
Greetings,
I've searched for 2 weekends now on solutions to the problem I am having with my son's relatively new computer (arrived 9/10/07).
I've tried numerous suggestions from numerous sites (mainly this one) and I'm still unable to get a desktop in normal start up mode. I can in Safe Mode.
I did the cleanup methods described in the forum starter notes. There were 3 downloaders and a trojan present on the computer that I had hoped AVG would take complete care of, but my system is still not loading the desktop in normal startup mode.

I ran HiJackThis and have this log:

Logfile of HijackThis v1.99.1
Scan saved at 8:59:05 PM, on 10/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://65.243.103.62/go/?cmp=vm_mg_ff_h&nid=ku&uid=fc3d5f0e697a11dca01df68113fdffff&guid=e7584f48f37d436f8f5e89c9ef6e8930&affid=68113&lid=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,C:\WINDOWS\system32\c++.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A5E9D6E-869C-4140-9C09-C3FA34134658} - C:\WINDOWS\system32\basesr.dll
O2 - BHO: (no name) - {2EC79B5F-4971-4D75-8584-38C1A3E88F69} - C:\WINDOWS\system32\awtqq.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63B1FF69-CB46-4C0C-9A74-3C92045FEFB8} - (no file)
O2 - BHO: (no name) - {7378296C-1FA1-46CC-927A-059E501AFAE4} - C:\Program Files\Elphciot\ggpzxaxn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - C:\WINDOWS\system32\hggdawx.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\nxvhghvo.dll
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - tcprp.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {E10F6E65-D697-49CF-81A4-84BBC5C46D62} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [xupsfufa] rundll32.exe "C:\Program Files\xupsfufa\jyxwnqpi.dll",Init
O4 - HKLM\..\Run: [mjylybgh] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mjylybgh.dll"
O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\mnljktui.dll",sitypnow
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
O4 - Global Startup: 1.exe
O4 - Global Startup: 2.exe~
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159453796765
O20 - Winlogon Notify: acdaccbfba - C:\WINDOWS\system32\acdaccbfba.dll
O20 - Winlogon Notify: hggdawx - C:\WINDOWS\SYSTEM32\hggdawx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Volume Shadow Copy VSSThemes (VSSThemes) - Unknown owner - C:\WINDOWS\system32\4dbb33d0t.exe

At this point I am not sure what else to try doing. Suggestions? Your help is very much appreciated!

Last Post by jissk

did u install any new program or hardware recently?

the following items below are all suspect.
ENSURE YOU BACK UP ANY REG KEY BEFORE EDITING.
seeing that you can start in safe mode, remove all these items: do a search for the file name, remove the reg entries, then run adaware, spybot and any malware program u have in safe mode. then do a bootlog startup; if this is not able to help, check the log and see where the error is. if after that u still can't boot to normal mode you might have to do a repair of windows.

O2 - BHO: (no name) - {2A5E9D6E-869C-4140-9C09-C3FA34134658} - C:\WINDOWS\system32\basesr.dll
O2 - BHO: (no name) - {2EC79B5F-4971-4D75-8584-38C1A3E88F69} - C:\WINDOWS\system32\awtqq.dll
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://65.243.103.62/go/?cmp=vm_mg_f...fid=68113&lid=

O2 - BHO: (no name) - {63B1FF69-CB46-4C0C-9A74-3C92045FEFB8} - (no file)
O2 - BHO: (no name) - {7378296C-1FA1-46CC-927A-059E501AFAE4} - C:\Program Files\Elphciot\ggpzxaxn.dll
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - C:\WINDOWS\system32\hggdawx.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\nxvhghvo.dll
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - tcprp.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {E10F6E65-D697-49CF-81A4-84BBC5C46D62} - (no file)
O4 - HKLM\..\Run: [xupsfufa] rundll32.exe "C:\Program Files\xupsfufa\jyxwnqpi.dll",Init
O4 - HKLM\..\Run: [mjylybgh] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mjylybgh.dll"
O4 - Global Startup: 1.exe
O4 - Global Startup: 2.exe~
O20 - Winlogon Notify: acdaccbfba - C:\WINDOWS\system32\acdaccbfba.dll
O20 - Winlogon Notify: hggdawx - C:\WINDOWS\SYSTEM32\hggdawx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)
C:\WINDOWS\system32\4dbb33d0t.exe


My son just got the computer a few weeks ago and has been loading all sorts of games and software on it. He also does online RPGs -- I suspect that may be where the nasties may have originated.

Thanks very much for your suggestions. I'm in the process of scanning after removing the items you listed.

Holy cows! AVG is still plugging away and has found 686 (so far) instances of files infected with win32/virut. The AVG spyware scanner found 49 instances of trojans, downloaders, rootkits, etc. I haven't even started AdAware or SpyBot yet.

The PC came running OEM WinXP and the disk sent with the system is for Windows Vista. We don't want to install Vista because it is incompatible with all the games he wants to run. System restore refused to work (probably because of the infections). I may have to research making an XP boot disk next.

I'll let you know what happens once all these scans do their thing.
Thank you!


Ugh -- the scans literally took hours.

Results -- 49+ trojans, downloaders, backdoors, and 8886 Win32/Virut infected files. I was sure AVG was going to make the PC self-ooze a plastic hermetic shield to quarantine the infections.

Interestingly, the virus did not show up until after deleting some of the suspicious entries in the HiJackThis log. I had already done multiple scans with AVG and SpyBot and other tools.

Unfortunately, even after fixing with AVG's Win32/Virut remover, there are still "uncleaned" files, and the nasties in the posted HJT log keep showing back up despite deletion. The "restore" was totally infested.

Since it is the "workweek" now and between work (2 jobs) and class I don't have a lot of time at my machine or others, I will devote myself more to ridding the PC of these pesky nasties Friday through Sunday. Woohoo -- another weekend of nerdy fun.... It is really a challenge -- I hope I win it!

I am still able to boot in safe mode but unable to in normal mode. (I get to the desktop, but no icons, task manager will not actually load, etc.)

If anyone has further suggestions, I'd appreciate them!
Thank you!


with some of the files listed in windows or windows/system32 they have a nasty way of coming back even when you delete them, so the only way around it is to do the spyware/adaware scans. also delete any instance of a restore point and turn it off for now as anything that saved will be infected too. make sure to manually delete all cookies and temp files. i know it can be painstakingly long, i had to deal with it once, took me 2 days but back then i had time. keep at it. did u try right-click on the desktop and show desktop icons?

PS did u get a set of restore cd with the PC?

> with some of the files listed in windows or windows/system32 they have a nasty way of coming back even when you delete them, so the only way around it is to do the spyware/adaware scans. also delete any instance of a restore point and turn it off for now as anything that saved will be infected too. make sure to manually delete all cookies and temp files. i know it can be painstakingly long, i had to deal with it once, took me 2 days but back then i had time. keep at it. did u try right-click on the desktop and show desktop icons?
>
> PS did u get a set of restore cd with the PC?

I turned off system restore, and after numerous scans and multiple AVG virus fixer programs run in safe mode, I was finally able to boot in normal mode. Once in normal mode I was able to actually run AVG virus scanner which found 47 more instances of viruses, trojans, and downloaders. AVG spyware was finally able to get rid of one of the pesky files that kept reappearing. I'm not going to call it completely cured yet -- I want to run additional scans tomorrow just to be sure -- but I'm thrilled the desktop is finally back and functioning. I'm going to wait till after running additional scans before rehooking to the internet and the home network.

The restore CD that came with the PC is Windows Vista -- I did not want to restore with that. The machine came running Windows XP. That's the OS that my son's games work on -- they will not run on Vista.

Thanks again for your help and guidance!


you are welcome, keep running the spyware/antivirus, i know it's a long process, but it's worth it. bear in mind also you need to update the scan engine of each program you are running.


Note that it is essential that after fixing any O4 entry with HijackThis you must delete the related file!! Same goes for the O20 and others.

==

1. Download this file from one of the following links :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply, along with a new hijackthis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

> Note that it is essential that after fixing any O4 entry with HijackThis you must delete the related file!! Same goes for the O20 and others.
>
> ==
>
> 1. Download this file from one of the following links :
>
> http://download.bleepingcomputer.com/sUBs/ComboFix.exe
> http://www.techsupportforum.com/sectools/combofix.exe
>
> 2. Double click combofix.exe & follow the prompts.
> 3. When finished, it shall produce a log for you. Post that log in your next reply, along with a new hijackthis log.
>
> Note:
> Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Unfortunately ComboFix will not run on the machine. It ran fine on my PC, but on my son's (infected) PC it flashes 2 cmd prompt screens too quickly to see, then closes. I tried in both normal mode and safe mode.
The nasty files are not letting me manually delete them in either safe mode or normal mode. Checking them to be fixed in HiJackThis does nothing -- immediate re-scanning shows they are still there. (basesr.dll is a particularly persistent file.)
I'm scanning with Kaspersky antivirus right now. I'll re-try HiJackThis and ComboFix once that scan completes. (The scan seems very slow -- stops for many minutes on certain files.)


Well, Kaspersky found 119 more problems. After cleaning, I still cannot get ComboFix to run.

new HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:32 PM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Documents and Settings\Administrator\Desktop\gotcha.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A5E9D6E-869C-4140-9C09-C3FA34134658} - C:\WINDOWS\system32\basesr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159453796765
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Volume Shadow Copy VSSThemes (VSSThemes) - Unknown owner - C:\WINDOWS\system32\4dbb33d0t.exe (file missing)

--
End of file - 4194 bytes


When I briefly hooked to the home network to transfer the HJT log, Kaspersky detected a hidden install and stopped the process.

Some nasty is still residing on the machine, not letting me fix things with HiJackThis nor to manually delete them.

Suggestions?

Thank you!


Note that combofix will not (AFAIK) run in safe mode anyway. Hijackthis will not be able to 'fix' any entries as long as you have any instances of Internet Explorer open too.
You need to disable one of those AVs from startup too, as it is not recommended to run two at once.

==

Run the file association fixes from here; http://www.dougknox.com/xp/file_assoc.htm

==

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

C:\WINDOWS\system32\basesr.dll

==

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

==

Update AVG antispyware and boot into safe mode when done.
Have nothing else open while AVG antispyware performs its scan!

  • Run AVG antispyware.
  • Click on scanner at top of AVG antispyware screen.
  • Click on Settings.
  • Under How to Act click on Recommended Action and choose Quarantine.
  • Under How to scan all boxes should be selected.
  • Under Possibly unwanted software all boxes should be selected.
  • On right side under Reports: click on Do not automatically generate report after every scan.
  • Under What to scan select scan every file.
  • Click On scan Tab.
  • Click on Complete system scan.
  • Let the program scan the machine. It can take a while; give it time.
  • When scan has finished at bottom of screen click Apply all Actions.
  • Click Save report
  • Click Save Report as (Save as window's screen should pop up.)
  • Click desktop.
  • Click Save.
  • Exit AVG antispyware.

Reboot back to normal mode.
Post the log here.

Please post the contents of C:\vundofix.txt and a new HijackThis log.


your list did not seem to change. u still have
O2 - BHO: (no name) - {2A5E9D6E-869C-4140-9C09-C3FA34134658} - C:\WINDOWS\system32\basesr.dll

another tip: any program in add/remove that you don't recognize, remove it; any browser addon/toolbar, remove them, all of them; any search engines, remove them. these can all be added back when you are safe again.

because here is the thing: if the program is installed and u remove the file associated with it, each restart will only bring it back, especially the nasties


The Jotti and virustotal scans of basesr.dll (which has a file size of 103kb on the PC) gave the following results:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

I still cannot delete it or overwrite it -- access denied.

I scanned the suspicious-looking basesr.1 file (size 89kb) just above it and got this result at virustotal and similar at Jotti:

Antivirus Version Last Update Result
AhnLab-V3 2007.10.20.0 2007.10.19 -
AntiVir 7.6.0.27 2007.10.20 TR/Dldr.ConHook.Gen
Authentium 4.93.8 2007.10.20 -
Avast 4.7.1051.0 2007.10.20 Win32:Delf-GBT
AVG 7.5.0.488 2007.10.20 -
BitDefender 7.2 2007.10.21 Trojan.Conhook.Y
CAT-QuickHeal 9.00 2007.10.20 -
ClamAV 0.91.2 2007.10.20 -
DrWeb 4.44.0.09170 2007.10.20 Trojan.Iespy
eSafe 7.0.15.0 2007.10.15 Suspicious File
eTrust-Vet 31.2.5225 2007.10.20 -
Ewido 4.0 2007.10.20 -
FileAdvisor 1 2007.10.21 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.20 -
F-Secure 6.70.13030.0 2007.10.19 -
Ikarus T3.1.1.12 2007.10.21 -
Kaspersky 7.0.0.125 2007.10.21 -
Additional information
File size: 88064 bytes
MD5: b2f53f92def15dd6e0203cd4ad114edc
SHA1: b210f098d33a7f37a0ffa4f576721b05934550b0
packers: Morphine, UPX
packers: Morphine

I deleted it.

I did the registry fixes -- had to copy the regedit.exe from my PC on to the infected one to get it to open. Did the .exe and zip registry fixes first (since other registry zip files would not unzip and register), but then went through the whole list fine.

Ran VundoFix and got this:

VundoFix V6.5.10
Checking Java version...
Scan started at 8:54:03 PM 10/20/2007
Listing files found while scanning....

C:\windows\system32\drvdezr.dll

Beginning removal...
Attempting to delete C:\windows\system32\drvdezr.dll
C:\windows\system32\drvdezr.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.10
Checking Java version...
Scan started at 10:00:48 PM 10/20/2007
Listing files found while scanning....
No infected files were found.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 10:47:37 PM 10/20/2007
+ Scan result:
Nothing found.
::Report end

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:04 PM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A5E9D6E-869C-4140-9C09-C3FA34134658} - C:\WINDOWS\system32\basesr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159453796765
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Volume Shadow Copy VSSThemes (VSSThemes) - Unknown owner - C:\WINDOWS\system32\4dbb33d0t.exe (file missing)

--
End of file - 4199 bytes

Still cannot seem to fix:
O2 - BHO: (no name) - {2A5E9D6E-869C-4140-9C09-C3FA34134658} - C:\WINDOWS\system32\basesr.dll
O23 - Service: Volume Shadow Copy VSSThemes (VSSThemes) - Unknown owner - C:\WINDOWS\system32\4dbb33d0t.exe (file missing)

The PC is certainly performing much better than it had been (not surprising with more than 1000 malwares removed!!)

I still could not get ComboFix to run.

Does it look like I still have more cleaning to do?

Thank you for all your help. And Crunchie, the registry fix site was excellent!


u still have that basesr.dll listed as a browser hijack. but u have come a very long way. you are one patient person. good for u, and yes u still have more cleaning to do. i suggest u use an online scan, leave it to run overnight, Kaspersky has a good one

> Update AVG antispyware and boot into safe mode when done.
> Have nothing else open while AVG antispyware performs its scan!
>
>   • Run AVG antispyware.
>   • Click on scanner at top of AVG antispyware screen.
>   • Click on Settings.
>   • Under How to Act click on Recommended Action and choose Quarantine.
>   • Under How to scan all boxes should be selected.
>   • Under Possibly unwanted software all boxes should be selected.
>   • On right side under Reports: click on Do not automatically generate report after every scan.
>   • Under What to scan select scan every file.
>   • Click On scan Tab.
>   • Click on Complete system scan.
>   • Let the program scan the machine. It can take a while; give it time.
>   • When scan has finished at bottom of screen click Apply all Actions.
>   • Click Save report
>   • Click Save Report as (Save as window's screen should pop up.)
>   • Click desktop.
>   • Click Save.
>   • Exit AVG antispyware.
>
> Reboot back to normal mode.
> Post the log here.

And this bit?

==

Can you please do the following.

===============

Scan with HijackThis and then place a check next to all the following, if present:


O2 - BHO: (no name) - {2A5E9D6E-869C-4140-9C09-C3FA34134658} - C:\WINDOWS\system32\basesr.dll


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

1. Please download The Avenger by Swandog46 to your Desktop.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text (including the 'Files to delete') contained in the code box below to your clipboard by highlighting it and pressing Ctrl+C:

Files to delete:
C:\WINDOWS\system32\basesr.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

==

Try running Combofix as Administrator if you were not already.


The safe mode AVG anti-spyware report is in the previous reply just above the HJT log. It found nothing.

Avenger was unable to delete basesr.dll. I tried in normal and safe mode with the same result. HiJackThis was still unable to remove the file, too. (Log below.)

I found I could get ComboFix to run by overwriting the cmd.exe and regedit.exe files on the infected PC with ones from my PC. However, at stage 17 the system would blue screen crash and reboot itself. (ComboFix does run in safe mode BTW -- tried it both ways with the same crash at stage 17 result.)

I downloaded and ran Dr.Web CureIt -- the express scan instantly grabbed basesr.dll as trojan.sentinel and moved it. (Said it was incurable.) It also deleted 2 other files as trojan.sentinel. I decided to run the complete scan with it and it found the AVG virus vault stuff and some other infected files on the PC. It cured, quarantined, and deleted as needed.

After that process I was able to run ComboFix without crashing. (Log below.)

I've discovered I am (as Administrator) locked out of the User Center in the Control Panel. Any way to change that?!? Result of the infections, apparently.

I ran HiJackThis again (renamed gotcha.exe) and was still unable to get rid of
O23 - Service: Volume Shadow Copy VSSThemes (VSSThemes) - Unknown owner - C:\WINDOWS\system32\4dbb33d0t.exe (file missing)

That file is not in C:\WINDOWS\system32, but 4dbb33d0.exe is (no "t" on the end).
New HJT Log below.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\glrhpixn


*******************


Script file located at: \??\C:\Documents and Settings\okhqcolc.txt
Script file opened successfully.


Script file read successfully


Backups directory opened successfully at C:\Avenger


*******************


Beginning to process script file:


Could not open file C:\WINDOWS\system32\basesr.dll for deletion
Deletion of file C:\WINDOWS\system32\basesr.dll failed!


Could not process line:
C:\WINDOWS\system32\basesr.dll
Status: 0xc0000022


Completed script processing.


ComboFix 07-10-20.6 - Administrator 2007-10-21 12:15:16.4 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\check_LSA7.txt
C:\Program Files\Common Files\mantec~1
C:\Program Files\Common Files\mantec~1\??mantec\
C:\Program Files\SecCenter
C:\WINDOWS\system32\2_exception.nls
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\gln.dll
C:\WINDOWS\system32\ocxloader.exe
C:\WINDOWS\system32\qmopt.dll


.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


.
-------\LEGACY_LANMANDRV
-------\LEGACY_LDRSVC
-------\LEGACY_PROTECT
-------\lanmandrv
-------\ldrsvc
-------\protect



(((((((((((((((((((((((((   Files Created from 2007-09-21 to 2007-10-21  )))))))))))))))))))))))))))))))
.


2007-10-21 10:09    <DIR>    d--------   C:\Documents and Settings\Administrator\DoctorWeb
2007-10-21 10:03    884 --a------   C:\WINDOWS\system32\tmp.reg
2007-10-21 07:55    146,432 --a------   C:\WINDOWS\system32\dllcache\regedit.exe
2007-10-21 07:55    146,432 --a------   C:\WINDOWS\REGEDIT.EXE
2007-10-21 07:54    51,200  --a------   C:\WINDOWS\NirCmd.exe
2007-10-20 21:39    146,432 --a------   C:\WINDOWS\system32\REGEDIT.EXE
2007-10-20 20:54    <DIR>    d--------   C:\VundoFix Backups
2007-10-19 23:07    673 --ahs----   C:\WINDOWS\system32\xybeg.ini2
2007-10-19 19:48    158,432 --a------   C:\WINDOWS\system32\a7ee17a6.sys
2007-10-19 19:48    158,432 --a------   C:\WINDOWS\system32\a6a766d2.sys
2007-10-19 19:31    158,432 --a------   C:\WINDOWS\system32\16b63a6.sys
2007-10-19 19:31    158,432 --a------   C:\WINDOWS\system32\123ed5ea.sys
2007-10-19 18:37    158,432 --a------   C:\WINDOWS\system32\579608b4.sys
2007-10-19 18:37    158,432 --a------   C:\WINDOWS\system32\1a475112.sys
2007-10-19 18:36    <DIR>    d--------   C:\Program Files\Kaspersky Lab
2007-10-19 18:36    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-19 18:36    4,276,256   --ahs----   C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-19 18:36    82,061  --a------   C:\WINDOWS\system32\drivers\klick.dat
2007-10-19 18:36    81,549  --a------   C:\WINDOWS\system32\drivers\klin.dat
2007-10-19 18:36    25,632  --ahs----   C:\WINDOWS\system32\drivers\fidbox2.dat
2007-10-19 18:29    <DIR>    d--------   C:\KAV
2007-10-19 15:26    33,280  --a------   C:\WINDOWS\system32\rundll32.exe
2007-10-14 20:50    158,432 --a------   C:\WINDOWS\system32\e5356696.sys
2007-10-14 20:50    158,432 --a------   C:\WINDOWS\system32\e37ebc2c.sys
2007-10-14 12:37    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\AVG7
2007-10-14 12:37    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\AVG7
2007-10-14 10:14    <DIR>    d--------   C:\Program Files\BHODemon
2007-10-13 18:56    <DIR>    d--------   C:\Program Files\CCleaner
2007-10-07 17:46    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-07 17:46    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-07 17:40    10,872  --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-07 17:39    <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-07 17:38    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-07 17:38    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\avg7
2007-10-07 14:44    <DIR>    d--------   C:\WINDOWS\ServicePackFiles
2007-10-07 13:40    13,922  --a------   C:\WINDOWS\system32\drivers\EBIOS32.SYS
2007-10-07 13:39    <DIR>    d--------   C:\EbuDllTmpDir
2007-10-07 13:38    <DIR>    d--------   C:\Program Files\Intel
2007-10-07 13:20    158,464 --a------   C:\WINDOWS\system32\cf07e6e.sys
2007-10-07 13:20    158,464 --a------   C:\WINDOWS\system32\ced8d6c.sys
2007-10-07 13:20    158,464 --a------   C:\WINDOWS\system32\cea9f80.sys
2007-10-07 13:19    158,464 --a------   C:\WINDOWS\system32\ce7b752.sys
2007-10-07 13:17    158,464 --a------   C:\WINDOWS\system32\ce47790.sys
2007-10-07 13:05    <DIR>    d--h-----   C:\WINDOWS\system32\GroupPolicy
2007-10-07 13:05    <DIR>    d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-10-07 13:05    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-10-07 13:05    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-10-07 11:47    158,464 --a------   C:\WINDOWS\system32\fe4226ac.sys
2007-10-07 11:46    158,464 --a------   C:\WINDOWS\system32\a4be6ed6.sys
2007-10-07 11:45    158,464 --a------   C:\WINDOWS\system32\be6898f2.sys
2007-10-07 11:45    158,464 --a------   C:\WINDOWS\system32\bca4d3f0.sys
2007-10-07 11:45    158,464 --a------   C:\WINDOWS\system32\30660e58.sys
2007-10-07 10:38    158,464 --a------   C:\WINDOWS\system32\ce5d6f4c.sys
2007-10-07 10:36    158,464 --a------   C:\WINDOWS\system32\e02f36a2.sys
2007-10-07 10:36    158,464 --a------   C:\WINDOWS\system32\d74d842.sys
2007-10-07 10:36    158,464 --a------   C:\WINDOWS\system32\8499006a.sys
2007-10-07 10:36    158,464 --a------   C:\WINDOWS\system32\5fca5e06.sys
2007-10-07 10:36    158,464 --a------   C:\WINDOWS\system32\59229ba8.sys
2007-10-07 10:35    158,464 --a------   C:\WINDOWS\system32\c698a70.sys
2007-10-07 10:35    158,464 --a------   C:\WINDOWS\system32\7167ac60.sys
2007-10-07 10:35    158,464 --a------   C:\WINDOWS\system32\3d6b917e.sys
2007-10-07 10:35    158,464 --a------   C:\WINDOWS\system32\226bba2e.sys
2007-10-07 10:35    158,464 --a------   C:\WINDOWS\system32\2009285a.sys
2007-10-07 10:35    0   --a------   C:\WINDOWS\system32\bc56151a.sys
2007-10-07 09:55    109 --ahs----   C:\WINDOWS\system32\1009854801.dat
2007-10-06 16:51    158,464 --a------   C:\WINDOWS\system32\ff08da8a.sys
2007-10-06 16:51    158,464 --a------   C:\WINDOWS\system32\6b019b9c.sys
2007-10-06 16:51    158,464 --a------   C:\WINDOWS\system32\365bb420.sys
2007-10-06 16:51    0   --a------   C:\WINDOWS\system32\aca3740a.sys
2007-10-06 16:49    158,464 --a------   C:\WINDOWS\system32\c09e91ae.sys
2007-10-06 16:48    158,464 --a------   C:\WINDOWS\system32\fbf1ce.sys
2007-10-06 16:48    158,464 --a------   C:\WINDOWS\system32\92bc4e8c.sys
2007-10-06 16:48    158,464 --a------   C:\WINDOWS\system32\9233357c.sys
2007-10-06 16:48    158,464 --a------   C:\WINDOWS\system32\13e6a3b8.sys
2007-10-06 16:35    158,464 --a------   C:\WINDOWS\system32\b785072e.sys
2007-10-06 16:35    158,464 --a------   C:\WINDOWS\system32\7b5022.sys
2007-10-06 16:35    158,464 --a------   C:\WINDOWS\system32\3abf5fd2.sys
2007-10-06 16:35    158,464 --a------   C:\WINDOWS\system32\32258f70.sys
2007-10-06 16:26    158,464 --a------   C:\WINDOWS\system32\d9ebe688.sys
2007-10-06 16:26    158,464 --a------   C:\WINDOWS\system32\a9a2c1bc.sys
2007-10-06 16:26    158,464 --a------   C:\WINDOWS\system32\6185aae6.sys
2007-10-06 16:26    158,464 --a------   C:\WINDOWS\system32\387f5b58.sys
2007-10-06 16:23    158,464 --a------   C:\WINDOWS\system32\9d363e80.sys
2007-10-06 16:23    158,464 --a------   C:\WINDOWS\system32\3950f6c.sys
2007-10-06 16:23    0   --a------   C:\WINDOWS\system32\857af6c2.sys
2007-10-06 14:51    <DIR>    d--------   C:\Program Files\Intel Audio Studio
2007-10-06 14:51    274,432 --a------   C:\WINDOWS\system32\IASDLL.dll
2007-10-06 14:51    266,240 --a------   C:\WINDOWS\system32\IASMXDLL.dll
2007-10-06 14:51    89,360  --a------   C:\WINDOWS\system32\VB5DB.DLL
2007-10-06 14:51    61,440  --a------   C:\WINDOWS\system32\SFIDLOCK.dll
2007-10-06 14:51    53,248  --a------   C:\WINDOWS\system32\IASBB.dll
2007-10-06 14:51    40,960  --a------   C:\WINDOWS\system32\SFIMLARK.dll
2007-10-06 14:50    43,392  --a------   C:\WINDOWS\system32\drivers\HECI.sys
2007-10-06 14:49    142,976 --a------   C:\WINDOWS\system32\drivers\usbport.sys
2007-10-06 14:49    95,360  --a------   C:\WINDOWS\system32\drivers\atapi.sys
2007-10-06 14:49    74,240  --a------   C:\WINDOWS\system32\usbui.dll
2007-10-06 14:49    57,600  --a------   C:\WINDOWS\system32\drivers\usbhub.sys
2007-10-06 14:49    26,624  --a------   C:\WINDOWS\system32\drivers\usbehci.sys
2007-10-06 14:49    25,088  --a------   C:\WINDOWS\system32\drivers\pciidex.sys
2007-10-06 14:49    20,480  --a------   C:\WINDOWS\system32\drivers\usbuhci.sys


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 16:17    51,164  --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-21 16:17    4,448   --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-10-20 02:44    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 19:13    ---------   d-----w C:\Program Files\GameSpy Arcade
2007-10-14 19:13    ---------   d-----w C:\Program Files\GameShadow
2007-10-07 17:02    ---------   d-----w C:\Program Files\Google
2007-09-23 16:50    ---------   d-----w C:\Program Files\Firefly Studios
2007-09-23 02:25    ---------   d-----w C:\Program Files\LucasArts
2007-09-22 02:15    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-21 22:46    ---------   d-----w C:\Program Files\Eidos
2007-09-18 21:26    108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-18 21:26    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Firefly Studios
2007-09-18 02:33    ---------   d-----w C:\Program Files\AIM6
2007-09-18 02:33    ---------   d-----w C:\Documents and Settings\Quinn Wolter\Application Data\acccore
2007-09-18 02:33    ---------   d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-18 02:33    ---------   d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-18 02:32    ---------   d-----w C:\Program Files\Viewpoint
2007-09-18 02:32    ---------   d-----w C:\Program Files\Common Files\AOL
2007-09-18 02:32    ---------   d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-18 02:08    ---------   d-----w C:\Program Files\Rockstar Games
2007-09-17 21:43    ---------   d-s---w C:\Program Files\Xfire
2007-09-17 21:37    ---------   d-----w C:\Documents and Settings\Quinn Wolter\Application Data\Xfire
2007-09-17 21:05    ---------   d-----w C:\Program Files\Java
2007-09-17 21:05    ---------   d-----w C:\Program Files\Common Files\Java
2007-09-17 19:49    ---------   d-----w C:\Program Files\Bethesda Softworks
2007-09-07 17:40    ---------   d-----w C:\Documents and Settings\Quinn Wolter\Application Data\CyberLink
2007-09-07 17:40    ---------   d-----w C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-09-07 17:40    ---------   d-----w C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-09-07 14:54    ---------   d-----w C:\Program Files\SigmaTel
2007-09-07 14:54    ---------   d-----w C:\Program Files\Common Files\InstallShield
2007-09-07 14:51    ---------   d-----w C:\Program Files\CyberLink
2007-09-07 14:51    ---------   d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-09-07 14:45    ---------   d-----w C:\Program Files\MSXML 6.0
2007-09-07 14:45    ---------   d-----w C:\Program Files\MSXML 4.0
2007-08-15 16:38    2,562,464   ----a-w C:\WINDOWS\Q936782.EXE
2007-08-15 16:28    708,488 ----a-w C:\WINDOWS\Q936357.EXE
2007-08-15 16:28    15,394,248  ----a-w C:\WINDOWS\Q928365.EXE
2007-08-15 16:26    9,249,736   ----a-w C:\WINDOWS\Q928366.EXE
2007-08-15 12:57    910,728 ----a-w C:\WINDOWS\Q936021.EXE
2007-08-15 12:57    5,652,328   ----a-w C:\WINDOWS\Q936181.EXE
2007-08-15 12:56    4,704,136   ----a-w C:\WINDOWS\Q937143.EXE
2007-08-15 12:55    7,939,032   ----a-w C:\WINDOWS\Q890830.EXE
2007-08-15 12:54    849,800 ----a-w C:\WINDOWS\Q938828.EXE
2007-08-15 12:51    806,792 ----a-w C:\WINDOWS\Q938127.EXE
2007-08-15 12:50    622,984 ----a-w C:\WINDOWS\Q938829.EXE
2007-08-15 12:49    749,448 ----a-w C:\WINDOWS\Q921503.EXE
2007-08-15 12:47    925,544 ----a-w C:\WINDOWS\Q933579.EXE
2007-07-30 23:19    92,504  ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19    92,504  ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19    549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19    549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 23:19    53,080  ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19    53,080  ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19    43,352  ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19    325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19    325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 23:19    203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19    203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 23:19    1,712,984   ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19    1,712,984   ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 23:18    33,624  ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18    33,624  ----a-w C:\WINDOWS\system32\dllcache\wups.dll
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 04:15]
"!AVG Anti-Spyware"="C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-20 06:05]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarsOnTaskbar"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)


.
**************************************************************************


catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 12:18:53
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
Completion time: 2007-10-21 12:20:32 - machine was rebooted
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:04 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\gotcha.exe


O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159453796765
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Volume Shadow Copy VSSThemes (VSSThemes) - Unknown owner - C:\WINDOWS\system32\4dbb33d0t.exe (file missing)


--
End of file - 4003 bytes

Edited by happygeek: fixed formatting

0

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.bat, to your desktop.
Then double click on the fix.bat file on your desktop
You'll see a black screen flash; that's normal.

@echo off
sc stop VSSThemes
sc delete VSSThemes

Restart your PC.

==

I would also do an online scan of any unrecognised files under the Files Created from 2007-09-21 to 2007-10-21 and the Find3M Report in Combofix to make sure there are no nasties.
http://virusscan.jotti.org/ http://www.virustotal.com/en/virustotalf.html
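Added example, not part of the thread or of ComboFix: a Python script that parses the ComboFix "Files Created" and "Find3M" listing format and picks out the files worth submitting to the online scanners linked above. The selection rules are mine: three or more files of identical byte size in one folder (the repeated 158,464-byte .sys files above are the pattern), names made of six to eight hex characters, zero-byte driver files, and files carrying both hidden and system attributes. The sample listing is a constructed subset of the lines posted above.

```python
"""Pick scan candidates out of a ComboFix "Files Created" / "Find3M" listing.

Added example, not code from the thread or from ComboFix.  The selection
rules are assumptions of mine that mirror what a helper looks for by eye.
"""
from __future__ import annotations

import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of listing lines posted in the thread, plus a
# section banner and a "." line of the kind ComboFix prints between sections.
SAMPLE_LISTING = r"""
(((((((((((((((((((((((((   Files Created from 2007-09-21 to 2007-10-21  )))))))))))))))))))))))))))))))
.
2007-10-21 07:55    146,432 --a------   C:\WINDOWS\system32\dllcache\regedit.exe
2007-10-19 23:07    673 --ahs----   C:\WINDOWS\system32\xybeg.ini2
2007-10-19 19:48    158,432 --a------   C:\WINDOWS\system32\a7ee17a6.sys
2007-10-19 19:48    158,432 --a------   C:\WINDOWS\system32\a6a766d2.sys
2007-10-19 19:31    158,432 --a------   C:\WINDOWS\system32\16b63a6.sys
2007-10-19 18:36    <DIR>    d--------   C:\Program Files\Kaspersky Lab
2007-10-19 15:26    33,280  --a------   C:\WINDOWS\system32\rundll32.exe
2007-10-07 10:35    0   --a------   C:\WINDOWS\system32\bc56151a.sys
2007-10-06 14:49    95,360  --a------   C:\WINDOWS\system32\drivers\atapi.sys
2007-10-21 16:17    51,164  --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-18 21:26    108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-14 19:13    ---------   d-----w C:\Program Files\GameSpy Arcade
"""

# stamp, size (<DIR> / dashes / digits), attribute flags (7 or 9 chars), path
LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size><DIR>|-{9}|[\d,]+)\s+"
    r"(?P<attrs>[-a-zA-Z]{7,9})\s+"
    r"(?P<path>.+)$"
)
# Heuristic (assumption): six to eight hex characters, as in the .sys drop files.
RANDOM_HEX = re.compile(r"^[0-9a-f]{6,8}\.(sys|exe|dll)$", re.I)
MIN_CLUSTER = 3   # this many same-size files in one folder is suspicious


@dataclass
class Entry:
    stamp: str
    size: int | None   # None for directories
    attrs: str
    path: str


def parse_listing(text: str) -> list[Entry]:
    """Return one Entry per file/directory line; banners and dots are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size_field = m["size"]
        size = None if size_field in ("<DIR>", "-" * 9) else int(size_field.replace(",", ""))
        entries.append(Entry(m["stamp"], size, m["attrs"], m["path"]))
    return entries


def candidates(entries: list[Entry]) -> dict[str, list[str]]:
    """Map each suspicious file path to the list of reasons it was picked."""
    by_dir_size: dict[tuple[str, int], list[str]] = defaultdict(list)
    for e in entries:
        if e.size is not None:
            by_dir_size[(ntpath.dirname(e.path).lower(), e.size)].append(e.path)

    flagged: dict[str, list[str]] = {}
    for e in entries:
        if e.size is None:
            continue                      # directories are not scan targets
        folder, name = ntpath.split(e.path)
        reasons = []
        if RANDOM_HEX.match(name):
            reasons.append("random hex file name")
        group = by_dir_size[(folder.lower(), e.size)]
        if len(group) >= MIN_CLUSTER:
            reasons.append(f"one of {len(group)} files of identical size ({e.size:,} bytes) in {folder}")
        if e.size == 0 and name.lower().endswith(".sys"):
            reasons.append("zero-byte driver file")
        if "h" in e.attrs and "s" in e.attrs:
            reasons.append("hidden+system attributes")
        if reasons:
            flagged[e.path] = reasons
    return flagged


def candidate_names(text: str) -> list[str]:
    """Convenience: base names of flagged files, in listing order."""
    return [ntpath.basename(p) for p in candidates(parse_listing(text))]


if __name__ == "__main__":
    for path, reasons in candidates(parse_listing(SAMPLE_LISTING)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

The output is a shortlist, not a verdict: fidbox.idx is picked only for its hidden+system attributes and sits under a known vendor's driver folder, so a human still decides which entries go to the jotti/VirusTotal scanners above, while the three same-size hex-named .sys files and the zero-byte driver are the ones that plainly need it.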

0

The fix.bat got rid of the offending file. Thank you!

Unfortunately, I went online to do the online scans and was "attacked" almost instantly -- remote disabling of Kaspersky Anti-Virus, files and modules being added -- I had to pull the plug on the internet.
Unfortunately, files/modules seem to have gotten through. :( It was amazing how fast it was.... I'm wary of rebooting (or shutting down at all) for fear of not getting back into the machine.

I'll start again with the scans and clean up. I'll post a new HJT log (hopefully) by Wednesday evening.
*sigh*

0

I ran all sorts of scans.
I updated the scanners that I could, but the nasties have disabled Firefox and IE is MIA. Some of the update processes simply say "no connection detected" and fail. Sometimes when I (very quickly) plug into the internet connection, the entire display screen turns sickly yellow/green, so I've been avoiding plugging in as much as possible.

New HJT, Silent Runner, and ComboFix logs below.

New HJT log
(I have the logs in Safe Mode also, but I'll post the Normal mode ones -- let me know if you want to see the Safe Mode versions.)
BTW, the Google updater service (gusvc) is suspicious -- the folder is not on the machine and HJT cannot "fix" the O23 service entry.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:10 PM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\gotcha.exe


O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159453796765
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe


--
End of file - 3967 bytes
**************************
ComboFix 07-10-20.6 - Administrator 2007-10-23 22:06:18.6 - NTFSx86 NETWORK
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.600 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.


(((((((((((((((((((((((((   Files Created from 2007-09-24 to 2007-10-24  )))))))))))))))))))))))))))))))
.


2007-10-23 16:16    0   --a------   C:\WINDOWS\system32\SBRC.dat
2007-10-23 16:16    0   --a------   C:\WINDOWS\system32\SBFC.dat
2007-10-23 16:14    15,544  --a------   C:\WINDOWS\system32\drivers\sbhr.sys
2007-10-23 16:13    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-10-23 16:13    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2007-10-23 16:13    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2007-10-23 16:12    <DIR>    d--------   C:\Program Files\Sunbelt Software
2007-10-21 10:09    <DIR>    d--------   C:\Documents and Settings\Administrator\DoctorWeb
2007-10-21 10:03    870 --a------   C:\WINDOWS\system32\tmp.reg
2007-10-21 07:55    146,432 --a------   C:\WINDOWS\system32\dllcache\regedit.exe
2007-10-21 07:55    146,432 --a------   C:\WINDOWS\REGEDIT.EXE
2007-10-21 07:54    51,200  --a------   C:\WINDOWS\NirCmd.exe
2007-10-20 21:39    146,432 --a------   C:\WINDOWS\system32\REGEDIT.EXE
2007-10-20 20:54    <DIR>    d--------   C:\VundoFix Backups
2007-10-19 23:07    673 --ahs----   C:\WINDOWS\system32\xybeg.ini2
2007-10-19 19:48    158,432 --a------   C:\WINDOWS\system32\a7ee17a6.sys
2007-10-19 19:48    158,432 --a------   C:\WINDOWS\system32\a6a766d2.sys
2007-10-19 19:31    158,432 --a------   C:\WINDOWS\system32\16b63a6.sys
2007-10-19 19:31    158,432 --a------   C:\WINDOWS\system32\123ed5ea.sys
2007-10-19 18:37    158,432 --a------   C:\WINDOWS\system32\579608b4.sys
2007-10-19 18:37    158,432 --a------   C:\WINDOWS\system32\1a475112.sys
2007-10-19 18:36    <DIR>    d--------   C:\Program Files\Kaspersky Lab
2007-10-19 18:36    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-19 18:36    4,313,376   --ahs----   C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-19 18:36    82,061  --a------   C:\WINDOWS\system32\drivers\klick.dat
2007-10-19 18:36    81,549  --a------   C:\WINDOWS\system32\drivers\klin.dat
2007-10-19 18:36    32,032  --ahs----   C:\WINDOWS\system32\drivers\fidbox2.dat
2007-10-19 18:29    <DIR>    d--------   C:\KAV
2007-10-19 15:26    33,280  --a------   C:\WINDOWS\system32\rundll32.exe
2007-10-14 20:50    158,432 --a------   C:\WINDOWS\system32\e5356696.sys
2007-10-14 20:50    158,432 --a------   C:\WINDOWS\system32\e37ebc2c.sys
2007-10-14 12:37    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\AVG7
2007-10-14 12:37    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\AVG7
2007-10-14 10:14    <DIR>    d--------   C:\Program Files\BHODemon
2007-10-13 18:56    <DIR>    d--------   C:\Program Files\CCleaner
2007-10-07 17:46    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-07 17:46    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-07 17:40    10,872  --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-07 17:39    <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-07 17:39    <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-07 17:39    <DIR>    d--------   C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-07 17:38    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-07 17:38    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\avg7
2007-10-07 14:44    <DIR>    d--------   C:\WINDOWS\ServicePackFiles
2007-10-07 13:40    13,922  --a------   C:\WINDOWS\system32\drivers\EBIOS32.SYS
2007-10-07 13:39    <DIR>    d--------   C:\EbuDllTmpDir
2007-10-07 13:38    <DIR>    d--------   C:\Program Files\Intel
2007-10-07 13:20    158,464 --a------   C:\WINDOWS\system32\cf07e6e.sys
2007-10-07 13:20    158,464 --a------   C:\WINDOWS\system32\ced8d6c.sys
2007-10-07 13:20    158,464 --a------   C:\WINDOWS\system32\cea9f80.sys
2007-10-07 13:19    158,464 --a------   C:\WINDOWS\system32\ce7b752.sys
2007-10-07 13:17    158,464 --a------   C:\WINDOWS\system32\ce47790.sys
2007-10-07 13:05    <DIR>    d--h-----   C:\WINDOWS\system32\GroupPolicy
2007-10-07 13:05    <DIR>    d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-10-07 13:05    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-10-07 13:05    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-10-07 11:47    158,464 --a------   C:\WINDOWS\system32\fe4226ac.sys
2007-10-07 11:46    158,464 --a------   C:\WINDOWS\system32\a4be6ed6.sys
2007-10-07 11:45    158,464 --a------   C:\WINDOWS\system32\be6898f2.sys
2007-10-07 11:45    158,464 --a------   C:\WINDOWS\system32\bca4d3f0.sys
2007-10-07 11:45    158,464 --a------   C:\WINDOWS\system32\30660e58.sys
2007-10-07 10:38    158,464 --a------   C:\WINDOWS\system32\ce5d6f4c.sys
2007-10-07 10:36    158,464 --a------   C:\WINDOWS\system32\e02f36a2.sys
2007-10-07 10:36    158,464 --a------   C:\WINDOWS\system32\d74d842.sys
2007-10-07 10:36    158,464 --a------   C:\WINDOWS\system32\8499006a.sys
2007-10-07 10:36    158,464 --a------   C:\WINDOWS\system32\5fca5e06.sys
2007-10-07 10:36    158,464 --a------   C:\WINDOWS\system32\59229ba8.sys
2007-10-07 10:35    158,464 --a------   C:\WINDOWS\system32\c698a70.sys
2007-10-07 10:35    158,464 --a------   C:\WINDOWS\system32\7167ac60.sys
2007-10-07 10:35    158,464 --a------   C:\WINDOWS\system32\3d6b917e.sys
2007-10-07 10:35    158,464 --a------   C:\WINDOWS\system32\226bba2e.sys
2007-10-07 10:35    158,464 --a------   C:\WINDOWS\system32\2009285a.sys
2007-10-07 10:35    0   --a------   C:\WINDOWS\system32\bc56151a.sys
2007-10-07 09:55    109 --ahs----   C:\WINDOWS\system32\1009854801.dat
2007-10-06 16:51    158,464 --a------   C:\WINDOWS\system32\ff08da8a.sys
2007-10-06 16:51    158,464 --a------   C:\WINDOWS\system32\6b019b9c.sys
2007-10-06 16:51    158,464 --a------   C:\WINDOWS\system32\365bb420.sys
2007-10-06 16:51    0   --a------   C:\WINDOWS\system32\aca3740a.sys
2007-10-06 16:49    158,464 --a------   C:\WINDOWS\system32\c09e91ae.sys
2007-10-06 16:48    158,464 --a------   C:\WINDOWS\system32\fbf1ce.sys
2007-10-06 16:48    158,464 --a------   C:\WINDOWS\system32\92bc4e8c.sys
2007-10-06 16:48    158,464 --a------   C:\WINDOWS\system32\9233357c.sys
2007-10-06 16:48    158,464 --a------   C:\WINDOWS\system32\13e6a3b8.sys
2007-10-06 16:35    158,464 --a------   C:\WINDOWS\system32\b785072e.sys
2007-10-06 16:35    158,464 --a------   C:\WINDOWS\system32\7b5022.sys
2007-10-06 16:35    158,464 --a------   C:\WINDOWS\system32\3abf5fd2.sys
2007-10-06 16:35    158,464 --a------   C:\WINDOWS\system32\32258f70.sys
2007-10-06 16:26    158,464 --a------   C:\WINDOWS\system32\d9ebe688.sys
2007-10-06 16:26    158,464 --a------   C:\WINDOWS\system32\a9a2c1bc.sys
2007-10-06 16:26    158,464 --a------   C:\WINDOWS\system32\6185aae6.sys
2007-10-06 16:26    158,464 --a------   C:\WINDOWS\system32\387f5b58.sys
2007-10-06 16:23    158,464 --a------   C:\WINDOWS\system32\9d363e80.sys
2007-10-06 16:23    158,464 --a------   C:\WINDOWS\system32\3950f6c.sys
2007-10-06 16:23    0   --a------   C:\WINDOWS\system32\857af6c2.sys
2007-10-06 14:51    <DIR>    d--------   C:\Program Files\Intel Audio Studio
2007-10-06 14:51    274,432 --a------   C:\WINDOWS\system32\IASDLL.dll
2007-10-06 14:51    266,240 --a------   C:\WINDOWS\system32\IASMXDLL.dll
2007-10-06 14:51    89,360  --a------   C:\WINDOWS\system32\VB5DB.DLL
2007-10-06 14:51    61,440  --a------   C:\WINDOWS\system32\SFIDLOCK.dll
2007-10-06 14:51    53,248  --a------   C:\WINDOWS\system32\IASBB.dll


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 21:08    51,164  --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-23 21:08    4,952   --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-10-20 02:44    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 19:13    ---------   d-----w C:\Program Files\xupsfufa
2007-10-14 19:13    ---------   d-----w C:\Program Files\GameSpy Arcade
2007-10-14 19:13    ---------   d-----w C:\Program Files\GameShadow
2007-10-14 16:17    ---------   d-----w C:\Program Files\Elphciot
2007-09-23 22:36    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-23 16:50    ---------   d-----w C:\Program Files\Firefly Studios
2007-09-23 13:55    ---------   d-----w C:\Program Files\Dreamcatcher
2007-09-23 03:32    9,059   ----a-w C:\WINDOWS\system32\iefpmod.dll
2007-09-23 02:44    ---------   d-----w C:\Documents and Settings\Quinn Wolter\Application Data\Petroglyph
2007-09-23 02:43    ---------   d-----w C:\Documents and Settings\Quinn Wolter\Application Data\LucasArts
2007-09-23 02:25    ---------   d-----w C:\Program Files\LucasArts
2007-09-23 02:13    ---------   d-----w C:\Program Files\Microsoft Games
2007-09-22 22:16    ---------   d--h--r C:\Documents and Settings\Quinn Wolter\Application Data\SecuROM
2007-09-22 22:04    ---------   d-----w C:\Program Files\EA GAMES
2007-09-22 02:15    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-21 22:46    ---------   d-----w C:\Program Files\Eidos
2007-09-18 21:26    108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-18 21:26    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Firefly Studios
2007-09-18 02:33    ---------   d-----w C:\Program Files\AIM6
2007-09-18 02:33    ---------   d-----w C:\Documents and Settings\Quinn Wolter\Application Data\acccore
2007-09-18 02:33    ---------   d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-09-18 02:33    ---------   d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-18 02:32    ---------   d-----w C:\Program Files\Viewpoint
2007-09-18 02:32    ---------   d-----w C:\Program Files\Common Files\AOL
2007-09-18 02:32    ---------   d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-18 02:08    ---------   d-----w C:\Program Files\Rockstar Games
2007-09-17 21:43    ---------   d-s---w C:\Program Files\Xfire
2007-09-17 21:37    ---------   d-----w C:\Documents and Settings\Quinn Wolter\Application Data\Xfire
2007-09-17 21:05    ---------   d-----w C:\Program Files\Java
2007-09-17 21:05    ---------   d-----w C:\Program Files\Common Files\Java
2007-09-17 19:49    ---------   d-----w C:\Program Files\Bethesda Softworks
2007-09-07 17:40    ---------   d-----w C:\Documents and Settings\Quinn Wolter\Application Data\CyberLink
2007-09-07 17:40    ---------   d-----w C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-09-07 17:40    ---------   d-----w C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-09-07 14:54    ---------   d-----w C:\Program Files\SigmaTel
2007-09-07 14:54    ---------   d-----w C:\Program Files\Common Files\InstallShield
2007-09-07 14:51    ---------   d-----w C:\Program Files\CyberLink
2007-09-07 14:51    ---------   d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-09-07 14:45    ---------   d-----w C:\Program Files\MSXML 6.0
2007-09-07 14:45    ---------   d-----w C:\Program Files\MSXML 4.0
2007-08-27 15:26    27,120  ----a-w C:\WINDOWS\system32\SBBD.exe
2007-08-15 16:38    2,562,464   ----a-w C:\WINDOWS\Q936782.EXE
2007-08-15 16:28    708,488 ----a-w C:\WINDOWS\Q936357.EXE
2007-08-15 16:28    15,394,248  ----a-w C:\WINDOWS\Q928365.EXE
2007-08-15 16:26    9,249,736   ----a-w C:\WINDOWS\Q928366.EXE
2007-08-15 12:57    910,728 ----a-w C:\WINDOWS\Q936021.EXE
2007-08-15 12:57    5,652,328   ----a-w C:\WINDOWS\Q936181.EXE
2007-08-15 12:56    4,704,136   ----a-w C:\WINDOWS\Q937143.EXE
2007-08-15 12:55    7,939,032   ----a-w C:\WINDOWS\Q890830.EXE
2007-08-15 12:54    849,800 ----a-w C:\WINDOWS\Q938828.EXE
2007-08-15 12:51    806,792 ----a-w C:\WINDOWS\Q938127.EXE
2007-08-15 12:50    622,984 ----a-w C:\WINDOWS\Q938829.EXE
2007-08-15 12:49    749,448 ----a-w C:\WINDOWS\Q921503.EXE
2007-08-15 12:47    925,544 ----a-w C:\WINDOWS\Q933579.EXE
2007-07-30 23:19    92,504  ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19    92,504  ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19    549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19    549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 23:19    53,080  ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19    53,080  ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19    43,352  ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19    325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19    325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 23:19    203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19    203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 23:19    1,712,984   ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19    1,712,984   ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 23:18    33,624  ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18    33,624  ----a-w C:\WINDOWS\system32\dllcache\wups.dll
.


(((((((((((((((((((((((((((((   snapshot@2007-10-21_12.19.07.79   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-23 20:13:10   19,230  ----a-r C:\WINDOWS\Installer\{A5CC3E6E-CAC7-4D47-A5C8-743E549890D5}\ARPPRODUCTICON.exe
+ 2006-12-28 21:13:52   516,832 ----a-w C:\WINDOWS\system32\capicom.dll
- 2004-08-04 04:56:50   98,304  ----a-w C:\WINDOWS\system32\cscript.exe
+ 2004-08-10 19:00:00   98,304  ----a-w C:\WINDOWS\system32\cscript.exe
+ 2004-08-10 19:00:00   98,304  ----a-w C:\WINDOWS\system32\dllcache\cscript.exe
+ 2006-10-30 15:30:30   10,032  ----a-w C:\WINDOWS\system32\drivers\SBTEDrv.sys
- 2007-09-07 14:49:51   90,296  ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-10-23 18:49:38   95,072  ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2005-11-02 15:39:14   131,072 ----a-w C:\WINDOWS\system32\MD5.dll
+ 2005-11-02 15:39:16   24,924  ----a-w C:\WINDOWS\system32\openports.dll
+ 2003-02-21 11:16:08   49,152  ----a-w C:\WINDOWS\system32\REGTLIB.EXE
+ 2005-11-02 15:39:16   40,960  ----a-w C:\WINDOWS\system32\SDelete.dll
+ 2006-06-22 19:40:28   493,400 ----a-w C:\WINDOWS\system32\XceedZip.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-20 06:05]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09]


R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
S1 4ee09577.sys;4ee09577.sys;\??\C:\WINDOWS\system32\drivers\4ee09577.sys
S1 72ec21ad.sys;72ec21ad.sys;\??\C:\WINDOWS\system32\drivers\72ec21ad.sys
S1 8f746ec6.sys;8f746ec6.sys;\??\C:\WINDOWS\system32\drivers\8f746ec6.sys
S1 94409c70.sys;94409c70.sys;\??\C:\WINDOWS\system32\drivers\94409c70.sys
S1 edc23d3f.sys;edc23d3f.sys;\??\C:\WINDOWS\system32\drivers\edc23d3f.sys
S1 f0ee9811.sys;f0ee9811.sys;\??\C:\WINDOWS\system32\drivers\f0ee9811.sys
S2 EBIOS32;EBIOS32 - NT Driver;C:\WINDOWS\system32\Drivers\EBIOS32.SYS
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 SBAPIFS;SBAPIFS;\??\C:\WINDOWS\system32\drivers\sbapifs.sys


.
**************************************************************************


catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 22:06:49
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
Completion time: 2007-10-23 22:07:21
C:\ComboFix2.txt ... 2007-10-23 21:30
C:\ComboFix3.txt ... 2007-10-21 12:20
.
--- E O F ---
***********************
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:
---------------------------------


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"SBCSTray" = "C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" ["Sunbelt Software"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"
-> {HKLM...CLSID} = "IE Microsoft AutoComplete"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus statistics"
-> {HKLM...CLSID} = "Web Anti-Virus statistics"
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\ShellEx.dll" ["Kaspersky Lab"]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\ShellEx.dll" ["Kaspersky Lab"]



Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:
-----------------------------


Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Bliss.bmp"



Winsock2 Service Provider DLLs:
-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:
------------------------------------


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Web Anti-Virus statistics"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_12"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll" ["Sun Microsystems, Inc."]


{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Web Anti-Virus statistics"


{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]



Miscellaneous IE Hijack Points
------------------------------


C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")


Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome


Missing lines (compared with English-language version):
[Strings]: 1 line



Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------


AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
Kaspersky Anti-Virus 7.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r" ["Kaspersky Lab"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SigmaTel Audio Service, STacSV, "C:\WINDOWS\system32\STacSV.exe" ["SigmaTel, Inc."]
Sunbelt CounterSpy Antispyware, SBCSSvc, ""C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe"" ["Sunbelt Software"]



---------- (launch time: 2007-10-23 22:16:04)
<<!>>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 36 seconds, including 7 seconds for message boxes)
**************************

I guess I need to disable (again) some of the anti-virus scanners (or maybe uninstall?) They appear to all be starting despite being turned off....

Is it possible to clean up this mess?
Thank you for your time and input. I hope we can trump the bad 'uns!


I tried scanning a bunch of those and kept getting a result of "0 kb file, malware may be preventing you from uploading the file". I did not get through the entire list because of the attacks. I'll try reinstalling Firefox and scanning again. (I suspect most of the list is bad stuff unfortunately :( .)

Sometimes it is hard to sort out the good from the bad, as a lot of legitimate files have gobbledegook names too :(

Thanks to assistance from crunchie and bobbyraw, and extreme patience and diligent scanning and careful elimination of "nasties", the issue has been solved without reformatting and reinstallation of Win XP.
When you get the newest mutations of viruses and trojans, it sometimes just takes patience and diligent updating and continuous scanning with the tools available to conquer the bugs a PC can pick up.
Thank you for the assistance and tools to rescue my son's machine!
