Press F1 forum, thread 80857: Hijacked Computer. Started 2007-07-07 00:11:00 by zahmad (8963).
Post 566694, 2007-07-07 00:11:00, zahmad (8963):

Something keeps eating up my internet. I have done a complete scan of my computer using AVG and Ad-Aware SE... and here is my HijackThis log file... please help! :(

Logfile of HijackThis v1.99.1
Scan saved at 9:19:23 a.m., on 7/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Avedesk\AVEDESK.EXE
C:\Program Files\RK Launcher\RKLauncher.exe
C:\Program Files\Styler\Styler.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Khalid\LOCALS~1\Temp\Rar$EX00.512\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\urqnlli.dll (file missing)
O2 - BHO: (no name) - {F3CF3968-A263-40C0-8E4E-EC4358017BDE} - C:\WINDOWS\system32\tustq.dll (file missing)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [AVG] "C:\Program Files\Grisoft\AVG7\avgcc.exe"
O4 - Startup: Avedesk.lnk = C:\Program Files\Avedesk\AVEDESK.EXE
O4 - Startup: RKLauncher.lnk = C:\Program Files\RK Launcher\RKLauncher.exe
O4 - Startup: Styler.lnk = ?
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O20 - Winlogon Notify: tustq - C:\WINDOWS\system32\tustq.dll (file missing)
O20 - Winlogon Notify: urqnlli - urqnlli.dll (file missing)
O20 - Winlogon Notify: winzms32 - C:\WINDOWS\SYSTEM32\winzms32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
Post 566695, 2007-07-07 00:28:00, Speedy Gonzales (78):

Put HijackThis in its own folder. Run it, tick these entries, then tick Fix checked. Close browser/s.

O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\urqnlli.dll (file missing)
O2 - BHO: (no name) - {F3CF3968-A263-40C0-8E4E-EC4358017BDE} - C:\WINDOWS\system32\tustq.dll (file missing)
O20 - Winlogon Notify: tustq - C:\WINDOWS\system32\tustq.dll (file missing)
O20 - Winlogon Notify: urqnlli - urqnlli.dll (file missing)
O20 - Winlogon Notify: winzms32 - C:\WINDOWS\SYSTEM32\winzms32.dll

I think one of these files belongs to Winfixer / WinAntivirus, which are rogue software programs. Get Trojan Remover and RogueRemover in my sig. Update both, then click on scan. And select all options under Utilities in Trojan Remover as well.
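The reply above picks out the O2 and O20 entries by three signs: a "(file missing)" load point, a BHO with no display name, and a Winlogon Notify DLL that is not one Windows ships. The script below is an added example (not code from the thread, from HijackThis or from Trojan Remover) that applies those same three checks to lines copied from the posted log; the Winlogon Notify allowlist is an assumption, a partial list of the stock Windows XP notify packages, and must be extended for the build being examined.

```python
"""Triage HijackThis O2/O20 entries the way the reply above does."""
import re

# Partial allowlist of Winlogon\Notify DLLs registered by a stock Windows XP
# install (assumption: extend for your own build before relying on it).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - C:\WINDOWS\system32\urqnlli.dll (file missing)
O2 - BHO: (no name) - {F3CF3968-A263-40C0-8E4E-EC4358017BDE} - C:\WINDOWS\system32\tustq.dll (file missing)
O20 - Winlogon Notify: tustq - C:\WINDOWS\system32\tustq.dll (file missing)
O20 - Winlogon Notify: urqnlli - urqnlli.dll (file missing)
O20 - Winlogon Notify: winzms32 - C:\WINDOWS\SYSTEM32\winzms32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

# HijackThis lines start with a section tag such as O2, O20, R1, F2.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")


def parse_entry(line):
    """Split one HijackThis line into section, kind, name, path and a file-missing flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    missing = body.endswith("(file missing)")
    if missing:
        body = body[: -len("(file missing)")].rstrip()
    # Fields are " - " separated; the load path is always the last field.
    fields = [f.strip() for f in body.split(" - ")]
    kind, _, name = fields[0].partition(": ")
    path = fields[-1] if len(fields) > 1 else ""
    return {"section": section, "kind": kind, "name": name, "path": path,
            "file_missing": missing, "raw": line.strip()}


def triage(entry):
    """Return the reasons an entry deserves a closer look (empty list = left alone)."""
    reasons = []
    if entry["section"] in ("O2", "O20") and entry["file_missing"]:
        # A BHO or Winlogon Notify hook pointing at a deleted DLL is an orphaned
        # load point: the scanner removed the file but the registry value survived.
        reasons.append("load point refers to a file that no longer exists")
    if entry["section"] == "O2" and entry["name"] == "(no name)":
        # Legitimate BHOs register a display name; malware frequently does not.
        reasons.append("BHO registered without a display name")
    if entry["section"] == "O20":
        dll = entry["path"].rsplit("\\", 1)[-1].lower()
        if dll not in KNOWN_NOTIFY_DLLS:
            # Winlogon Notify DLLs are loaded into winlogon.exe at logon, which is
            # why they are a favourite persistence spot; anything outside the
            # stock set needs a justification.
            reasons.append(f"Winlogon Notify DLL {dll} is not a known Windows notify package")
    return reasons


def fix_list(log_text):
    """Lines a helper would ask the poster to tick before pressing 'Fix checked'."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and triage(entry):
            flagged.append(entry["raw"])
    return flagged


if __name__ == "__main__":
    for raw in fix_list(SAMPLE_LOG):
        print("FIX:", raw)
        for why in triage(parse_entry(raw)):
            print("     -", why)
```

Run against the sample it flags exactly the five entries the reply lists and leaves the IDM and AVG entries alone.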
Post 566696, 2007-07-07 13:24:00, zahmad (8963):

Thanks, I'll do so as soon as possible... will tell you if they work or not!
Post 566697, 2007-07-08 05:51:00, zahmad (8963):

I have successfully removed the entries from HijackThis and run both RogueRemover and Trojan Remover. RogueRemover has found nothing and I have attached the Trojan Remover file:

***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
8/07/2007 2:54:10 p.m.: Trojan Remover has been restarted
Rootkit Driver entry HKLM\SYSTEM\CurrentControlSet\Services\xpdx could not be removed. It may still be stealthed, or it may already have been removed. You should run a new scan to see if malware is still being detected. If you keep seeing this message, you should run the scan in SAFE mode.
Trojan Remover forced a System Restart by terminating WINLOGON.EXE.
The Cleanup Utility was used to remove locked registry keys.
Unable to rename C:\WINDOWS\system32\XPDX.SYS to C:\WINDOWS\system32\XPDX.SYS.ren
You may want to run a new scan with Trojan Remover in SAFE mode.
8/07/2007 2:58:50 p.m.: Trojan Remover closed
**************************************************
***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.6.1.2477. For information, email simplysupsupport@aol.com
[Unregistered version]
Scan started at: 8/07/2007 2:46:00 p.m.
Files\Internet Download Manager\IDMIECC.dll - this Browser Helper Object has been left in place ---------- Key = {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - this Browser Helper Object has been left in place ---------- ************************************************** 2:47:44 p.m.: Scanning ----- SHELLSERVICEOBJECTS ----- Key = PostBootReminder CLSID = {7849596a-48ea-486e-8937-a2a3009f31a9} %SystemRoot%\system32\SHELL32.dll - this ShellServiceObject has been left in place ---------- Key = CDBurn CLSID = {fbeb8a05-beee-4442-804e-409d6c4515e9} %SystemRoot%\system32\SHELL32.dll - this ShellServiceObject has been left in place ---------- Key = WebCheck CLSID = {E6FB5E20-DE35-11CF-9C87-00AA005127ED} %SystemRoot%\system32\webcheck.dll - this ShellServiceObject has been left in place ---------- Key = SysTray CLSID = {35CEC8A3-2BE6-11D2-8773-92E220524153} C:\WINDOWS\system32\stobject.dll - this ShellServiceObject has been left in place ---------- ************************************************** 2:47:44 p.m.: Scanning ----- SHAREDTASKSCHEDULER ENTRIES ----- Value = {438755C2-A8BA-11D1-B96B-00A0C90312E1} Comment = Browseui preloader File: %SystemRoot%\system32\browseui.dll - this SharedTaskScheduler entry has been left in place ---------- Value = {8C7461EF-2B13-11d2-BE35-3078302C2030} Comment = Component Categories cache daemon File: %SystemRoot%\system32\browseui.dll - this SharedTaskScheduler entry has been left in place ---------- ************************************************** 2:47:45 p.m.: Scanning ----- IMAGEFILE DEBUGGERS ----- No "Debugger" entries found. 
************************************************** 2:47:45 p.m.: Scanning ----- APPINIT_DLLS ----- The AppInit_DLLs value is blank ************************************************** 2:47:45 p.m.: Scanning ----- SECURITY PROVIDER DLLS ----- msapsspc.dll - this entry has been left in place ---------- schannel.dll - this entry has been left in place ---------- digest.dll - this entry has been left in place ---------- msnsspc.dll - this entry has been left in place ---------- ************************************************** 2:47:45 p.m.: Scanning ------ COMMON STARTUP GROUP ------ [C:\Documents and Settings\All Users\Start Menu\Programs\Startup] The Common Startup Group attempts to load the following file(s) at boot time: desktop.ini - this file is expected and has been left in place -------------------- ************************************************** 2:47:45 p.m.: Scanning ------ USER STARTUP GROUPS ------ -------------------- Checking Startup Group for Home [C:\Documents and Settings\Home\START MENU\PROGRAMS\STARTUP] The Startup Group for Home attempts to load the following file(s): desktop.ini - this file is expected and has been left in place -------------------- Checking Startup Group for Khalid [C:\Documents and Settings\Khalid\START MENU\PROGRAMS\STARTUP] The Startup Group for Khalid attempts to load the following file(s): Avedesk.lnk - this links to C:\Program Files\Avedesk\AVEDESK.EXE and has been left in place desktop.ini - this file is expected and has been left in place RKLauncher.lnk - this links to C:\Program Files\RK Launcher\RKLauncher.exe and has been left in place Styler.lnk - this links to C:\Documents and Settings\Khalid\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_7b12541d.exe and has been left in place ************************************************** 2:47:47 p.m.: Scanning ----- SCHEDULED TASKS ----- No Scheduled Tasks found to scan ************************************************** 2:47:47 p.m.: ----- 
ADDITIONAL CHECKS ----- C:\WINDOWS\system32\XPDX.SYS - unable to take ownsership/change permissions C:\WINDOWS\system32\XPDX.SYS has been marked for renaming when the PC is restarted (if it exists) The [xpdx] driver has been marked for deletion when the PC is restarted. PE386 rootkit checks completed ---------- Winlogon registry rootkit checks completed ---------- Heuristic checks for hidden files/drivers completed ---------- ************************************************** 2:47:56 p.m.: Scanning ------ DOWNLOADED PROGRAM FILES ------ The following files are located in the DOWNLOADED PROGRAM FILES directory: C:\WINDOWS\Downloaded Program Files\desktop.ini - this file is expected and has been left in place ************************************************** 2:47:56 p.m.: Scanning ----- RUNNING PROCESSES ----- C:\WINDOWS\System32\smss.exe -------------------- C:\WINDOWS\system32\csrss.exe -------------------- C:\WINDOWS\system32\winlogon.exe -------------------- C:\WINDOWS\system32\services.exe -------------------- C:\WINDOWS\system32\lsass.exe -------------------- C:\WINDOWS\system32\svchost.exe -------------------- C:\WINDOWS\system32\spoolsv.exe -------------------- C:\WINDOWS\System32\SCardSvr.exe -------------------- C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe -------------------- C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe -------------------- C:\PROGRA~1\Grisoft\AVG7\avgemc.exe -------------------- C:\WINDOWS\system32\wdfmgr.exe -------------------- C:\Program Files\Canon\CAL\CALMAIN.exe -------------------- C:\WINDOWS\System32\alg.exe -------------------- C:\WINDOWS\Explorer.EXE -------------------- C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe -------------------- C:\WINDOWS\system32\wuauclt.exe -------------------- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 4.exe -------------------- C:\PROGRA~1\Grisoft\AVG7\avgcc.exe -------------------- C:\WINDOWS\system32\ctfmon.exe -------------------- C:\Program Files\Internet Download Manager\IDMan.exe 
-------------------- C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE -------------------- C:\COMPAQ\CPQINET\CPQInet.exe -------------------- C:\Compaq\EAKDRV\EAUSBKBD.EXE -------------------- C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe -------------------- C:\Program Files\Avedesk\AVEDESK.EXE -------------------- C:\Program Files\RK Launcher\RKLauncher.exe -------------------- C:\Program Files\Styler\Styler.exe -------------------- C:\WINDOWS\NOTEPAD.EXE -------------------- C:\Documents and Settings\Khalid\Application Data\Simply Super Software\Trojan Remover\sxxD9.exe FileSize: 1,876,544 [This is a Trojan Remover component] -------------------- ************************************************** 2:48:04 p.m.: Checking AUTOEXEC.BAT file AUTOEXEC.BAT found in C:\ No malicious entries were found in the AUTOEXEC.BAT file ************************************************** 2:48:04 p.m.: Checking AUTOEXEC.NT file AUTOEXEC.NT found in C:\WINDOWS\system32 No malicious entries were found in the AUTOEXEC.NT file ************************************************** 2:48:04 p.m.: Checking HOSTS file No malicious entries were found in the HOSTS file ************************************************** ------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------ HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Start Page": www.microsoft.com HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Local Page": %SystemRoot%\system32\blank.htm HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Search Page": www.microsoft.com HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL": www.microsoft.com HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL": www.microsoft.com HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch": ie.search.msn.com HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"SearchAssistant": ie.search.msn.com 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page": www.microsoft.com HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Local Page": C:\WINDOWS\system32\blank.htm HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page": www.microsoft.com ************************************************** === CHANGES WERE MADE TO THE WINDOWS REGISTRY === Scan completed at: 8/07/2007 2:48:04 p.m. ------------------------------------------------------------------------- One or more files could not be moved or renamed as requested. They may be in use by Windows, so Trojan Remover needs to restart the system in order to deal with these files. The restart has been cancelled, but Trojan Remover has been set to deal with the file(s) the next time the system is restarted. ************************************************** ********** ***** TROJAN REMOVER HAS RESTARTED THE SYSTEM ***** 8/07/2007 2:37:18 p.m.: Trojan Remover has been restarted Rootkit Driver entry HKLM\SYSTEM\CurrentControlSet\Services\xpdx could not be removed. It may still be stealthed, or it may already have been removed. You should run a new scan to see if malware is still being detected. If you keep seeing this message, you should run the scan in SAFE mode. Unable to rename C:\WINDOWS\system32\XPDX.SYS to C:\WINDOWS\system32\XPDX.SYS.ren You may want to run a new scan with Trojan Remover in SAFE mode. 8/07/2007 2:39:20 p.m.: Trojan Remover closed ************************************************** ********** ***** NORMAL SCAN FOR ACTIVE MALWARE ***** Trojan Remover Ver 6.6.1.2477. For information, email simplysupsupport@aol.com [Unregistered version] Scan started at: 8/07/2007 2:30:49 p.m. 
Using Database v6824 Operating System: Windows XP Professional Service Pack 2 (Build 2600) Using data directory: C:\Documents and Settings\Khalid\Application Data\Simply Super Software\Trojan Remover\ Logfile directory: C:\Documents and Settings\Khalid\My Documents\Simply Super Software\Trojan Remover Logfiles\ Running with Administrator privileges ************************************************** The following Anti-Malware program(s) are loaded: AVG Anti-Virus AVG Anti-Virus AVG Anti-Virus ************************************************** Checking Registry exefile command for modifications Checking Registry comfile command for modifications Checking Registry piffile command for modifications Checking Registry batfile command for modifications Checking Registry regfile command for modifications Checking Registry cmdfile command for modifications Checking Registry scrfile command for modifications ************************************************** 2:30:49 p.m.: Scanning ----------WIN.INI----------- WIN.INI found in C:\WINDOWS ************************************************** 2:30:49 p.m.: Scanning --------SYSTEM.INI--------- SYSTEM.INI found in C:\WINDOWS ************************************************** 2:30:49 p.m.: ----- SCANNING FOR ROOTKIT SERVICES ----- No hidden Services were detected. 
************************************************** 2:30:51 p.m.: Scanning -----WINDOWS REGISTRY----- -------------------- Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon This key's "Shell" value calls the following program(s): Explorer.exe - this entry has been left in place ---------- This key's "Userinit" value calls the following program(s): C:\WINDOWS\system32\userinit.exe - this entry has been left in place ---------- This key's "System" value appears to be blank ---------- -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -------------------- Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Value Name = load The Data Value for this entry appears to be blank -------------------- -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run This Registry Key attempts to run the following program(s): Value Name = CPQEASYACC Value Data = C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe - this command has been left in place -------------------- Value Name = WCOLOREAL Value Data = C:\Program Files\COMPAQ\Coloreal\coloreal.exe - this command has been left in place -------------------- Value Name = HPDJ Taskbar Utility Value Data = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 4.exe - this command has been left in place -------------------- Value Name = AVG7_CC Value Data = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP - this command has been left in place -------------------- Value Name = TrojanScanner Value Data = C:\Program Files\Trojan Remover\Trjscan.exe - this program is Trojan Remover's own scan file -------------------- -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Once This Registry Key appears to be empty -------------------- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OnceEx This Registry Key appears to be 
empty -------------------- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run This Registry Key attempts to run the following program(s): Value Name = ctfmon.exe Value Data = C:\WINDOWS\system32\ctfmon.exe - this command has been left in place -------------------- Value Name = IDMan Value Data = C:\Program Files\Internet Download Manager\IDMan.exe /onboot - this command has been left in place -------------------- Value Name = AVG Value Data = C:\Program Files\Grisoft\AVG7\avgcc.exe" - this command has been left in place -------------------- -------------------- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run Once This Registry Key appears to be empty ************************************************** 2:30:53 p.m.: Scanning -----SHELLEXECUTEHOOKS----- ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972} File: shell32.dll - this file is expected and has been left in place ---------- ************************************************** 2:30:53 p.m.: Scanning -----HIDDEN REGISTRY ENTRIES----- Taskdir check completed ---------- No Hidden File-loading Registry Entries found ---------- ************************************************** 2:30:54 p.m.: Scanning -----ACTIVE SCREENSAVER----- ScreenSaver=C:\WINDOWS\system32\logon.scr - this command has been left in place -------------------- ************************************************** 2:30:54 p.m.: Scanning ----- REGISTRY ACTIVE SETUP KEYS ----- Checking the StubPath calls in the Active Setup\Installed Components registry keys: Key=>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} StubPath=C:\WINDOWS\inf\unregmp2.exe - this reference has been left in place ---------- Key=>{26923b43-4d38-484f-9b9e-de460746276c} StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place ---------- Key=>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place ---------- Key={2C7339CF-2B09-4501-B3F3-F3508C9228ED} 
StubPath=C:\WINDOWS\system32\regsvr32.exe - this reference has been left in place ---------- Key={44BBA840-CC51-11CF-AAFA-00AA00B6015C} StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place ---------- Key={7790769C-0471-11d2-AF11-00C04FA35D02} StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place ---------- Key={89820200-ECBD-11cf-8B85-00AA005B4340} StubPath=regsvr32.exe - this reference has been left in place ---------- Key={89820200-ECBD-11cf-8B85-00AA005B4383} StubPath=C:\WINDOWS\system32\ie4uinit.exe - this reference has been left in place ---------- ************************************************** 2:30:57 p.m.: Scanning ----- SERVICEDLL REGISTRY KEYS ----- Checking DLL files called from the CurrentControlSet\Services Keys: -------------------- Key=Alerter ServiceDLL=%SystemRoot%\system32\alrsvc.dll - this reference has been left in place -------------------- Key=AppMgmt ServiceDLL=%SystemRoot%\System32\appmgmts.dll - this reference has been left in place -------------------- Key=AudioSrv ServiceDLL=%SystemRoot%\System32\audiosrv.dll - this reference has been left in place -------------------- Key=BITS ServiceDLL=C:\WINDOWS\system32\qmgr.dll - this reference has been left in place -------------------- Key=Browser ServiceDLL=%SystemRoot%\System32\browser.dll - this reference has been left in place -------------------- Key=CryptSvc ServiceDLL=%SystemRoot%\System32\cryptsvc.dll - this reference has been left in place -------------------- Key=DcomLaunch ServiceDLL=%SystemRoot%\system32\rpcss.dll - this reference has been left in place -------------------- Key=Dhcp ServiceDLL=%SystemRoot%\System32\dhcpcsvc.dll - this reference has been left in place -------------------- Key=dmserver ServiceDLL=%SystemRoot%\System32\dmserver.dll - this reference has been left in place -------------------- Key=Dnscache ServiceDLL=%SystemRoot%\System32\dnsrslvr.dll - this reference has been left in place 
-------------------- Key=ERSvc ServiceDLL=%SystemRoot%\System32\ersvc.dll - this reference has been left in place -------------------- Key=EventSystem ServiceDLL=C:\WINDOWS\system32\es.dll - this reference has been left in place -------------------- Key=FastUserSwitchingCompatibility ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place -------------------- Key=helpsvc ServiceDLL=%WINDIR%\PCHealth\HelpCtr\Binaries\pchs vc.dll - this reference has been left in place -------------------- Key=HidServ ServiceDLL=%SystemRoot%\System32\hidserv.dll - this reference has been left in place -------------------- Key=HTTPFilter ServiceDLL=%SystemRoot%\System32\w3ssl.dll - this reference has been left in place -------------------- Key=lanmanserver ServiceDLL=%SystemRoot%\System32\srvsvc.dll - this reference has been left in place -------------------- Key=lanmanworkstation ServiceDLL=%SystemRoot%\System32\wkssvc.dll - this reference has been left in place -------------------- Key=LmHosts ServiceDLL=%SystemRoot%\System32\lmhsvc.dll - this reference has been left in place -------------------- Key=Messenger ServiceDLL=%SystemRoot%\System32\msgsvc.dll - this reference has been left in place -------------------- Key=Netman ServiceDLL=%SystemRoot%\System32\netman.dll - this reference has been left in place -------------------- Key=Nla ServiceDLL=%SystemRoot%\System32\mswsock.dll - this reference has been left in place -------------------- Key=NtmlSvc ServiceDLL=C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll - appears to contain SUSPICIOUS.ENTRY ServiceDLL=C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll - this call has been removed C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll has been renamed to: C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll.ren ---------- -------------------- Key=NtmsSvc ServiceDLL=%SystemRoot%\system32\ntmssvc.dll - this reference has 
been left in place -------------------- Key=RasAuto ServiceDLL=%SystemRoot%\System32\rasauto.dll - this reference has been left in place -------------------- Key=RasMan ServiceDLL=%SystemRoot%\System32\rasmans.dll - this reference has been left in place -------------------- Key=RemoteAccess ServiceDLL=%SystemRoot%\System32\mprdim.dll - this reference has been left in place -------------------- Key=RemoteRegistry ServiceDLL=%SystemRoot%\system32\regsvc.dll - this reference has been left in place -------------------- Key=RpcSs ServiceDLL=%SystemRoot%\system32\rpcss.dll - this reference has been left in place -------------------- Key=Schedule ServiceDLL=%SystemRoot%\system32\schedsvc.dll - this reference has been left in place -------------------- Key=seclogon ServiceDLL=%SystemRoot%\System32\seclogon.dll - this reference has been left in place -------------------- Key=SENS ServiceDLL=%SystemRoot%\system32\sens.dll - this reference has been left in place -------------------- Key=SharedAccess ServiceDLL=%SystemRoot%\System32\ipnathlp.dll - this reference has been left in place -------------------- Key=ShellHWDetection ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place -------------------- Key=srservice ServiceDLL=C:\WINDOWS\system32\srsvc.dll - this reference has been left in place -------------------- Key=SSDPSRV ServiceDLL=%SystemRoot%\System32\ssdpsrv.dll - this reference has been left in place -------------------- Key=stisvc ServiceDLL=%SystemRoot%\system32\wiaservc.dll - this reference has been left in place -------------------- Key=TapiSrv ServiceDLL=%SystemRoot%\System32\tapisrv.dll - this reference has been left in place -------------------- Key=TermService ServiceDLL=%SystemRoot%\System32\termsrv.dll - this reference has been left in place -------------------- Key=Themes ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place -------------------- Key=TrkWks ServiceDLL=%SystemRoot%\system32\trkwks.dll 
- this reference has been left in place -------------------- Key=upnphost ServiceDLL=%SystemRoot%\System32\upnphost.dll - this reference has been left in place -------------------- Key=W32Time ServiceDLL=C:\WINDOWS\system32\w32time.dll - this reference has been left in place -------------------- Key=WebClient ServiceDLL=%SystemRoot%\System32\webclnt.dll - this reference has been left in place -------------------- Key=winmgmt ServiceDLL=%SystemRoot%\system32\wbem\WMIsvc.dll - this reference has been left in place -------------------- Key=WmdmPmSN ServiceDLL=C:\WINDOWS\system32\MsPMSNSv.dll - this reference has been left in place -------------------- Key=Wmi ServiceDLL=%SystemRoot%\System32\advapi32.dll - this reference has been left in place -------------------- Key=wscsvc ServiceDLL=%SYSTEMROOT%\system32\wscsvc.dll - this reference has been left in place -------------------- Key=wuauserv ServiceDLL=C:\WINDOWS\system32\wuauserv.dll - this reference has been left in place -------------------- Key=WZCSVC ServiceDLL=%SystemRoot%\System32\wzcsvc.dll - this reference has been left in place -------------------- Key=xmlprov ServiceDLL=%SystemRoot%\System32\xmlprov.dll - this reference has been left in place ************************************************** 2:31:41 p.m.: Scanning ----- SERVICES REGISTRY KEYS ----- Checking files called from the CurrentControlSet\Services Keys: Key=ACPI ImagePath=system32\DRIVERS\ACPI.sys - this reference has been left in place ---------- Key=aec ImagePath=system32\drivers\aec.sys - this reference has been left in place ---------- Key=AFD ImagePath=\SystemRoot\System32\drivers\afd.sys - this reference has been left in place ---------- Key=agp440 ImagePath=system32\DRIVERS\agp440.sys - this reference has been left in place ---------- Key=ALG ImagePath=%SystemRoot%\System32\alg.exe - this reference has been left in place ---------- Key=Arp1394 ImagePath=system32\DRIVERS\arp1394.sys - this reference has been left in place ---------- 
Key=aspnet_state ImagePath=%SystemRoot%\Microsoft.NET\Framework\v2. 0.50727\aspnet_state.exe - this reference has been left in place ---------- Key=AsyncMac ImagePath=system32\DRIVERS\asyncmac.sys - this reference has been left in place ---------- Key=atapi ImagePath=system32\DRIVERS\atapi.sys - this reference has been left in place ---------- Key=Atmarpc ImagePath=system32\DRIVERS\atmarpc.sys - this reference has been left in place ---------- Key=audstub ImagePath=system32\DRIVERS\audstub.sys - this reference has been left in place ---------- Key=Avg7Alrt ImagePath=C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe - this reference has been left in place ---------- Key=Avg7Core ImagePath=\SystemRoot\System32\Drivers\avg7core.sy s - this reference has been left in place ---------- Key=Avg7RsW ImagePath=\SystemRoot\System32\Drivers\avg7rsw.sys - this reference has been left in place ---------- Key=Avg7RsXP ImagePath=\SystemRoot\System32\Drivers\avg7rsxp.sy s - this reference has been left in place ---------- Key=Avg7UpdSvc ImagePath=C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe - this reference has been left in place ---------- Key=AvgClean ImagePath=\SystemRoot\System32\Drivers\avgclean.sy s - this reference has been left in place ---------- Key=AVGEMS ImagePath=C:\PROGRA~1\Grisoft\AVG7\avgemc.exe - this reference has been left in place ---------- Key=AvgTdi ImagePath=\SystemRoot\System32\Drivers\avgtdi.sys - this reference has been left in place ---------- Key=CCALib8 ImagePath=C:\Program Files\Canon\CAL\CALMAIN.exe - this reference has been left in place ---------- Key=Cdrom ImagePath=system32\DRIVERS\cdrom.sys - this reference has been left in place ---------- Key=CiSvc ImagePath=%SystemRoot%\system32\cisvc.exe - this reference has been left in place ---------- Key=ClipSrv ImagePath=%SystemRoot%\system32\clipsrv.exe - this reference has been left in place ---------- Key=clr_optimization_v2.0.50727_32 ImagePath=C:\WINDOWS\Microsoft.NET\Framework\v2.0. 
50727\mscorsvw.exe - this reference has been left in place ---------- Key=COMSysApp ImagePath=C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} - this reference has been left in place ---------- Key=Disk ImagePath=system32\DRIVERS\disk.sys - this reference has been left in place ---------- Key=dmadmin ImagePath=%SystemRoot%\System32\dmadmin.exe /com - this reference has been left in place ---------- Key=dmboot ImagePath=System32\drivers\dmboot.sys - this reference has been left in place ---------- Key=dmio ImagePath=System32\drivers\dmio.sys - this reference has been left in place ---------- Key=dmload ImagePath=System32\drivers\dmload.sys - this reference has been left in place ---------- Key=DMusic ImagePath=system32\drivers\DMusic.sys - this reference has been left in place ---------- Key=drmkaud ImagePath=system32\drivers\drmkaud.sys - this reference has been left in place ---------- Key=EACMOS ImagePath=\SystemRoot\system32\drivers\EACMOS.SYS - this reference has been left in |
zahmad (8963) | ||
| 566698 | 2007-07-08 06:06:00 | Yup, do another scan and if it comes up again, select remove the reference from the registry. Did u select all of the options under utilities as well? |
Speedy Gonzales (78) | ||
| 566699 | 2007-07-08 06:25:00 | Yes, I have selected all the options under utilities.....here is what I got in my last scan after restart:
***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
8/07/2007 3:32:19 p.m.: Trojan Remover has been restarted
Rootkit Driver entry HKLM\SYSTEM\CurrentControlSet\Services\xpdx could not be removed. It may still be stealthed, or it may already have been removed. You should run a new scan to see if malware is still being detected. If you keep seeing this message, you should run the scan in SAFE mode.
Unable to rename C:\WINDOWS\system32\drivers\EACMOS.SYS to C:\WINDOWS\system32\drivers\EACMOS.SYS.ren
(C:\WINDOWS\system32\drivers\EACMOS.SYS does not appear to exist)
Unable to rename C:\WINDOWS\system32\drivers\EAWDMFD.sys to C:\WINDOWS\system32\drivers\EAWDMFD.sys.ren
(C:\WINDOWS\system32\drivers\EAWDMFD.sys does not appear to exist)
Unable to rename C:\WINDOWS\system32\XPDX.SYS to C:\WINDOWS\system32\XPDX.SYS.ren
You may want to run a new scan with Trojan Remover in SAFE mode.
8/07/2007 3:36:34 p.m.: Trojan Remover closed
**************************************************
**********
I will try again now.... What else can I do? |
zahmad (8963) | ||
| 566700 | 2007-07-08 06:37:00 | Did u select remove its reference from the registry?? Do it in safe mode (press and hold down F8 after u reboot): boot into safe mode and run Trojan Remover again. If it comes up again, it should be able to rename it (if u selected remove reference from registry, but it didn't work), since the service for it shouldn't be running in safe mode. Or, to fix it permanently (if it still won't disappear): boot into safe mode, go to Start/Run and type regedit. Go to the entry Trojan Remover is showing, HKLM\SYSTEM\CurrentControlSet\Services\xpdx (HKLM is HKEY_LOCAL_MACHINE in the registry). Highlight HKLM\SYSTEM\CurrentControlSet\Services\xpdx and delete this key ONLY. Then go to the C:\WINDOWS\system32 folder, find XPDX.SYS, highlight XPDX.SYS and delete it. Then find C:\WINDOWS\system32\drivers\EACMOS.SYS and delete EACMOS.SYS. And find C:\WINDOWS\system32\drivers\EAWDMFD.sys and delete this file. Then reboot and do another scan. |
Speedy Gonzales (78) | ||
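Before deleting anything by hand, it helps to see why a cleaner reports a service key it "could not remove" while regedit shows nothing. The script below is an added example, not code from the thread or from Trojan Remover: it cross-checks a driver service from three views that must agree on a clean system (the registry as regedit reads it, the Service Control Manager through WMI, and the file on disk) and reports any disagreement. The service name xpdx and the system32\XPDX.SYS location come from the log above; the known-good Tcpip contrast, the helper names and the verdict wording are assumptions for a current Windows host with PowerShell 5.1 or later, run elevated.

```powershell
# Added example (not from the thread or Trojan Remover): cross-check a driver
# service from three independent views and flag disagreements, which is the
# classic sign of a hidden (stealthed) service entry.

function Resolve-DriverPath {
    # Turns the ImagePath forms seen in the log into an absolute file path:
    #   system32\DRIVERS\x.sys, \SystemRoot\System32\..., %SystemRoot%\..., \??\C:\...
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim().Trim('"'))
    if ($p -match '^\\SystemRoot\\(.+)$')  { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -match '^\\\?\?\\(.+)$')    { $p = $Matches[1] }
    elseif ($p -notmatch '^[A-Za-z]:\\')   { $p = Join-Path $env:SystemRoot $p }
    # Drop trailing arguments such as "dllhost.exe /Processid:{...}".
    if ($p -match '^(.+?\.(sys|exe|dll))(\s.*)?$') { $p = $Matches[1] }
    return $p
}

function Test-DriverService {
    param([Parameter(Mandatory)][string]$Name)
    $r = [ordered]@{ Name = $Name }

    # View 1: the registry key, as regedit and Get-Item read it.
    $key = Get-Item -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -ErrorAction SilentlyContinue
    $r.RegistryKey = [bool]$key
    $imagePath = if ($key) { $key.GetValue('ImagePath') } else { $null }

    # View 2: the Service Control Manager's driver list, read through WMI.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    $r.ScmEntry = [bool]$drv
    $r.State    = if ($drv) { $drv.State } else { 'n/a' }
    if (-not $imagePath -and $drv) { $imagePath = $drv.PathName }

    # View 3: the file on disk. With no ImagePath from either view, fall back to
    # where the log found XPDX.SYS (system32\<name>.sys) and the drivers folder.
    $candidates = @()
    if ($imagePath) { $candidates += Resolve-DriverPath $imagePath }
    $candidates += (Join-Path $env:SystemRoot "system32\$Name.sys"),
                   (Join-Path $env:SystemRoot "system32\drivers\$Name.sys")
    $r.FilePath   = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    $r.FileOnDisk = [bool]$r.FilePath

    # A cleaner that cannot delete a file in use schedules a rename for the next
    # boot in PendingFileRenameOperations ("marked for renaming" in the log).
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    $r.RenamePending = [bool]($sm.PendingFileRenameOperations | Where-Object { $_ -like "*\$Name.sys*" })

    # Verdict: the three views should agree; a disagreement is the hiding signal.
    $r.Verdict = if ($r.RegistryKey -and $r.ScmEntry -and $r.FileOnDisk) {
        'visible in all views: handle with normal service tooling'
    } elseif ($r.ScmEntry -and -not $r.RegistryKey) {
        'SCM lists it but the registry view does not: key is being hidden'
    } elseif ($r.FileOnDisk -and -not $r.RegistryKey) {
        'orphaned driver file: key hidden or already removed; remove the file in safe mode and rescan'
    } elseif ($r.RegistryKey -and -not $r.FileOnDisk) {
        'dangling service entry: file missing or hidden'
    } else {
        'not present in any view'
    }
    [pscustomobject]$r
}

# Constructed usage: the driver named in the log, plus a known-good one for contrast.
'xpdx', 'Tcpip' | ForEach-Object { Test-DriverService -Name $_ } | Format-List
```

On the machine in this thread the expected picture is the "orphaned driver file" verdict for xpdx (file present, key not visible), which is what makes the safe-mode deletion and rescan the right next step rather than more regedit searching.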
| 566701 | 2007-07-08 06:59:00 | Oops, just noticed in the log u posted that EACMOS.SYS and EAWDMFD.sys may not exist. So if u can't find them, don't worry about these 2 files. XPDX.sys may still be on your system. |
Speedy Gonzales (78) | ||
| 566702 | 2007-07-08 07:10:00 | I cannot find the xpdx in registry....found xpdx in c, but cannot delete it...."cannot specify path"..... What to do now? |
zahmad (8963) | ||
| 566703 | 2007-07-08 07:34:00 | Anyone? | zahmad (8963) | ||