
Post #1 · Discussion Starter · Registered · 95 Posts
My computer is experiencing the same problem. Persistent Lop.as Trojan detected by the AVG software. How can I manually remove a Lop virus? I don't want to download a Lop remover because that requires turning off the anti-malware products, and every time I do that my computer gets inundated with large amounts of Rootkits, Trojans, Viruses etc... Also I can't start my computer in safe mode any more, the CD/DVD rom drive is no longer accessible, and the sfc dll's have been deleted so system file restoration has been compromised as well. Feels like I'm getting boxed into a corner. Is my only option left to reformat?
 

Post #2 · Discussion Starter · Registered · 95 Posts
Originally infected with Rootkit.Win32/Agent.cs, one of the Rootkit removing software packages reported it was removed successfully. Then Rootkit.Win32/Agony was detected and removed by the AVG anti-spyware package.

Reports of Trojan Lop.As being detected are popping up every 15 minutes or so. Initial check of access to the CD/DVD rom drive shows it to be inaccessible. The computer hangs every time I try to reboot into safe mode. The System Restore function is also no longer working because the sfc_os.dll is missing.

Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 4:51:00 PM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft - AVG Anti-Spyware\guard.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\PROGRA~1\GRISOF~3\avgamsvr.exe
C:\PROGRA~1\GRISOF~3\avgupsvc.exe
C:\PROGRA~1\GRISOF~3\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Acronis\Malware Shield\psh_svc.exe
C:\Program Files\Alias\mentalray3.45\bin\ray345server.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Grisoft - AVG Anti-Spyware\avgas.exe
C:\PROGRA~1\GRISOF~3\avgcc.exe
C:\WINDOWS\system32\swinroed.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos Anti-Rootkit\sargui.exe
J:\Apps - Utilz - Security\Anti Malware - Windows Malicious Software Removal Tool\Windows-KB890830-V1.23.exe
h:\f00eb8114b549f6d94\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
J:\Apps - Utilz - Security\Anti Malware - Tools - HijackThis\HijackThis.exe
C:\WINDOWS\system32\verclsid.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb101\Dealio.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {DC5B2C9E-7845-4C90-873D-44742FB9ED66} - C:\WINDOWS\system32\vtuutuv.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O2 - BHO: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing)
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb101\Dealio.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft - AVG Anti-Spyware\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOF~3\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinroed.exe OLI001
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\This Computer\Local Settings\Temp\bundle.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\swinroed.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb101\res\DealioSearch.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb101\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Sandboxie Toolbar - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Sandboxie - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095899849828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148481372656
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: vtuutuv - C:\WINDOWS\SYSTEM32\vtuutuv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft - AVG Anti-Spyware\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pixar License Server - Macrovision Corporation - C:\Program Files\Pixar\license-3.0\lmgrd.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Acronis Malware Shield Service (psh_svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Malware Shield\psh_svc.exe
O23 - Service: Ray345 Server (Ray345Server) - Unknown owner - C:\Program Files\Alias\mentalray3.45\bin\ray345server.exe
O23 - Service: SPM License Server (SPMLM) - mental images GmbH & Co. KG - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
O23 - Service: XKXIBB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THISCO~1\LOCALS~1\Temp\XKXIBB.exe

Is there a way to remove the Lop.AS problem specifically? Is there perhaps an underlying Rootkit that is still not being detected?
Any help on this would be appreciated. Thank you for your time and patience.
 

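The two HijackThis logs in this thread are read by eye, which is how the helpers on this forum work. The script below is an added example, not part of the original posts and not a feature of HijackThis or SDFix: it parses the O2/O4/O20/O21/O23 line formats and applies four triage rules an analyst would apply first (a BHO registered with no name, a Winlogon Notify package outside an allow-list, an autostart or service binary living under a Temp directory, and one file registered in more than one autostart location). The allow-list of Winlogon Notify packages is an assumption about a stock XP SP2 install, and the sample lines are a constructed excerpt shaped like the log above. A hit means "look at this file", not "confirmed malware".

```python
"""Heuristic triage of HijackThis v1.99 log lines.

Added example for this thread, not part of the original posts and not a
HijackThis feature. A flag is a lead for the analyst, not proof of infection:
the allow-list below is an assumption, and the multiple-persistence rule will
also fire on some legitimate software.
"""
import re

# Assumption: Winlogon Notify packages that are normal on Windows XP SP2.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon",
}
# Sections that load code at boot/logon; O3/O8/O9 are UI hooks and excluded.
AUTOSTART_SECTIONS = {"O2", "O4", "O20", "O21", "O23"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First Windows path ending in .exe/.dll; non-greedy so "x.exe OLI001" stops at .exe.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.I)

# Constructed sample, shaped like the lines in the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DC5B2C9E-7845-4C90-873D-44742FB9ED66} - C:\WINDOWS\system32\vtuutuv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinroed.exe OLI001
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\This Computer\Local Settings\Temp\bundle.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\swinroed.exe
O20 - Winlogon Notify: vtuutuv - C:\WINDOWS\SYSTEM32\vtuutuv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: XKXIBB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THISCO~1\LOCALS~1\Temp\XKXIBB.exe
"""


def parse_entries(log_text):
    """Return (section, body) for each 'Onn - ...' line; process-list lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def extract_path(body):
    """First .exe/.dll path in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def triage(log_text):
    """Return a list of (section, path, reason) findings."""
    findings = []
    locations = {}  # lower-case file name -> set of autostart entries naming it
    for section, body in parse_entries(log_text):
        path = extract_path(body)
        if section == "O2" and body.startswith("BHO: (no name)"):
            findings.append((section, path, "BHO registered without a name"))
        if section == "O20":
            pkg = body.split(": ", 1)[1].split(" - ", 1)[0]
            if pkg not in KNOWN_WINLOGON_NOTIFY:
                findings.append((section, path, "Winlogon Notify package not on allow-list"))
        if section in ("O4", "O23") and path and "\\temp\\" in path.lower():
            findings.append((section, path, "autostart or service binary in a Temp directory"))
        if path and section in AUTOSTART_SECTIONS:
            locations.setdefault(path.rsplit("\\", 1)[-1].lower(), set()).add(body)
    for name, bodies in locations.items():
        if len(bodies) > 1:
            findings.append(("*", name, "same file registered in %d autostart entries" % len(bodies)))
    return findings


def flagged_files(log_text):
    """Lower-case file names that appear in at least one finding."""
    names = set()
    for _section, path, _reason in triage(log_text):
        if path:
            names.add(path.rsplit("\\", 1)[-1].lower())
    return names


if __name__ == "__main__":
    for section, path, reason in triage(SAMPLE_LOG):
        print("%-4s %-60s %s" % (section, path, reason))
```

On the sample, the rules single out vtuutuv.dll (unnamed BHO, unlisted Winlogon Notify package, two autostart locations), swinroed.exe (Run key plus a Startup shortcut), and the two binaries under Temp; the Adobe, Java, WGA and NVIDIA entries pass. The rules are deliberately cheap so they can be re-run on each new log a poster uploads, and a false positive costs only a closer look.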
Post #3 · Administrator · 123,536 Posts
Hi and welcome to TSG,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
  • Instead of Windows loading as normal, the Advanced Options Menu should appear
  • Select the first option, to run Windows in Safe Mode, then press Enter
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
 

Post #4 · Discussion Starter · Registered · 95 Posts
Note:
AVG's Anti-Virus software is still detecting Trojan Lop.AS approximately every 15 minutes or so. Every time I tell it to move the virus to the virus vault it writes a file to my temporary internet folder that cannot be accessed or read. If I delete that file, then not long after it's been deleted, I get another detection of Trojan Lop.AS and the whole process is repeated.
About every 4th or 5th detection, instead of telling me that the virus has been successfully moved to the vault, it states that the computer must be restarted in order to complete the process. This of course turns out to be untrue, so I have disabled AVG Anti-Virus until whatever is causing the Lop.AS problem has been resolved.

SDFix Report:
SDFix: Version 1.53
****************

Wed 01/03/2007 - 16:52:16.28

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Stage One - Safe Mode

Checking Services...

Service Name:

File Path:

Starting Registry Repairs...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\WINDOWS\kb823980.log
C:\WINDOWS\system32\msnav32.ax

Backing Up and Removing any Files Found...

Alternate Stream Check:

C:\WINDOWS\system32
No streams found.
Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\SYSTEM32\\USMT\\migwiz.exe"="C:\\WINDOWS\\SYSTEM32\\USMT\\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"="C:\\Program Files\\WS_FTP\\WS_FTP95.exe:*:Disabled:WS_FTP 95"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\e-on software\\Vue 5 Infinite\\Application\\Vue 5 Infinite.eon"="C:\\Program Files\\e-on software\\Vue 5 Infinite\\Application\\Vue 5 Infinite.eon:*:Disabled:Vue 5 Infinite"
"C:\\Program Files\\Curious Labs\\Poser 6\\Poser.exe"="C:\\Program Files\\Curious Labs\\Poser 6\\Poser.exe:*:Disabled:poser executable file"
"C:\\Program Files\\CambridgeSoft\\ChemOffice2006\\Chem3D\\Chem3D.exe"="C:\\Program Files\\CambridgeSoft\\ChemOffice2006\\Chem3D\\Chem3D.exe:*:Disabled:Chem3D Ultra 10.0"
"G:\\Games\\HL2\\hl2.exe"="G:\\Games\\HL2\\hl2.exe:*:Disabled:hl2"
"%SystemDir%\\winsecurityxp\\mswinup.exe"="%SystemDir%\\winsecurityxp\\mswinup.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Autodesk\\backburner\\manager.exe"="C:\\Program Files\\Autodesk\\backburner\\manager.exe:*:Disabled:backburner 2.3 manager"
"C:\\Program Files\\Autodesk\\backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\backburner\\monitor.exe:*:Disabled:backburner 2.3 monitor"
"C:\\Program Files\\Autodesk\\backburner\\server.exe"="C:\\Program Files\\Autodesk\\backburner\\server.exe:*:Disabled:backburner 2.3 server"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\Program Files\\Grisoft - AVG Anti-Virus Pro\\avginet.exe"="C:\\Program Files\\Grisoft - AVG Anti-Virus Pro\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft - AVG Anti-Virus Pro\\avgamsvr.exe"="C:\\Program Files\\Grisoft - AVG Anti-Virus Pro\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft - AVG Anti-Virus Pro\\avgcc.exe"="C:\\Program Files\\Grisoft - AVG Anti-Virus Pro\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft - AVG Anti-Virus Pro\\avgemc.exe"="C:\\Program Files\\Grisoft - AVG Anti-Virus Pro\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe:*:Disabled:Autodesk 3ds Max 8"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Disabled:Azureus"
"C:\\Program Files\\Pixar\\license-3.0\\lmgrd.exe"="C:\\Program Files\\Pixar\\license-3.0\\lmgrd.exe:LocalSubNet:Disabled:lmgrd.exe"
"C:\\Program Files\\Pixar\\license-3.0\\pixard.exe"="C:\\Program Files\\Pixar\\license-3.0\\pixard.exe:LocalSubNet:Disabled:pixard.exe"
"C:\\Program Files\\tsWebEditor\\tswebeditor.exe"="C:\\Program Files\\tsWebEditor\\tswebeditor.exe:LocalSubNet:Disabled:tsWebEditor"
"C:\\Program Files\\Winamp\\winamp.exe"="C:\\Program Files\\Winamp\\winamp.exe:*:Disabled:Winamp"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:Framework Service"
"C:\\WINDOWS\\SYSTEM32\\mmc.exe"="C:\\WINDOWS\\SYSTEM32\\mmc.exe:*:Disabled:Microsoft Management Console"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\SYSTEM32\\javaw.exe"="C:\\WINDOWS\\SYSTEM32\\javaw.exe:*:Disabled:Java(TM) 2 Platform Standard Edition binary"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Disabled:µTorrent"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll
C:\Program Files\Canon\Canon Setup Utility 2.3\uinstrsc.dll
C:\WINDOWS\SYSTEM32\vtuutuv.dll
C:\I386\cdplayer.exe.manifest
C:\I386\logonui.exe.manifest
C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe
C:\Program Files\Canon\Canon Setup Utility 2.3\Maint.exe
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest
C:\WINDOWS\SYSTEM32\logonui.exe.manifest
C:\hiberfil.sys
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\Bartroff\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp
C:\Documents and Settings\Bartroff\Application Data\Microsoft\Office\Shortcut Bar\Off2h.tmp
C:\Documents and Settings\Bartroff\Application Data\Microsoft\Office\Shortcut Bar\Off2s.tmp
C:\Documents and Settings\Bartroff\Application Data\Microsoft\Templates\~WRL0002.tmp
C:\Documents and Settings\This Computer\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp
C:\Documents and Settings\This Computer\Application Data\Microsoft\Office\Shortcut Bar\Off2h.tmp
C:\Documents and Settings\This Computer\Application Data\Microsoft\Office\Shortcut Bar\Off2s.tmp
C:\Documents and Settings\This Computer\Application Data\Microsoft\Templates\~WRL0002.tmp

FINISHED!

HiJackThis Report:
Logfile of HijackThis v1.99.1
Scan saved at 5:53:07 PM, on 1/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Grisoft - AVG Anti-Spyware\guard.exe
C:\PROGRA~1\GRISOF~3\avgamsvr.exe
C:\PROGRA~1\GRISOF~3\avgupsvc.exe
C:\PROGRA~1\GRISOF~3\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Acronis\Malware Shield\psh_svc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Grisoft - AVG Anti-Spyware\avgas.exe
C:\WINDOWS\system32\swinroed.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
J:\Apps - Utilz - Security\Anti Malware - Tools - HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb101\Dealio.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {DC5B2C9E-7845-4C90-873D-44742FB9ED66} - C:\WINDOWS\system32\vtuutuv.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O2 - BHO: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing)
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb101\Dealio.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft - AVG Anti-Spyware\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOF~3\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinroed.exe OLI001
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\This Computer\Local Settings\Temp\bundle.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\swinroed.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb101\res\DealioSearch.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb101\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Sandboxie Toolbar - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Sandboxie - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095899849828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148481372656
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: vtuutuv - C:\WINDOWS\SYSTEM32\vtuutuv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft - AVG Anti-Spyware\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pixar License Server - Macrovision Corporation - C:\Program Files\Pixar\license-3.0\lmgrd.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Acronis Malware Shield Service (psh_svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Malware Shield\psh_svc.exe
O23 - Service: Ray345 Server (Ray345Server) - Unknown owner - C:\Program Files\Alias\mentalray3.45\bin\ray345server.exe
O23 - Service: SPM License Server (SPMLM) - mental images GmbH & Co. KG - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

-------- End of HiJackThis Log --------

Thank you, Cookiegal, for your help and patience with this problem so far.
 

Registered · 95 Posts · Discussion Starter · #5
I'm currently working with an administrator of this group, nicknamed Cookiegal, in another message thread to solve the problem on my machine. We are still in the beginning stages of solving the problem, so no luck yet, but if you want to follow the progress of the thread do a search for posts by me or search by post title for "Persistant Lop.AS Trojan, Safe Mode reboot not working." Note that I spelled "persistent" wrong in the title when doing a search for it; sorry about that.

Also want to mention that (at least on my computer) the Trojan Lop.AS is writing files to a temporary internet folder every time it's sent to the virus vault by AVG. The files begin with something like lol.1 or lop.1 and are not accessible, but they can be deleted, although deleting them seems to trigger another round of detection by AVG and then the files get rewritten. Also, there have been a number of key-logging viruses uncovered since discovering the Lop.AS problem. Also notice that on every 5th or 6th detection of Lop.AS, instead of telling you that it was successfully moved to the virus vault, please hit "OK", it states that the computer needs to be restarted, please hit "OK". You get so used to clicking on "OK" that you may not notice the one time that it's asking you to reboot. I have since disabled my AVG anti-virus program by quitting the control center to avoid those messages altogether until I get this problem resolved.

Does any one else experience any of these same details?
 

Administrator · 123,536 Posts
Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
 

Registered · 95 Posts · Discussion Starter · #7
Since VundoFix.exe found nothing, there is no VundoFix.txt to copy and post back to this thread. However, there are still hooked and hidden files, processes, code, memory addresses, etc. reported by RootkitUnhooker (which only works for the first operation or button click; after that it crashes) that to me do not look like things that should be running on my computer. However, since RootkitUnhooker crashes I can't seem to get a complete picture from that program as to what's going on with this computer.

Trojan Lop.AS is of course still posing a threat and is still writing files to C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\, where "\Temporary Internet Files\" is a hidden folder with hidden files in it. Inside that folder is another hidden folder, "Content.IE5" (I'm not using IE5). Un-hiding these folders and files does not make them visible, and the only way to see them is if you already know the name of the folder and file you're looking for. Since AVG was reporting them to me I was able to find them. Trojan Lop.AS seems to be writing files labeled "Lo1.*" to the first-mentioned directory, where * represents a further series of seemingly random numbers, letters and symbols. The system still runs slow, boots slow, and shuts down even slower.

Here is the latest HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 4:22:52 PM, on 1/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Grisoft - AVG Anti-Spyware\guard.exe
C:\PROGRA~1\GRISOF~3\avgamsvr.exe
C:\PROGRA~1\GRISOF~3\avgupsvc.exe
C:\PROGRA~1\GRISOF~3\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Acronis\Malware Shield\psh_svc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Grisoft - AVG Anti-Spyware\avgas.exe
C:\WINDOWS\system32\swinroed.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
J:\Apps - Utilz - Security\Anti Malware - Tools - HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb101\Dealio.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {DC5B2C9E-7845-4C90-873D-44742FB9ED66} - C:\WINDOWS\system32\vtuutuv.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O2 - BHO: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing)
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb101\Dealio.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft - AVG Anti-Spyware\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOF~3\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinroed.exe OLI001
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\This Computer\Local Settings\Temp\bundle.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\swinroed.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb101\res\DealioSearch.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb101\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Sandboxie Toolbar - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Sandboxie - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095899849828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148481372656
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: vtuutuv - C:\WINDOWS\SYSTEM32\vtuutuv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft - AVG Anti-Spyware\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pixar License Server - Macrovision Corporation - C:\Program Files\Pixar\license-3.0\lmgrd.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Acronis Malware Shield Service (psh_svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Malware Shield\psh_svc.exe
O23 - Service: Ray345 Server (Ray345Server) - Unknown owner - C:\Program Files\Alias\mentalray3.45\bin\ray345server.exe
O23 - Service: SPM License Server (SPMLM) - mental images GmbH & Co. KG - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
-------- End of HijackThis Log --------

I'm in school during the day, so the only times I can get a chance to check this forum are early in the mornings between 7 and 8:30 am and afternoons between 4 and 9 pm (PST). What times are good for me to check back for a post from you?

Also, I really appreciate your helping me with this problem, and I'm also thankful for your patience. Thank you, Cookiegal.
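Most of the log above is legitimate software, but a few entries stand out in ways that can be checked mechanically: a BHO registered with no name, a Winlogon Notify DLL in system32 whose name is not one a patched XP box normally carries (the same vtuutuv.dll is wired into both O2 and O20), a Startup item pointing into Local Settings\Temp, and an executable launched both from a Run key and from a Startup .lnk. The script below is an added example, not part of this thread and not a HijackThis feature: it parses lines in HijackThis 1.99.1 format and flags those patterns. The embedded sample is a constructed subset of the posted log. The allowlists (WgaLogon.dll as the expected Winlogon Notify DLL, ctfmon.exe as the one Microsoft binary legitimately autostarted straight from system32) are assumptions for this machine, and every rule is a heuristic that produces candidates for an analyst to review, not verdicts.

```python
"""Triage a HijackThis 1.99.x log for entries an analyst should look at first.

Added example for this thread, not a HijackThis feature. The rules are
heuristics: they surface candidates for review, they do not prove infection.
"""
import re
from collections import defaultdict

# Constructed sample: ten lines copied from the HijackThis log posted above,
# chosen to include the suspicious entries and a few benign ones for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DC5B2C9E-7845-4C90-873D-44742FB9ED66} - C:\WINDOWS\system32\vtuutuv.dll
O2 - BHO: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing)
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinroed.exe OLI001
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\This Computer\Local Settings\Temp\bundle.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\swinroed.exe
O20 - Winlogon Notify: vtuutuv - C:\WINDOWS\SYSTEM32\vtuutuv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

SECTION_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path ending in a loadable module; enough for HJT lines.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe|ocx|sys))", re.IGNORECASE)
SYSTEM32_BARE_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$")

# Assumptions, not facts from the thread: the Winlogon Notify DLL expected on a
# patched XP SP2 box with WGA installed, and the one Microsoft binary that is
# legitimately autostarted straight out of system32 from a Run key.
KNOWN_NOTIFY_DLLS = {"wgalogon.dll"}
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe"}
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temporary internet files\\")


def parse_log(text):
    """Return one dict per 'Oxx - ...' line: section, body, lowercased path, missing flag."""
    entries = []
    for raw in text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append({
            "section": m.group("sec"),
            "body": body,
            "path": pm.group(1).lower() if pm else None,
            "file_missing": "(file missing)" in body,
        })
    return entries


def triage(entries):
    """Map each flagged path to the sorted list of reasons it was flagged."""
    reasons = defaultdict(set)
    refs = defaultdict(int)  # how many live autostart entries point at a path
    for e in entries:
        sec, body, path = e["section"], e["body"], e["path"]
        if path is None:
            continue
        if e["file_missing"]:
            reasons[path].add(f"{sec}: target file missing (orphaned entry)")
            continue  # nothing loads from a missing file; skip the other checks
        refs[path] += 1
        name = path.rsplit("\\", 1)[-1]
        if sec == "O2" and "(no name)" in body:
            reasons[path].add("O2: BHO registered without a name")
        if sec == "O20" and name not in KNOWN_NOTIFY_DLLS:
            reasons[path].add("O20: Winlogon Notify DLL not on the expected list (loads inside winlogon.exe)")
        if sec == "O4":
            if any(mark in path for mark in TEMP_MARKERS):
                reasons[path].add("O4: autostart from a temporary directory")
            elif SYSTEM32_BARE_RE.match(path) and name not in KNOWN_SYSTEM32_AUTOSTARTS:
                reasons[path].add("O4: autostarts a bare executable dropped in the system directory")
    # Corroboration: the same file wired into more than one load point.
    for path, n in refs.items():
        if n > 1 and path in reasons:
            reasons[path].add(f"referenced by {n} live autostart entries")
    return {p: sorted(r) for p, r in reasons.items()}


if __name__ == "__main__":
    for path, why in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(path)
        for w in why:
            print("   -", w)
```

Run against the sample it reports four paths: vtuutuv.dll (nameless BHO, unexpected Winlogon Notify DLL, two load points), swinroed.exe (bare executable in system32 started from two places), bundle.exe (autostart from Temp) and the orphaned Sandboxie toolbar entry; the Adobe, PeerGuardian, WgaLogon and NVIDIA lines stay quiet. A "(file missing)" entry is reported as an orphan and excluded from the other checks because nothing loads from it; it is still worth cleaning up, but it is not where the infection lives.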
 

Administrator · 123,536 Posts
I'm usually on here all day between 7:00 a.m. and 10:00 p.m. with a few breaks here and there.

Download AVG Anti-Spyware from HERE and save that file to your desktop.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.

  1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
  2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  3. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
  4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  6. Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
  1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
  2. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
  3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  4. AVG will now begin the scanning process. Please be patient as this may take a little time.
    Once the scan is complete, do the following:
  5. If you have any infections you will be prompted. Then select "Apply all actions."
  6. Next select the "Reports" icon at the top.
  7. Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
  8. Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Please go HERE to run Panda's ActiveScan
  • You need to use IE to run this scan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Download GMER from http://gmer.thespykiller.co.uk/files.php

http://www.majorgeeks.com/download.php?det=5198

Save it somewhere safe & unzip it to desktop.

Double click the gmer.exe to run it and select the rootkit tab, press scan and when it has finished press save and copy the log back here please.

Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans and GMER.
 

Registered · 95 Posts · Discussion Starter · #9
This morning when I tried to open Internet Explorer I got the following error message:
"This application has failed to start because msvcrl.dll was not found. Re-installing the application may fix this problem."

I will download and install IE7 asap, and report if that fixes the missing dll problem, then continue with the advice given in your previous post.
 

Registered · 95 Posts · Discussion Starter · #11
Yes that is correct I was not able to run IE at all.
However, I have since downloaded a fresh copy of IE7 from Microsoft's IE7 download page and reinstalled it. I then configured it as per the instructions listed in the last "sticky" of this forum, titled "General Security Information, How to tighten Security Settings and Warnings".

I then proceeded to search for any critical updates from Microsoft, which undid most, if not all, of the security settings I had made in the previous step. *shrug* No critical updates were found, so I reset all the security settings back to what was suggested by the article listed above and exited the program.

Next I updated AVG's Anti-Spyware as well as their Anti-Virus program. After the Anti-Virus program updated I closed it to keep it from detecting the Lop.AS trojan at intermittent intervals. I changed the settings in AVG Anti-Spyware as you've instructed, restarted in Safe Mode, and did a complete system scan.
Here are the results of that scan:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:29:08 PM 1/5/2007
+ Scan result:
Nothing found.
::Report end

The final objectives remain as priorities. I will report back after completing the rest of the assignment.
 

Registered · 95 Posts · Discussion Starter · #12
As reported in the previous post:
No new critical updates from Microsoft were available.
The complete scan in safe mode with options set in AVG Anti-Spyware reported nothing found.

Here are the results from the Online Active Scan from the Panda website:
---------------- Panda Online Active Scan Log Begins ----------------

Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Bartroff\Cookies\sue [email protected][1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[.tucows.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[.target.com/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[www48.seeq.com/]
Spyware:Cookie/Versiontracker Not disinfected C:\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[.versiontracker.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[.c2.gostats.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[.tucows.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[.target.com/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[www48.seeq.com/]
Spyware:Cookie/Versiontracker Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[.versiontracker.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt[.c2.gostats.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt.moztmp[.apmebf.com/]
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt.moztmp[.tucows.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt.moztmp[.xiti.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt.moztmp[.target.com/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt.moztmp[www48.seeq.com/]
Spyware:Cookie/Versiontracker Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt.moztmp[.versiontracker.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt.moztmp[.club.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt.moztmp[.cdfreaks.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\This Computer\Application Data\Sandbox\DefaultBox\Device\HarddiskVolume2\Documents and Settings\This Computer\Application Data\Mozilla\Firefox\Profiles\ftb2fbqv.default\cookies.txt.moztmp[.c2.gostats.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\This Computer\Desktop\Security\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Stunnel Not disinfected C:\Program Files\Stunnel\libeay32.dll
Potentially unwanted tool:Application/Stunnel Not disinfected C:\Program Files\Stunnel\libssl32.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Potentially unwanted tool:Application/Stunnel Not disinfected J:\Apps - Utilz - Security\Encryption - Stunnel\stunnel-4.15-installer.exe[libeay32.dll]
Potentially unwanted tool:Application/Stunnel Not disinfected J:\Apps - Utilz - Security\Encryption - Stunnel\stunnel-4.15-installer.exe[libssl32.dll]

---------------- Panda Online Active Scan Log Ends ----------------

Here are the results of the GMER scan:
12:44 PM 1/6/2007
GMER caused the following Blue Screen Error message:

---------------- Blue Screen Error Message Begins ----------------

A problem has been detected and windows has been shut down to prevent damage to your computer.

The problem seems to be caused by the following file: gmer.sys

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you've seen this stop error screen, restart your computer.
If this screen appears again follow these steps:

Check to make sure any new hardware or software is properly installed.
If this is a new installation, ask your hardware or software manufacturer for any windows updates you might need.

If problems continue, disable or remove any newly installed hardware or software.
Disable BIOS memory such as caching or shadowing.
If you need to use safe mode to remove or disable components, restart your computer,
press F8 to select Advanced Startup options, and then select safe mode.

Technical Information:
*** STOP: 0x00000050 (0xE88852CA, 0x00000000, 0xB7336363, 0x00000001)
*** gmer.sys - Address B73363 base at B7335000, DateStamp 456c4622

Beginning dump of physical memory
Physical memory dump complete
Contact your system administrator or technical support group for further assistance.

---------------- Blue Screen Error Message Ends ----------------

I watched as GMER was running for the first few minutes and it appeared to be finding a huge list of things to report; however, when I returned to my computer the report was never completed because GMER caused a page fault and crashed WinXP/SP2.

Do you have any other ideas, or should I try and run GMER again?
 

Registered · 95 Posts
Discussion Starter · #14 ·
Sorry it took 3 hours for me to respond; I had to run an errand.

---------------- HijackThis Log Begins ----------------

Logfile of HijackThis v1.99.1
Scan saved at 6:04:45 PM, on 1/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Grisoft - AVG Anti-Spyware\guard.exe
C:\PROGRA~1\GRISOF~3\avgamsvr.exe
C:\PROGRA~1\GRISOF~3\avgupsvc.exe
C:\PROGRA~1\GRISOF~3\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Acronis\Malware Shield\psh_svc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Grisoft - AVG Anti-Spyware\avgas.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
J:\Apps - Utilz - Security\Anti Malware - Tools - HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb101\Dealio.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {DC5B2C9E-7845-4C90-873D-44742FB9ED66} - C:\WINDOWS\system32\vtuutuv.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O2 - BHO: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing)
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb101\Dealio.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft - AVG Anti-Spyware\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOF~3\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\This Computer\Local Settings\Temp\bundle.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\swinroed.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb101\res\DealioSearch.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb101\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Sandboxie Toolbar - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Sandboxie - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095899849828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148481372656
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: vtuutuv - C:\WINDOWS\SYSTEM32\vtuutuv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft - AVG Anti-Spyware\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pixar License Server - Macrovision Corporation - C:\Program Files\Pixar\license-3.0\lmgrd.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Acronis Malware Shield Service (psh_svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Malware Shield\psh_svc.exe
O23 - Service: Ray345 Server (Ray345Server) - Unknown owner - C:\Program Files\Alias\mentalray3.45\bin\ray345server.exe
O23 - Service: SPM License Server (SPMLM) - mental images GmbH & Co. KG - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: WEAZKNJPHPG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THISCO~1\LOCALS~1\Temp\WEAZKNJPHPG.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

---------------- HijackThis Log Ends ----------------
 

Administrator · 123,536 Posts
It appears that you have a trojan that edits IE so that it loads a file which is now missing (the one you mentioned, which is not a valid dll), which is why you couldn't start IE until you replaced it with IE7. It also alters the system file checker sfc_os.dll, and we will have to replace that one from the dll cache.

Download ComboFix to your Desktop.

Reboot to Safe mode:

Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done properly a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Perform the following actions in Safe Mode.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a new HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running, as that may cause it to stall.
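As an added example of how a helper reads a log like the one posted above (this is not the thread's, the helper's or HijackThis's own code), here is a small Python triage script that applies a few heuristic rules to entries copied from that log: BHOs registered without a name, Winlogon Notify hooks outside a small allowlist, autostarts or services whose image lives in a Temp folder, Startup-folder shortcuts pointing into system32, and the same DLL loaded from more than one section. The rules and the WgaLogon allowlist are assumptions, and a hit means "review this entry", not "this is malware".

```python
"""Heuristic triage of HijackThis v1.99 log lines.

Added example for this thread, not HijackThis's own logic or the helper's
method. The sample lines are copied from the log posted above; the rules
encode assumptions about what a helper reads for and only mark entries
for review.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: nine lines taken verbatim from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DC5B2C9E-7845-4C90-873D-44742FB9ED66} - C:\WINDOWS\system32\vtuutuv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\This Computer\Local Settings\Temp\bundle.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\swinroed.exe
O20 - Winlogon Notify: vtuutuv - C:\WINDOWS\SYSTEM32\vtuutuv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WEAZKNJPHPG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THISCO~1\LOCALS~1\Temp\WEAZKNJPHPG.exe
"""

# Assumption: WgaLogon.dll (Windows Genuine Advantage) is the only Winlogon
# Notify package expected on this XP SP2 box; extend for other known DLLs.
KNOWN_WINLOGON_NOTIFY = {"wgalogon.dll"}

SECTION_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
STARTUP_RE = re.compile(r"^(Global )?Startup:")


@dataclass
class Finding:
    image: str                      # lower-cased file name of the loaded image
    path: str                       # first path seen for that image
    reasons: list = field(default_factory=list)
    sections: set = field(default_factory=set)
    priority: str = "review"        # "high" once several sections load it


def extract_path(section: str, rest: str) -> str:
    """Return the image path of one log line, minus the '(file missing)' tag."""
    if section == "O4":
        # Run-key entries: '[Name] command'; Startup-folder entries: 'x.lnk = path'
        if "] " in rest:
            path = rest.split("] ", 1)[1]
        elif " = " in rest:
            path = rest.split(" = ", 1)[1]
        else:
            path = rest
    else:
        # O2/O3/O20/O23 put the path in the last ' - ' separated field
        path = rest.rsplit(" - ", 1)[-1]
    return path.replace("(file missing)", "").strip().strip('"')


def image_name(path: str) -> str:
    """File name of the image, lower-cased, without any trailing arguments."""
    return path.rsplit("\\", 1)[-1].split(" ")[0].lower()


def rules(section: str, rest: str, path: str) -> list:
    """Heuristic reasons an entry deserves a second look (empty list = none)."""
    reasons = []
    low = path.lower()
    if section == "O2" and rest.startswith("BHO: (no name)"):
        reasons.append("BHO registered without a name")
    if section == "O20" and image_name(path) not in KNOWN_WINLOGON_NOTIFY:
        reasons.append("Winlogon Notify hook not on the allowlist")
    if "\\temp\\" in low:
        reasons.append("image lives in a Temp folder")
    if section == "O4" and STARTUP_RE.match(rest) and "\\system32\\" in low:
        reasons.append("Startup-folder shortcut points into system32")
    return reasons


def triage(log_text: str) -> dict:
    """Map image name -> Finding for every entry that trips at least one rule."""
    findings = {}
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        path = extract_path(section, rest)
        reasons = rules(section, rest, path)
        if not reasons:
            continue
        name = image_name(path)
        f = findings.setdefault(name, Finding(name, path))
        f.reasons.extend(reasons)
        f.sections.add(section)
    # The same DLL hooked from more than one section (here: a BHO that is also
    # a Winlogon Notify package) is the strongest signal in a log like this one.
    for f in findings.values():
        if len(f.sections) > 1:
            f.priority = "high"
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG).values(), key=lambda x: x.priority):
        print(f"[{f.priority}] {f.image} <{','.join(sorted(f.sections))}> "
              f"{f.path}: {'; '.join(f.reasons)}")
```

On the sample above it reports vtuutuv.dll as high (loaded as both an unnamed BHO and a Winlogon Notify package) and three Temp/system32 entries for review, while the Adobe, ctfmon, WgaLogon and NVIDIA lines pass silently.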
 

Registered · 95 Posts
Discussion Starter · #16 ·
I just got home, I will implement your suggestions immediately and report back with the logs you've requested.

Note: Before I started this thread the free version of AVG which automatically cleans infected files without a way to stop it from doing so, marked sfc_os.dll as something that needed to be quarantined. It wasn't until a few reboots later that I realized that file was necessary for restoring the system files and when I went to look for it in the quarantine bin, it was gone along with other dll's as well, and I can't remember which dll's those were. After attempting to replace sfc_os.dll from an online dll archive to restore the system files, I noticed it was too old a version to work. Instead of deleting it I just left it alone.
 

Registered · 95 Posts
Discussion Starter · #18 ·
Side notes: During reboots into safe mode the OS asks me if I would like to continue loading SPTD.SYS or press ESC to cancel. Also, halfway into the ComboFix scan the following message appeared: "No Disk in drive, [Cancel] [Retry] [Continue]".
Placing a disk in any drive did nothing when selecting Retry, so all disks were removed and Continue was selected.
I wasn't sure if you wanted me to do the HijackThis log in safe mode or normal mode, so I've done both. Because of the imposed 30000 character limit I will post the HijackThis logs in the next post.

Here is the report from ComboFix:
---------------- ComboFix.Log Begins ----------------
"This Computer" - 07-01-07 12:51:39 Service Pack 2
ComboFix 07-01-06W-BetaE2 - Running from: "C:\Documents and Settings\This Computer\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\THISCO~1\Desktop\Internet Explorer.lnk

((((((((((((((((((((((((((((((( Files Created from 2006-12-07 to 2007-01-07 ))))))))))))))))))))))))))))))))))

2007-01-06 11:51 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2007-01-06 08:26 d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-01-04 16:05 d-------- C:\VundoFix Backups
2007-01-03 16:15 d-------- C:\SDFix
2007-01-01 18:33 15,872 --------- C:\WINDOWS\SYSTEM32\SophosBootTasksR.exe
2007-01-01 18:31 d-------- C:\Program Files\RkUnhooker
2007-01-01 10:29 d-------- C:\DOCUME~1\THISCO~1\.housecall6.6
2006-12-30 22:03 140,288 --a------ C:\WINDOWS\SYSTEM32\sfc_os.dll
2006-12-30 21:54 d-------- C:\DOCUME~1\THISCO~1\Application Data\Uniblue
2006-12-30 18:19 932 --a------ C:\WINDOWS\SYSTEM32\winpfz32.sys
2006-12-30 18:19 8,464 --a------ C:\WINDOWS\SYSTEM32\sporder.dll
2006-12-30 18:19 d-------- C:\Program Files\Dealio
2006-12-30 18:18 22,541 ---hs---- C:\WINDOWS\SYSTEM32\vtuutuv.dll
2006-12-30 16:37 d-------- C:\DOCUME~1\THISCO~1\Application Data\Sandbox
2006-12-30 12:53 d-------- C:\Program Files\SolSuite
2006-12-30 12:53 d-------- C:\DOCUME~1\THISCO~1\Application Data\SolSuite
2006-12-30 12:53 d-------- C:\DOCUME~1\ALLUSE~1\Application Data\TreeCardGames
2006-12-30 12:42 d-------- C:\Program Files\Sandboxie
2006-12-30 07:44 816,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
2006-12-30 07:44 4,960 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys
2006-12-30 07:44 4,224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
2006-12-30 07:44 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
2006-12-30 07:44 28,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
2006-12-30 07:44 18,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
2006-12-30 07:43 d-------- C:\Program Files\Grisoft - AVG Anti-Virus Pro
2006-12-30 07:43 d-------- C:\Program Files\Grisoft
2006-12-30 07:43 d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
2006-12-30 00:41 dr-h----- C:\$VAULT$.AVG
2006-12-29 21:43 d-------- C:\WINDOWS\WBEM
2006-12-29 21:43 d-------- C:\WINDOWS\SYSTEM32\en-US
2006-12-29 21:41 d--h-c--- C:\WINDOWS\ie7
2006-12-29 21:40 121,856 --------- C:\WINDOWS\SYSTEM32\xmllite.dll
2006-12-29 21:39 d-------- C:\WINDOWS\network diagnostic
2006-12-29 21:19 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-12-29 21:19 d-------- C:\Program Files\Grisoft - AVG Anti-Spyware
2006-12-29 21:15 d-------- C:\DOCUME~1\THISCO~1\Application Data\AVG7
2006-12-29 21:15 d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2006-12-29 21:14 d-------- C:\Program Files\Grisoft - AVG Free
2006-12-29 21:14 d-------- C:\DOCUME~1\ALLUSE~1\Application Data\avg7
2006-12-28 22:42 d-------- C:\WINDOWS\rnapxs
2006-12-28 22:13 d-------- C:\DOCUME~1\THISCO~1\Application Data\F-Secure
2006-12-28 21:53 d-------- C:\Program Files\F-Secure Anti-Virus
2006-12-28 16:07 d-------- C:\Program Files\Sophos Anti-Rootkit
2006-12-28 10:52 d-------- C:\DOCUME~1\THISCO~1\Application Data\Acronis
2006-12-28 10:45 96,320 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\snapman.sys
2006-12-28 10:45 81,984 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\psh_drv.sys
2006-12-28 10:45 d-------- C:\Program Files\Common Files\Acronis
2006-12-28 10:45 d-------- C:\Program Files\Acronis
2006-12-28 10:45 d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Acronis
2006-12-28 10:16 d-------- C:\WINDOWS\SYSTEM32\winsecurityxp
2006-12-26 12:32 d-------- C:\Program Files\Samsung YP-MT6
2006-12-26 07:03 d--hs---- C:\DOCUME~1\THISCO~1\UserData
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\WINDOWS
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\tbskin
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Incomplete
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\ZipGenius
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\XnView
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\Winamp
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\Vidalia
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\uTorrent
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\Tor
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\Thunderbird
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\Talkback
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\Sun
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\SSH
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\Rainlendar
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\Pixar
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\Notepad++
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\MSN6
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\McNeel
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\MayaWebBrowser
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\LimeWire
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\Leadertech
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\Lavasoft
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\ID3 renamer
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\Help
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\GoogleEarth
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\Google
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\gnupg
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\GetRightToGo
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\fltk.org
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\ESRI
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\DivX
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\Design Science
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\CyberLink
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\Azureus
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\Apple Computer
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\AdobeUM
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\Application Data\.tswebeditor
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\apm
2006-12-26 07:03 d-------- C:\DOCUME~1\THISCO~1\.spamato4thunderbird
2006-12-26 07:01 d-------- C:\DOCUME~1\THISCO~1\Application Data\Real
2006-12-26 07:01 d-------- C:\DOCUME~1\THISCO~1\Application Data\Adobe
2006-12-25 12:09 d-------- C:\DOCUME~1\Temp\Application Data\Talkback
2006-12-25 12:05 d-------- C:\DOCUME~1\Temp\Application Data\Adobe
2006-12-25 12:04 d-------- C:\DOCUME~1\Temp\Application Data\Real
2006-12-24 20:41 d-------- C:\Downloads
2006-12-24 20:41 d-------- C:\DOCUME~1\Bartroff\Application Data\GetRightToGo
2006-12-24 06:44 d-------- C:\Program Files\MediaMonkey
2006-12-24 06:36 d-------- C:\Program Files\TagScanner
2006-12-21 21:25 d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2006-12-21 21:24 d-------- C:\WINDOWS\SYSTEM32\AGEIA
2006-12-21 21:24 d-------- C:\Program Files\AGEIA Technologies
2006-12-21 21:23 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-12-21 21:18 73,928 --a------ C:\WINDOWS\SYSTEM32\dmcompod.dll
2006-12-21 21:18 52,424 --a------ C:\WINDOWS\SYSTEM32\dmloaded.dll
2006-12-21 21:18 41,160 --a------ C:\WINDOWS\SYSTEM32\dmbandd.dll
2006-12-21 21:18 359,624 --a------ C:\WINDOWS\SYSTEM32\dinput8d.dll
2006-12-21 21:18 339,736 --a------ C:\WINDOWS\SYSTEM32\d3dref9.dll
2006-12-21 21:18 30,920 --a------ C:\WINDOWS\SYSTEM32\dswaved.dll
2006-12-21 21:18 3,724,568 --a------ C:\WINDOWS\SYSTEM32\d3dx9d_32.dll
2006-12-21 21:18 3,080,472 --a------ C:\WINDOWS\SYSTEM32\d3d9d.dll
2006-12-21 21:18 248,008 --a------ C:\WINDOWS\SYSTEM32\d3dref8.dll
2006-12-21 21:18 240,328 --a------ C:\WINDOWS\SYSTEM32\dmimed.dll
2006-12-21 21:18 134,344 --a------ C:\WINDOWS\SYSTEM32\dmusicd.dll
2006-12-21 21:18 117,448 --a------ C:\WINDOWS\SYSTEM32\dmstyled.dll
2006-12-21 21:18 115,912 --a------ C:\WINDOWS\SYSTEM32\dmscripd.dll
2006-12-21 21:18 112,840 --a------ C:\WINDOWS\SYSTEM32\dmsynthd.dll
2006-12-21 21:18 106,696 --a------ C:\WINDOWS\SYSTEM32\d3dref.dll
2006-12-21 21:18 1,390,792 --a------ C:\WINDOWS\SYSTEM32\d3d8d.dll
2006-12-21 21:17 d-------- C:\Program Files\Common Files\aliaswavefront shared
2006-12-21 21:15 d-------- C:\Program Files\Microsoft DirectX SDK (December 2006)
2006-12-21 14:43 68,888 --a------ C:\WINDOWS\SYSTEM32\xinput1_3.dll
2006-12-21 14:43 62,744 --a------ C:\WINDOWS\SYSTEM32\xinput1_2.dll
2006-12-21 14:43 3,426,072 --a------ C:\WINDOWS\SYSTEM32\d3dx9_32.dll
2006-12-21 14:43 251,672 --a------ C:\WINDOWS\SYSTEM32\xactengine2_5.dll
2006-12-21 14:43 237,848 --a------ C:\WINDOWS\SYSTEM32\xactengine2_4.dll
2006-12-21 14:43 236,824 --a------ C:\WINDOWS\SYSTEM32\xactengine2_3.dll
2006-12-21 14:43 2,414,360 --a------ C:\WINDOWS\SYSTEM32\d3dx9_31.dll
2006-12-21 14:43 15,128 --a------ C:\WINDOWS\SYSTEM32\x3daudio1_1.dll
2006-12-21 13:46 d-------- C:\Program Files\Cg Toolkit
2006-12-21 13:23 d-------- C:\DOCUME~1\Bartroff\Application Data\DivX
2006-12-21 13:13 d-------- C:\DOCUME~1\Bartroff\tbskin
2006-12-20 20:52 d-------- C:\Program Files\Feeling Software
2006-12-20 20:50 d-------- C:\Program Files\Feeling Viewer
2006-12-20 16:06 d-------- C:\Program Files\@Last Software
2006-12-20 07:35 d-------- C:\Program Files\Apple Software Update
2006-12-20 07:10 d-------- C:\DOCUME~1\ALLUSE~1\Application Data\NVIDIA
2006-12-17 14:42 1,867,776 --a------ C:\WINDOWS\SYSTEM32\python24.dll
2006-12-17 14:41 d-------- C:\DOCUME~1\Bartroff\Application Data\ESRI
2006-12-17 14:18 d-------- C:\DOCUME~1\ALLUSE~1\Application Data\ESRI
2006-12-17 14:16 d-------- C:\Program Files\Common Files\ESRI
2006-12-17 14:15 d-------- C:\Program Files\Leica Geosystems
2006-12-17 14:10 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2006-12-17 14:09 d-------- C:\Program Files\ArcGIS
2006-12-17 11:45 d-------- C:\Program Files\Rainbow Technologies
2006-12-17 11:40 d-------- C:\Program Files\ESRI
2006-12-17 07:20 339,968 --a------ C:\WINDOWS\SYSTEM32\mpiwin32.dll
2006-12-17 07:20 15,840 --a------ C:\WINDOWS\SYSTEM32\Machnm1.exe
2006-12-17 07:19 d-------- C:\Program Files\Google SketchUp 5
2006-12-17 07:18 d-------- C:\Program Files\SketchUp 5
2006-12-13 16:15 d-------- C:\Program Files\Google SketchUp
2006-12-13 15:26 d-------- C:\Program Files\Google Earth
2006-12-13 14:40 d-------- C:\DOCUME~1\Bartroff\Application Data\GoogleEarth
2006-12-13 14:40 d-------- C:\DOCUME~1\Bartroff\Application Data\Google
2006-12-12 08:30 520,192 --a------ C:\WINDOWS\SYSTEM32\DivXsm.exe
2006-12-12 08:30 3,596,288 --a------ C:\WINDOWS\SYSTEM32\qt-dx331.dll
2006-12-12 08:30 200,704 --a------ C:\WINDOWS\SYSTEM32\ssldivx.dll
2006-12-12 08:30 1,044,480 --a------ C:\WINDOWS\SYSTEM32\libdivx.dll
2006-12-12 08:25 806,912 --a------ C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2006-12-12 08:25 806,912 --a------ C:\WINDOWS\SYSTEM32\divx_xx07.dll
2006-12-12 08:25 790,528 --a------ C:\WINDOWS\SYSTEM32\divx_xx11.dll
2006-12-12 08:25 73,728 --a------ C:\WINDOWS\SYSTEM32\dpl100.dll
2006-12-12 08:25 635,486 --a------ C:\WINDOWS\SYSTEM32\DivX.dll
2006-12-12 08:25 593,920 --a------ C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2006-12-12 08:25 57,344 --a------ C:\WINDOWS\SYSTEM32\dpv11.dll
2006-12-12 08:25 53,248 --a------ C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2006-12-12 08:25 344,064 --a------ C:\WINDOWS\SYSTEM32\dpus11.dll
2006-12-12 08:25 294,912 --a------ C:\WINDOWS\SYSTEM32\dpu11.dll
2006-12-12 08:25 294,912 --a------ C:\WINDOWS\SYSTEM32\dpu10.dll
2006-12-12 08:25 196,608 --a------ C:\WINDOWS\SYSTEM32\dtu100.dll
2006-12-12 08:24 12,288 --a------ C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2006-12-12 08:24 118,784 --a------ C:\WINDOWS\SYSTEM32\DivXCodecUpdateChecker.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-01-07 12:39 -------- d-------- C:\Program Files\peerguardian2
2007-01-07 12:26 -------- d-------- C:\Program Files\mozilla firefox
2007-01-06 14:14 -------- d-------- C:\Program Files\mozilla thunderbird
2007-01-06 10:18 -------- d-------- C:\Program Files\zipgenius 6
2007-01-06 10:16 -------- d-------- C:\Program Files\star downloader
2007-01-06 10:05 -------- d-------- C:\Program Files\linksys wireless-g pci wireless network monitor
2007-01-06 09:59 -------- d-------- C:\Program Files\eraser
2007-01-01 16:19 -------- d-------- C:\Program Files\java
2006-12-30 07:10 226 --a------ C:\DOCUME~1\THISCO~1\Application Data\mainhst.zgh
2006-12-28 21:58 -------- d-------- C:\Program Files\network associates
2006-12-27 06:52 -------- d---s---- C:\DOCUME~1\THISCO~1\Application Data\microsoft
2006-12-26 12:32 -------- d--h----- C:\Program Files\installshield installation information
2006-12-23 08:09 -------- d-------- C:\Program Files\id3 renamer
2006-12-21 21:17 -------- d-------- C:\Program Files\Common Files\alias shared
2006-12-21 11:09 -------- d-------- C:\Program Files\divx
2006-12-20 16:06 -------- d-------- C:\Program Files\@last software
2006-12-20 07:38 -------- d-------- C:\Program Files\quicktime
2006-12-17 21:33 -------- d-------- C:\Program Files\winamp
2006-12-17 13:59 -------- d-------- C:\Program Files\isobuster
2006-12-17 13:49 -------- d-------- C:\Program Files\support.com
2006-12-07 21:06 -------- d-------- C:\Program Files\kyocera phone desktop
2006-12-01 18:34 53248 --a------ C:\WINDOWS\SYSTEM32\physxloader.dll
2006-11-29 09:03 -------- d-------- C:\Program Files\Common Files\adobe
2006-11-22 11:37 45056 --a------ C:\WINDOWS\SYSTEM32\agcpaneltraditionalchinese.dll
2006-11-22 11:37 45056 --a------ C:\WINDOWS\SYSTEM32\agcpanelswedish.dll
2006-11-22 11:37 45056 --a------ C:\WINDOWS\SYSTEM32\agcpanelspanish.dll
2006-11-22 11:37 45056 --a------ C:\WINDOWS\SYSTEM32\agcpanelsimplifiedchinese.dll
2006-11-22 11:37 45056 --a------ C:\WINDOWS\SYSTEM32\agcpanelportugese.dll
2006-11-22 11:37 45056 --a------ C:\WINDOWS\SYSTEM32\agcpanelkorean.dll
2006-11-22 11:37 45056 --a------ C:\WINDOWS\SYSTEM32\agcpaneljapanese.dll
2006-11-22 11:37 45056 --a------ C:\WINDOWS\SYSTEM32\agcpanelgerman.dll
2006-11-22 11:37 45056 --a------ C:\WINDOWS\SYSTEM32\agcpanelfrench.dll
2006-11-16 19:48 -------- d-------- C:\Program Files\msxml 4.0
2006-11-10 15:48 -------- d-------- C:\Program Files\bitspirit
2006-11-07 21:06 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\SYSTEM32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\SYSTEM32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\SYSTEM32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\SYSTEM32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\SYSTEM32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\SYSTEM32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\SYSTEM32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\SYSTEM32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\SYSTEM32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\SYSTEM32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\SYSTEM32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\SYSTEM32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\SYSTEM32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\SYSTEM32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\SYSTEM32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\SYSTEM32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\SYSTEM32\ieakui.dll
2006-11-04 20:25 1321744 --a------ C:\WINDOWS\SYSTEM32\msxml6.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\SYSTEM32\msxml4.dll
2006-10-19 05:56 713216 --a------ C:\WINDOWS\SYSTEM32\sxs.dll
2006-10-17 12:06 78336 --a------ C:\WINDOWS\SYSTEM32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\SYSTEM32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\SYSTEM32\winfxdocobj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\SYSTEM32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\SYSTEM32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\SYSTEM32\corpol.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\SYSTEM32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\SYSTEM32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\SYSTEM32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\SYSTEM32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\SYSTEM32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\SYSTEM32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\SYSTEM32\ieapfltr.dll
2006-10-13 04:35 65536 --a------ C:\WINDOWS\SYSTEM32\nwwks.dll
2006-10-13 04:35 64000 --a------ C:\WINDOWS\SYSTEM32\nwapi32.dll
2006-10-13 04:35 142336 --a------ C:\WINDOWS\SYSTEM32\nwprovau.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PeerGuardian"="C:\\Program Files\\PeerGuardian2\\pg2.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"Logitech Utility"="Logi_MwX.Exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"CanonMyPrinter"="C:\\Program Files\\Canon\\MyPrinter\\BJMyPrt.exe /logon"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Acronis Scheduler2 Service"="\"C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedhlp.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft - AVG Anti-Spyware\\avgas.exe\" /minimized"
"AVG7_CC"="C:\\PROGRA~1\\GRISOF~3\\avgcc.exe /STARTUP"
"au"="C:\\Program Files\\Dealio\\DealioAU.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{DC5B2C9E-7845-4C90-873D-44742FB9ED66}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\GRISOF~3\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\GRISOF~3\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoClose"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutuv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_PSH_DRV

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\ISP signup reminder 1.job

Completion time: 07-01-07 13:04:14
---------------- ComboFix.Log Ends ----------------
 

Registered · 95 Posts · Discussion Starter · #19
Here is the report from HijackThis in SAFE MODE:
---------------- HijackThis.log Safe Mode Begins ----------------
Logfile of HijackThis v1.99.1
Scan saved at 1:15:16 PM, on 1/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
J:\Apps - Utilz - Security\Anti Malware - Tools - HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb101\Dealio.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {DC5B2C9E-7845-4C90-873D-44742FB9ED66} - C:\WINDOWS\system32\vtuutuv.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O2 - BHO: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing)
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb101\Dealio.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft - AVG Anti-Spyware\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOF~3\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\This Computer\Local Settings\Temp\bundle.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\swinroed.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb101\res\DealioSearch.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb101\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Sandboxie Toolbar - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Sandboxie - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095899849828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148481372656
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: vtuutuv - C:\WINDOWS\SYSTEM32\vtuutuv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft - AVG Anti-Spyware\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pixar License Server - Macrovision Corporation - C:\Program Files\Pixar\license-3.0\lmgrd.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Acronis Malware Shield Service (psh_svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Malware Shield\psh_svc.exe
O23 - Service: Ray345 Server (Ray345Server) - Unknown owner - C:\Program Files\Alias\mentalray3.45\bin\ray345server.exe
O23 - Service: SPM License Server (SPMLM) - mental images GmbH & Co. KG - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: WEAZKNJPHPG - Unknown owner - C:\DOCUME~1\THISCO~1\LOCALS~1\Temp\WEAZKNJPHPG.exe (file missing)
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
---------------- HijackThis.log Safe Mode Ends ----------------

Here is the report from HijackThis in Normal Mode:
---------------- HijackThis.log Normal Mode Begins ----------------
Logfile of HijackThis v1.99.1
Scan saved at 1:38:35 PM, on 1/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Grisoft - AVG Anti-Spyware\guard.exe
C:\PROGRA~1\GRISOF~3\avgamsvr.exe
C:\PROGRA~1\GRISOF~3\avgupsvc.exe
C:\PROGRA~1\GRISOF~3\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Acronis\Malware Shield\psh_svc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Grisoft - AVG Anti-Spyware\avgas.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
J:\Apps - Utilz - Security\Anti Malware - Tools - HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb101\Dealio.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {DC5B2C9E-7845-4C90-873D-44742FB9ED66} - C:\WINDOWS\system32\vtuutuv.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O2 - BHO: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Sandboxie - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing)
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb101\Dealio.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft - AVG Anti-Spyware\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOF~3\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\This Computer\Local Settings\Temp\bundle.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\swinroed.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb101\res\DealioSearch.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - C:\Program Files\Acronis\PrivacyExpert\Blocker.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb101\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Sandboxie Toolbar - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Sandboxie - {11E506DC-0976-4CDA-BB30-37E60A2F2F46} - C:\Program Files\Sandboxie\SandboxieToolbar.dll (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095899849828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148481372656
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: vtuutuv - C:\WINDOWS\SYSTEM32\vtuutuv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft - AVG Anti-Spyware\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\GRISOF~3\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pixar License Server - Macrovision Corporation - C:\Program Files\Pixar\license-3.0\lmgrd.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Acronis Malware Shield Service (psh_svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Malware Shield\psh_svc.exe
O23 - Service: Ray345 Server (Ray345Server) - Unknown owner - C:\Program Files\Alias\mentalray3.45\bin\ray345server.exe
O23 - Service: SPM License Server (SPMLM) - mental images GmbH & Co. KG - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: WEAZKNJPHPG - Unknown owner - C:\DOCUME~1\THISCO~1\LOCALS~1\Temp\WEAZKNJPHPG.exe (file missing)
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
---------------- HijackThis.log Normal Mode Ends ----------------

Incidentally, WMP54Gv4.exe is NOT missing and does start correctly every time I boot.
Again thank you for being so patient and attentive to this situation.
 

Administrator · 123,536 Posts
Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

O2 - BHO: (no name) - {DC5B2C9E-7845-4C90-873D-44742FB9ED66} - C:\WINDOWS\system32\vtuutuv.dll

O4 - Startup: TA_Start.lnk = C:\Documents and Settings\This Computer\Local Settings\Temp\bundle.exe

O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\swinroed.exe

O20 - Winlogon Notify: vtuutuv - C:\WINDOWS\SYSTEM32\vtuutuv.dll


Please download the Killbox by Option^Explicit.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\sfc_os.dll
    C:\WINDOWS\SYSTEM32\winpfz32.sys
    C:\WINDOWS\SYSTEM32\vtuutuv.dll
    C:\WINDOWS\SYSTEM32\swinroed.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Go to the C:\Windows\system32\dllcache folder.
Find sfc_os.dll and right click on it. Choose Copy from the menu.
Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu. This will replace the overwritten file that we deleted.

Go to the following link and upload each of the following files for analysis and let me know what the results are please:

http://virusscan.jotti.org/

C:\DOCUME~1\THISCO~1\LOCALS~1\Temp\WEAZKNJPHPG.exe

Reboot and post a new HijackThis log please.
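The entries the helper picked out above follow a few recognisable patterns: an IE default page reset to about:blank, an unnamed BHO loading a randomly named DLL from system32, a startup shortcut launching from the user's Temp folder, a Winlogon Notify handler that is not a Windows DLL, and a service whose binary sits in Temp and is already missing. As an added example (not from this thread, and not code from HijackThis, ComboFix or Killbox), the Python script below encodes those patterns as triage rules and runs them over sample lines shaped like the logs posted above. The Winlogon Notify allowlist is a constructed, partial list; build a real one from a known-clean machine.

```python
"""Triage heuristics for HijackThis v1.99 log lines.

Added example for this thread; it is not part of HijackThis, ComboFix or
Killbox. It only reports candidate entries for a person to review.
"""
import re
from pathlib import PureWindowsPath

# Partial allowlist of Winlogon Notify DLLs that ship with Windows XP
# (constructed for this example; build the real one from a known-clean baseline).
KNOWN_WINLOGON_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
    "wlnotify.dll", "wgalogon.dll",
}

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)   # ...\Temp\... anywhere in a path

# Constructed sample, shaped like the logs posted in this thread.
SAMPLE_LOG = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DC5B2C9E-7845-4C90-873D-44742FB9ED66} - C:\WINDOWS\system32\vtuutuv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\This Computer\Local Settings\Temp\bundle.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\swinroed.exe
O20 - Winlogon Notify: vtuutuv - C:\WINDOWS\SYSTEM32\vtuutuv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: WEAZKNJPHPG - Unknown owner - C:\DOCUME~1\THISCO~1\LOCALS~1\Temp\WEAZKNJPHPG.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def _path_from(rest: str) -> str:
    """Pull the launched file path out of the body of a HijackThis entry."""
    rest = rest.replace(" (file missing)", "").replace(" (HKCU)", "")
    if " = " in rest:                       # O4 Startup / Global Startup: name.lnk = path
        return rest.rsplit(" = ", 1)[1].strip()
    if "Run: [" in rest:                    # O4 HKLM/HKCU Run: [name] "path" args
        cmd = rest.split("] ", 1)[1].strip()
        return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd
    return rest.rsplit(" - ", 1)[-1].strip()  # O2 / O20 / O23: path is the last field


def triage(log_text: str) -> list:
    """Return one finding per suspicious line as {'kind', 'line', 'reason'}."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                        # header lines, process list, blanks
        kind, rest = m.group("kind"), m.group("rest")
        reason = None
        if kind == "R1" and rest.endswith("Default_Page_URL = about:blank"):
            reason = "IE default page reset to about:blank"
        elif kind == "O2" and rest.startswith("BHO: (no name)"):
            reason = "unnamed BHO loading " + _path_from(rest)
        elif kind == "O4" and TEMP_RE.search(_path_from(rest)):
            reason = "startup item launching from a Temp directory"
        elif kind == "O20":
            dll = PureWindowsPath(_path_from(rest)).name.lower()
            if dll not in KNOWN_WINLOGON_NOTIFY_DLLS:
                reason = "unrecognised Winlogon Notify DLL " + dll
        elif kind == "O23":
            path = _path_from(rest)
            if "(file missing)" in rest and TEMP_RE.search(path):
                reason = "service pointing at a missing binary in Temp"
            elif "(file missing)" in rest:
                reason = "service binary missing (stale or removed)"
        if reason:
            findings.append({"kind": kind, "line": raw.strip(), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<4} {f['reason']}")
```

Every flag is a candidate, not a verdict: a legitimate add-on can register an unnamed BHO, and a service whose binary is merely missing is stale rather than malicious. Note also what the rules do not catch: swinroed.exe under SYSTEM32 passes every check here, which is why a person still reads the whole log.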