. Allow the reboot at this time. You can expect to receive alerts/error messages at reboot after this, but we will be addressing all this during the repairs.

-------------------------------

Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

*"%userprofile%\desktop\dss.exe" /config*

When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

*System Restore*
*Temp Cleanup*
*Process Modules*

Then under Extra Log, *uncheck* all the boxes except this one:

*Security Center*

Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
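As an added example (not part of Jintan's post, nor code from DSS or HijackThis), a small Python parser for the Registry Dump format quoted in the logs above: it separates the entries that start at logon (the Run keys) from the startups msconfig has parked under startupreg, flags entries by name, and emits the same REGEDIT4 deletion text as the wingo.reg file. The sample dump is constructed from the format above, and the bad-name set is an assumption holding only the entry the thread identifies.

```python
import re
from typing import Dict, Iterator, List, Set, Tuple

# Constructed excerpt modelled on the DSS "Registry Dump" section quoted in this
# thread; it is sample input for the parser, not a log copied from a post.
SAMPLE_REGISTRY_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [02/10/2004 03:51 PM]
"BCMSMMSG"="BCMSMMSG.exe" [12/17/2002 03:03 PM C:\WINDOWS\BCMSMMSG.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [08/05/2005 06:08 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinReanimator]
"C:\Program Files\WinReanimator\WinReanimator.exe" /hide
"""

SECTION_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
STARTUPREG_MARKER = "\\msconfig\\startupreg\\"


def _sections(text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (key_path, non-empty body lines) for each [HKEY_...] block in the dump."""
    key, body = None, []  # type: ignore[var-annotated]
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            if key is not None:
                yield key, body
            key, body = m.group(1), []
        elif key is not None and line:
            body.append(line)
    if key is not None:
        yield key, body


def parse_active_run(text: str) -> Dict[str, str]:
    """Values under HKLM/HKCU ...\\CurrentVersion\\Run: these launch at every logon."""
    active: Dict[str, str] = {}
    for key, body in _sections(text):
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for line in body:
            m = RUN_VALUE_RE.match(line)
            if m:
                active[m.group(1)] = m.group(2)
    return active


def parse_disabled_startups(text: str) -> Dict[str, str]:
    """Startups msconfig parked under ...\\msconfig\\startupreg\\<name>.
    They are disabled, not removed: "Enable All" in msconfig moves them back into
    the Run keys, which is why the known-bad one is deleted before re-enabling."""
    disabled: Dict[str, str] = {}
    for key, body in _sections(text):
        idx = key.lower().find(STARTUPREG_MARKER)
        if idx < 0 or not body:
            continue
        disabled[key[idx + len(STARTUPREG_MARKER):]] = body[0]
    return disabled


def executable_of(command: str) -> str:
    """Lower-cased basename (without .exe) of the program a command line launches."""
    m = re.match(r'^"([^"]+)"', command) or re.match(r"^(\S+)", command)
    path = m.group(1) if m else command
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def flag_startups(entries: Dict[str, str], bad_names: Set[str]) -> List[str]:
    """Entry names whose subkey name or launched executable is in bad_names."""
    bad = {b.lower() for b in bad_names}
    return sorted(n for n, cmd in entries.items()
                  if n.lower() in bad or executable_of(cmd) in bad)


def removal_reg(name: str) -> str:
    """REGEDIT4 text deleting one startupreg subkey (the '[-key]' form), as in
    wingo.reg. Merging it removes only msconfig's record of the disabled startup,
    not the program's files, so a scan must still follow."""
    return ("REGEDIT4\r\n\r\n"
            "[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\"
            + name + "]\r\n\r\n")


if __name__ == "__main__":
    disabled = parse_disabled_startups(SAMPLE_REGISTRY_DUMP)
    print("active at logon:", sorted(parse_active_run(SAMPLE_REGISTRY_DUMP)))
    print("parked by msconfig:", sorted(disabled))
    for name in flag_startups(disabled, {"WinReanimator"}):  # assumed bad-name set
        print(removal_reg(name))
```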


----------



## GTROCKER (Aug 21, 2007)

Yes, I only installed the firewall component of Zone Alarm and so far it seems to be working well. Here is the DSS log you requested:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-14 00:07:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 255 MiB (512 MiB recommended).

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:54 AM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
c:\program files\common files\aol\1131511753\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1131511753\ee\aolsoftware.exe
C:\Documents and Settings\Owner\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOLAspSunset] "C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183763861125
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 9099 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20070821-132807-121 O4 - HKLM\..\Run: [xcv] C:\WINDOWS\System32\xcv.exe
backup-20070821-132807-216 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
backup-20070821-132807-223 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20070821-132807-725 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol.com/_ads/adsPopup2.htm?0
backup-20070821-132807-758 O4 - HKLM\..\Policies\Explorer\Run: [tzc] C:\WINDOWS\System32\tzc.exe
backup-20070821-132807-886 O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
backup-20070821-132807-892 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20070821-132807-935 O4 - HKLM\..\Policies\Explorer\Run: [xcv] C:\WINDOWS\System32\xcv.exe
backup-20070821-132807-946 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
backup-20070823-091001-535 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.202 85.255.112.202

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 LXARScan (Lexmark X73 MFP Scanner) - c:\windows\system32\drivers\lxarscan.sys <Not Verified; ; USB Scanner Driver>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
S3 SABProcEnum - c:\progra~1\mozill~1\sabprocenum.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S2 AOLService (AOL Spyware Protection Service) - c:\progra~1\common~1\aol\aolspy~1\\aolserv.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_01471028&REV_02\3&13C0B0C5&0&EF
Manufacturer: 
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_01471028&REV_02\3&13C0B0C5&0&EF
Service:

-- Scheduled Tasks -------------------------------------------------------------

2008-04-10 13:21:06 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-03-14 and 2008-04-14 -----------------------------

2100-02-23 17:35:34 768 --a----c- C:\Program Files\x73_lut.dat
2100-02-08 19:03:54 53248 --a----c- C:\Program Files\ACMonitor_X73.exe <Not Verified; Silitek Corp.; ACMonitor>
2008-04-13 13:42:40 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-04-13 00:57:05 0 d-------- C:\Program Files\Common Files\Java
2008-04-13 00:34:50 645152 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-13 00:29:47 0 d-------- C:\Program Files\ZoneAlarmSB
2008-04-13 00:26:20 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-13 00:26:10 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-13 00:24:02 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-13 00:23:17 0 d-------- C:\WINDOWS\Internet Logs
2008-04-02 18:54:53 0 d-------- C:\Program Files\MSECache
2008-04-02 13:16:43 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-04-02 13:16:43 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-04-02 13:16:43 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-04-02 13:16:43 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-02 13:08:28 0 d-------- C:\larry.com
2008-03-24 23:59:30 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-23 18:35:51 2319 --a------ C:\WINDOWS\unins000.dat
2008-03-20 18:14:43 0 d-------- C:\WINDOWS\ERUNT
2008-03-20 09:50:15 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-19 00:40:43 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-19 00:40:33 0 d-------- C:\Program Files\Security Task Manager
2008-03-18 23:25:55 0 d-------- C:\Documents and Settings\Owner\Application Data\MSN6
2008-03-18 23:25:55 0 d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-18 18:04:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-17 23:20:17 0 d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2008-03-17 15:32:29 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-17 15:31:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-17 15:30:39 0 d-------- C:\Program Files\Common Files\Download Manager
2008-03-17 14:24:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-03-17 10:51:50 0 d-------- C:\Program Files\Kaspersky Lab
2008-03-17 10:51:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-17 10:42:27 0 d-------- C:\KAV
2008-03-15 23:39:13 0 dr-h----- C:\$VAULT$.AVG
2008-03-15 23:31:32 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-15 23:30:53 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-15 23:29:04 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7

-- Find3M Report ---------------------------------------------------------------

2008-04-13 00:59:14 0 d-------- C:\Program Files\Java
2008-04-13 00:57:05 0 d-------- C:\Program Files\Common Files
2008-04-12 23:29:13 0 d-------- C:\Program Files\Viewpoint
2008-04-01 22:56:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 22:55:57 0 d-------- C:\Program Files\Lavasoft
2008-03-25 15:51:11 0 d-------- C:\Program Files\Common Files\AOL
2008-03-25 00:14:23 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-25 00:14:03 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-20 23:51:29 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-20 16:52:08 0 d-------- C:\Program Files\Webroot
2008-03-20 16:43:40 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-03-17 23:20:20 2404 --a------ C:\WINDOWS\mozver.dat
2008-03-16 12:48:26 0 d-------- C:\Program Files\Enigma Software Group
2008-03-16 10:37:41 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-03-09 12:41:12 0 d-------- C:\Program Files\Sony
2008-03-08 16:04:34 0 d-------- C:\Program Files\iTunes
2008-03-08 16:04:10 0 d-------- C:\Program Files\iPod
2008-03-08 16:01:47 0 d-------- C:\Program Files\Bonjour
2008-03-08 16:01:14 0 d-------- C:\Program Files\QuickTime
2008-03-03 22:26:15 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-02-19 22:15:33 0 d-------- C:\Program Files\AIM

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
04/13/2008 12:29 AM	262144	--a------	C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [04/13/2008 12:29 AM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [02/10/2004 03:51 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [02/10/2004 03:55 PM]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [10/12/2001 03:42 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [02/01/2008 12:13 AM]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [05/07/2004 08:54 PM]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [02/08/2007 06:52 PM]
"HostManager"="C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe" [10/08/2007 05:50 PM]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [10/23/2006 08:50 AM]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [02/08/2007 06:56 PM]
"BCMSMMSG"="BCMSMMSG.exe" [12/17/2002 03:03 PM C:\WINDOWS\BCMSMMSG.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 08:00 AM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" []
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [01/07/2005 04:04 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 02:10 PM]
"AOLAspSunset"="C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [08/05/2005 06:08 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 5:01:04 AM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2/8/2008 11:10:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

-- End of Deckard's System Scanner: finished at 2008-04-14 00:09:27 ------------


----------



## Jintan (Oct 4, 2007)

Looks much improved.

Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select "Fix Checked" and close HijackThis. These startups show as remnants, but be sure they are all uninstalled before using HijackThis now to remove these:

*O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKLM\..\Run: [AOLAspSunset] "C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe"
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)*

Reboot after, and just post back an update on how things are running now please.


----------
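The five entries picked above can be read straight off two markers in the logs: in the DSS registry dump, the Run values chosen for removal are exactly the ones followed by an empty [] where the others show a file timestamp, and HijackThis tags a service whose binary is absent with "(file missing)". As an added example, not from the thread or from either tool, the script below applies that rule to trimmed copies of the log lines posted above and returns the same five lines; the names and structure are my own.

```python
"""Pick out startup entries whose target program is no longer on disk.

Added example, not code from the thread or from HijackThis or DSS. In the
DSS registry dump posted above, every Run value is followed by the target
file's timestamp in brackets, and the four entries chosen for removal are
exactly the ones showing an empty []; HijackThis marks a service whose
binary is gone with "(file missing)". This script applies that rule.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the HijackThis lines posted above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
O4 - HKLM\..\Run: [AOLAspSunset] "C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Constructed sample: the matching part of the DSS "Registry Dump" posted above.
DSS_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [02/10/2004 03:51 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 08:00 AM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" []
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" []
"AOLAspSunset"="C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [08/05/2005 06:08 PM]
"""

_SECTION_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
_DSS_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')
_HJT_RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\]")
_HIVE_ABBR = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def parse_dss_run_values(dss_text: str) -> Dict[Tuple[str, str], bool]:
    """Map (hive, value name) -> True when DSS printed file details, False on an empty []."""
    seen: Dict[Tuple[str, str], bool] = {}
    hive = None
    for raw in dss_text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            # Only the two Run keys carry the per-value file check we rely on.
            hive = _HIVE_ABBR.get(m.group(1)) if m.group(2).lower().endswith("\\run") else None
            continue
        m = _DSS_VALUE_RE.match(line)
        if m and hive:
            name, _path, details = m.groups()
            seen[(hive, name)] = bool(details.strip())
    return seen


def find_remnants(hjt_text: str, dss_text: str) -> List[str]:
    """Return the HijackThis lines that are leftovers of software no longer on disk.

    A Run entry is flagged only when DSS explicitly reported no file ([]);
    entries DSS never listed are left alone rather than guessed at.
    """
    on_disk = parse_dss_run_values(dss_text)
    remnants: List[str] = []
    for raw in hjt_text.splitlines():
        line = raw.strip()
        m = _HJT_RUN_RE.match(line)
        if m:
            if on_disk.get((m.group(1), m.group(2))) is False:
                remnants.append(line)
        elif line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            remnants.append(line)
    return remnants


if __name__ == "__main__":
    for entry in find_remnants(HJT_SAMPLE, DSS_SAMPLE):
        print(entry)
```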



## GTROCKER (Aug 21, 2007)

I ran HijackThis and checked off those 5 items. After restarting, I only got one message that said "This application failed to start because aswCmnOS.dll was not found. Reinstalling the application may fix this problem". Otherwise things seem to be running smoothly.


----------



## Jintan (Oct 4, 2007)

Avast file. That sure doesn't seem to be related to those just-removed startups at first glance. Not really sure, but check if it is physically there first - a web search suggests this location:

c:\program files\alwil software\avast4\aswcmnos.dl

Let me know before we go off on a tangent hunting the alert source.


----------



## GTROCKER (Aug 21, 2007)

I checked and do not see it there. Could I solve the problem by completely uninstalling Avast and then reinstalling it?


----------



## Jintan (Oct 4, 2007)

Given the changes there that would be a good idea. Too many opportunities in all the activities of malware and repairing that to cause corruption to your Avast install.


----------



## GTROCKER (Aug 21, 2007)

I tried to uninstall from the add/remove programs but it did not work. A message appeared saying: "Error Loading C:\PROGRAM~1\ALWILS~1\AVAST4\Setup\setface.dll. The specified module could not be found"


----------



## Jintan (Oct 4, 2007)

That does support the idea it became corrupted. Kaspersky, on install, always informs the user they must uninstall other AV software to have it installed.

Fortunately the better security software packages provide an uninstaller program. Download Avast's from here, disable it and any other security software, then run the uninstaller.

Then reboot twice, and before reinstalling that or any other software run and post back a new Deckard's scan. Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

*"%userprofile%\desktop\dss.exe" /config*

When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

*System Restore*
*Temp Cleanup*
*Process Modules*

Then under Extra Log, *uncheck* all the boxes except this one:

*Security Center*

Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)


----------



## GTROCKER (Aug 21, 2007)

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-16 22:40:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 255 MiB (512 MiB recommended).

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:06 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1131511753\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1131511753\ee\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\AOL\1131511753\ee\anotify.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183763861125
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 8055 bytes

-- Files created between 2008-03-16 and 2008-04-16 -----------------------------

2100-02-23 17:35:34 768 --a----c- C:\Program Files\x73_lut.dat
2100-02-08 19:03:54 53248 --a----c- C:\Program Files\ACMonitor_X73.exe <Not Verified; Silitek Corp.; ACMonitor>
2008-04-15 18:05:54 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-04-13 00:57:05 0 d-------- C:\Program Files\Common Files\Java
2008-04-13 00:34:50 1849376 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-13 00:29:47 0 d-------- C:\Program Files\ZoneAlarmSB
2008-04-13 00:26:20 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-13 00:26:10 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-13 00:24:02 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-13 00:23:17 0 d-------- C:\WINDOWS\Internet Logs
2008-04-02 18:54:53 0 d-------- C:\Program Files\MSECache
2008-04-02 13:16:43 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-04-02 13:16:43 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-04-02 13:16:43 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-04-02 13:16:43  73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-02 13:08:28 0 d-------- C:\larry.com
2008-03-24 23:59:30 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-23 18:35:51 2319 --a------ C:\WINDOWS\unins000.dat
2008-03-20 18:14:43 0 d-------- C:\WINDOWS\ERUNT
2008-03-20 09:50:15 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-19 00:40:43 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-19 00:40:33 0 d-------- C:\Program Files\Security Task Manager
2008-03-18 23:25:55 0 d-------- C:\Documents and Settings\Owner\Application Data\MSN6
2008-03-18 23:25:55 0 d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-18 18:04:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-17 23:20:17 0 d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2008-03-17 15:32:29 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-17 15:31:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-17 15:30:39 0 d-------- C:\Program Files\Common Files\Download Manager
2008-03-17 14:24:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-03-17 10:51:50 0 d-------- C:\Program Files\Kaspersky Lab
2008-03-17 10:51:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-17 10:42:27 0 d-------- C:\KAV

-- Find3M Report ---------------------------------------------------------------

2008-04-15 23:43:06 0 d-------- C:\Program Files\Alwil Software
2008-04-13 00:59:14 0 d-------- C:\Program Files\Java
2008-04-13 00:57:05 0 d-------- C:\Program Files\Common Files
2008-04-12 23:29:13 0 d-------- C:\Program Files\Viewpoint
2008-04-01 22:56:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 22:55:57 0 d-------- C:\Program Files\Lavasoft
2008-03-25 15:51:11 0 d-------- C:\Program Files\Common Files\AOL
2008-03-25 00:14:23 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-25 00:14:03 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-20 23:51:29 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-20 16:52:08 0 d-------- C:\Program Files\Webroot
2008-03-20 16:43:40 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-03-18 08:32:42 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-17 23:20:20 2404 --a------ C:\WINDOWS\mozver.dat
2008-03-16 12:48:26 0 d-------- C:\Program Files\Enigma Software Group
2008-03-16 10:37:41 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-03-09 12:41:12 0 d-------- C:\Program Files\Sony
2008-03-08 16:04:34 0 d-------- C:\Program Files\iTunes
2008-03-08 16:04:10 0 d-------- C:\Program Files\iPod
2008-03-08 16:01:47 0 d-------- C:\Program Files\Bonjour
2008-03-08 16:01:14 0 d-------- C:\Program Files\QuickTime
2008-03-03 22:26:15 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-02-19 22:15:33 0 d-------- C:\Program Files\AIM

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
04/13/2008 12:29 AM	262144	--a------	C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [04/13/2008 12:29 AM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [02/10/2004 03:51 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [02/10/2004 03:55 PM]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [10/12/2001 03:42 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [02/01/2008 12:13 AM]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [05/07/2004 08:54 PM]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [02/08/2007 06:52 PM]
"HostManager"="C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe" [10/08/2007 05:50 PM]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [10/23/2006 08:50 AM]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [02/08/2007 06:56 PM]
"BCMSMMSG"="BCMSMMSG.exe" [12/17/2002 03:03 PM C:\WINDOWS\BCMSMMSG.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [01/07/2005 04:04 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 02:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [08/05/2005 06:08 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 5:01:04 AM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2/8/2008 11:10:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

-- End of Deckard's System Scanner: finished at 2008-04-16 22:42:03 ------------


----------



## GTROCKER (Aug 21, 2007)

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-16 22:48:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 255 MiB (512 MiB recommended).

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:10 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1131511753\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1131511753\ee\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\AOL\1131511753\ee\anotify.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Owner\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1183763861125
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 8079 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20070821-132807-121 O4 - HKLM\..\Run: [xcv] C:\WINDOWS\System32\xcv.exe
backup-20070821-132807-216 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
backup-20070821-132807-223 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20070821-132807-725 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol.com/_ads/adsPopup2.htm?0
backup-20070821-132807-758 O4 - HKLM\..\Policies\Explorer\Run: [tzc] C:\WINDOWS\System32\tzc.exe
backup-20070821-132807-886 O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
backup-20070821-132807-892 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20070821-132807-935 O4 - HKLM\..\Policies\Explorer\Run: [xcv] C:\WINDOWS\System32\xcv.exe
backup-20070821-132807-946 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
backup-20070823-091001-535 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.202 85.255.112.202
backup-20080414-141057-167 O4 - HKLM\..\Run: [AOLAspSunset] "C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe"
backup-20080414-141057-240 O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
backup-20080414-141057-353 O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe"
backup-20080414-141057-957 O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
backup-20080414-141057-989 O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 LXARScan (Lexmark X73 MFP Scanner) - c:\windows\system32\drivers\lxarscan.sys <Not Verified; ; USB Scanner Driver>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
S3 SABProcEnum - c:\progra~1\mozill~1\sabprocenum.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S2 AOLService (AOL Spyware Protection Service) - c:\progra~1\common~1\aol\aolspy~1\\aolserv.exe (file missing)

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_01471028&REV_02\3&13C0B0C5&0&EF
Manufacturer: 
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_8086&DEV_24CD&SUBSYS_01471028&REV_02\3&13C0B0C5&0&EF
Service:

-- Scheduled Tasks -------------------------------------------------------------

2008-04-10 13:21:06 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-03-16 and 2008-04-16 -----------------------------

2100-02-23 17:35:34 768 --a----c- C:\Program Files\x73_lut.dat
2100-02-08 19:03:54 53248 --a----c- C:\Program Files\ACMonitor_X73.exe <Not Verified; Silitek Corp.; ACMonitor>
2008-04-15 18:05:54 0 dr-h----- C:\Documents and Settings\Owner\Recent
2008-04-13 00:57:05 0 d-------- C:\Program Files\Common Files\Java
2008-04-13 00:34:50 1853472 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-13 00:29:47 0 d-------- C:\Program Files\ZoneAlarmSB
2008-04-13 00:26:20 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-13 00:26:10 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-13 00:24:02 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-04-13 00:23:17 0 d-------- C:\WINDOWS\Internet Logs
2008-04-02 18:54:53 0 d-------- C:\Program Files\MSECache
2008-04-02 13:16:43 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-04-02 13:16:43 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-04-02 13:16:43 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-04-02 13:16:43 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-02 13:08:28 0 d-------- C:\larry.com
2008-03-24 23:59:30 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-23 18:35:51 2319 --a------ C:\WINDOWS\unins000.dat
2008-03-20 18:14:43 0 d-------- C:\WINDOWS\ERUNT
2008-03-20 09:50:15 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-19 00:40:43 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-19 00:40:33 0 d-------- C:\Program Files\Security Task Manager
2008-03-18 23:25:55 0 d-------- C:\Documents and Settings\Owner\Application Data\MSN6
2008-03-18 23:25:55 0 d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-03-18 18:04:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-17 23:20:17 0 d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2008-03-17 15:32:29 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-17 15:31:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-17 15:30:39 0 d-------- C:\Program Files\Common Files\Download Manager
2008-03-17 14:24:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-03-17 10:51:50 0 d-------- C:\Program Files\Kaspersky Lab
2008-03-17 10:51:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-17 10:42:27 0 d-------- C:\KAV

-- Find3M Report ---------------------------------------------------------------

2008-04-15 23:43:06 0 d-------- C:\Program Files\Alwil Software
2008-04-13 00:59:14 0 d-------- C:\Program Files\Java
2008-04-13 00:57:05 0 d-------- C:\Program Files\Common Files
2008-04-12 23:29:13 0 d-------- C:\Program Files\Viewpoint
2008-04-01 22:56:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-01 22:55:57 0 d-------- C:\Program Files\Lavasoft
2008-03-25 15:51:11 0 d-------- C:\Program Files\Common Files\AOL
2008-03-25 00:14:23 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-25 00:14:03 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-20 23:51:29 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-20 16:52:08 0 d-------- C:\Program Files\Webroot
2008-03-20 16:43:40 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-03-18 08:32:42 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-17 23:20:20 2404 --a------ C:\WINDOWS\mozver.dat
2008-03-16 12:48:26 0 d-------- C:\Program Files\Enigma Software Group
2008-03-16 10:37:41 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-03-09 12:41:12 0 d-------- C:\Program Files\Sony
2008-03-08 16:04:34 0 d-------- C:\Program Files\iTunes
2008-03-08 16:04:10 0 d-------- C:\Program Files\iPod
2008-03-08 16:01:47 0 d-------- C:\Program Files\Bonjour
2008-03-08 16:01:14 0 d-------- C:\Program Files\QuickTime
2008-03-03 22:26:15 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-02-19 22:15:33 0 d-------- C:\Program Files\AIM

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
04/13/2008 12:29 AM	262144	--a------	C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [04/13/2008 12:29 AM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [02/10/2004 03:51 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [02/10/2004 03:55 PM]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [10/12/2001 03:42 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [02/01/2008 12:13 AM]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [05/07/2004 08:54 PM]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [02/08/2007 06:52 PM]
"HostManager"="C:\Program Files\Common Files\AOL\1131511753\ee\AOLSoftware.exe" [10/08/2007 05:50 PM]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [10/23/2006 08:50 AM]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [02/08/2007 06:56 PM]
"BCMSMMSG"="BCMSMMSG.exe" [12/17/2002 03:03 PM C:\WINDOWS\BCMSMMSG.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 11:11 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [01/07/2005 04:04 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 02:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [08/05/2005 06:08 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/29/2008 04:03 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 5:01:04 AM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2/8/2008 11:10:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

-- End of Deckard's System Scanner: finished at 2008-04-16 22:49:31 ------------


----------



## Jintan (Oct 4, 2007)

Only unanswered issue in those views is that AOL Spyware Protection Service. I have not trialed any recent versions of AOL's differing branded security software, so am not sure about the uninstall for that. Do you know if this is still installed or not?

Go ahead with your Avast reinstall now, of course being sure to reboot after. Then for now just post back if any issues remain we need to address. You have done well, and at this point the system looks near spiffy clean.


----------



## GTROCKER (Aug 21, 2007)

I downloaded Avast and restarted. The computer seems to be working fine...no issues. As far as the AOL Spyware goes, I can't seem to find an uninstall for it in the add/delete programs.
Would it be ok to leave AOL Spyware on the computer?


----------



## Jintan (Oct 4, 2007)

Not good to leave unused security software. AOL tends to stick their uninstall options inside other options. Here are steps I see provided by AOL Canada - perhaps they apply.

1. Click the Start button, then click Control Panel.
2. Click the Add or Remove Programs icon.
3. Click AOL Uninstaller once to select it, then click the Change/Remove button.
4. Click the box next to Spyware Protection to put a checkmark in it, then click the Uninstall button, and follow the on-screen prompts to complete the process.


----------



## GTROCKER (Aug 21, 2007)

I uninstalled AOL Spyware successfully. The computer seems to be running smoothly (a little slow but I guess I need more RAM) and no error messages on start up.


----------



## Jintan (Oct 4, 2007)

Really excellent that things are back on course there - I completely forgot our cleaning-up processes still remaining to complete the job.

You can uninstall third party software used, like Kaspersky, through Add/Remove Programs.

ComboFix, as part of its security changes, alters some little-used logon script values, to keep logon scripts from showing at startup. I would not know what the pre-existing values were now, but doing the following will put these at what are considered default values.

```
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] 
"RunLogonScriptSync"=dword:00000000
"RunStartupScriptSync"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] 
"RunLogonScriptSync"=dword:00000000
"RunStartupScriptSync"=dword:00000000
```
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it scriptfix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.

----------------------------

The autoplay functions there were blocked as part of the procedures we did here. You can return those to the Windows default settings at this time by doing the following step, if you wish. This will allow autoplay for all drives such as CD-ROM and external drives.


```
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=dword:00000000
"NoDriveTypeAutoRun"=dword:00000095
```
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it autofix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.

-----------------------------------

You can delete any files/folders we created there. To assist with some of that, download OTMoveIt2 and save the file to your desktop.

Please double-click OTMoveIt.exe to run it and click on Cleanup. When you do this, a list of malware removal programs will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, you should allow it to do so. After the list has downloaded, you'll be asked if you want to begin the cleanup process. Select Yes.

OTMoveIt will search for and delete/uninstall all the tools that we have used to fix your problems and all their backup folders and then delete itself when you next reboot.

----------------------

And a last measure is to reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply, then OK.

In addition, I like to recommend reviewing the information Here to make sure you stay malware free.
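As an added example (not code from this thread or from any of the tools named in it), here is a Python script that parses the autofix.reg text from the post above and decodes the NoDriveTypeAutoRun bitmask, so an administrator can see which drive types still have AutoRun disabled after the value is restored. The drive-type bit meanings are the GetDriveType() values Microsoft documents for this policy; treating 0xFF as the fully hardened baseline is an assumption.

```python
import re

# Constructed sample: the autofix.reg text from the post above (8-digit dwords).
SAMPLE_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDriveAutoRun"=dword:00000000
"NoDriveTypeAutoRun"=dword:00000095
"""

# NoDriveTypeAutoRun: a set bit disables AutoRun for that GetDriveType() type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN", 0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE", 0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK", 0x80: "reserved",
}

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword entries of a REGEDIT4 file."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = key.group(1)
            result.setdefault(current, {})
            continue
        val = re.fullmatch(r'"([^"]+)"=dword:([0-9A-Fa-f]{1,8})', line)
        if val and current is not None:
            result[current][val.group(1)] = int(val.group(2), 16)
    return result

def autorun_disabled_types(mask):
    """Drive types whose AutoRun is disabled by the given NoDriveTypeAutoRun mask."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit]

def autorun_posture(reg_text):
    """Summarise the AutoRun policy a .reg file would apply (None if it sets none)."""
    key = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    mask = parse_reg(reg_text).get(key, {}).get("NoDriveTypeAutoRun")
    if mask is None:
        return None
    disabled = autorun_disabled_types(mask)
    # 0xFF turns AutoRun off for every drive type (assumed hardened baseline).
    return {"mask": mask, "disabled": disabled,
            "removable_blocked": "DRIVE_REMOVABLE" in disabled, "all_blocked": mask == 0xFF}
```

With the 0x95 value from the post, AutoRun stays disabled for unknown, removable and network drives (plus the reserved bit) while CD-ROM and fixed drives get it back, which is what the post means by returning to the default.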


----------

