Posts posted by Brooke

  1. Uh, duh...Thanks.

    I'll check HJT for leads on dealing with the red items and try to digest the others as well.

    Obviously you've considered adding boilerplate recommendations for these things but decided against including them.

    A little later... Reading returns from googling your log analysis implies all items (red and blue) should be removed with HJT.

    Please confirm and thanks, again.

  2. Thanks, no, no new issues.

    Those odd files are still in root C: two exes: rhlj and lcfdx, and another -858939365, no extension. The file modified dates are identical and right about when I became infected. Direct virus and spyware scans of them show nothing. Unless you advise otherwise I will delete.

    I was hoping you would look at the HJT log file below if you did not look at the one above. But I really don't know what that entails and it is long and I am having no known issues.


    Logfile of HijackThis v1.99.1
    Scan saved at 5:51:48 PM, on 2/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Programs - added\AVG AntiSpyware 7.5\guard.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Programs - added\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
    C:\Programs - added\iTunes 7\iTunesHelper.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Programs - added\DoubleSafety - backup program\DoubleSafety.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Programs - added\AVG AntiSpyware 7.5\avgas.exe
    C:\Programs - added\Folder Size 2.3\FolderSizeSvc.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Programs - added\SWFPrinterPro\swfpagent.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Programs - added\RougeRemoverPRO 1.05\RogueRemoverPRO.exe
    C:\Programs - added\utilities\ProcessLibrary\qaccess.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Programs - added\ClipMate 5\ClipMate5\ClipMt50.exe
    C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Programs - added\NaviScope\naviscope.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WksCal.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Programs - added\EditPad 5.2\EditPad.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis 1.99.0.1\analyze.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {31065C7D-466B-E9D6-E5D7-01E29F863683} - C:\WINDOWS\System32\zaxkeak.dll
    O2 - BHO: bxNewFolder - {51C8BCA8-2524-4523-BF09-738C4EEBFC58} - C:\PROGRA~2\NEWFOL~1\BXNEWF~1\BXNEWF~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1.4\SDHelper.dll
    O2 - BHO: (no name) - {562D1B44-9B98-D678-E704-01358FB718F6} - C:\WINDOWS\System32\hcvleb.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programs - added\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Programs - added\iTunes 7\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DoubleSafety] "C:\Programs - added\DoubleSafety - backup program\DoubleSafety.exe" /logon
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programs - added\AVG AntiSpyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [SWF Printer Agent] "C:\Programs - added\SWFPrinterPro\swfpagent.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [RogueMonitor] C:\Programs - added\RougeRemoverPRO 1.05\RogueRemoverPRO.exe /monitor
    O4 - HKCU\..\Run: [Uniblue Quick Access] "C:\Programs - added\utilities\ProcessLibrary\qaccess.exe" /startup
    O4 - Startup: naviscope.lnk = C:\Programs - added\NaviScope\naviscope.exe
    O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: ClipMate5.lnk = C:\Programs - added\ClipMate 5\ClipMate5\ClipMt50.exe
    O4 - Global Startup: Dell Control Utility.lnk = ?
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm
    O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm
    O8 - Extra context menu item: Download using LeechGet - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\AddUrl.html
    O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\Wizard.html
    O8 - Extra context menu item: Parse with LeechGet - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\Parser.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/2_0_0_755/sdcregie.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107468058468
    O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B1953AD6-C50E-11D3-B020-00A0C9251384} (O2C-Player (ELECO Software GmbH)) - http://www.o2c.de/download/o2cplayer.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
    O16 - DPF: {BF3CD111-6278-11D2-9EA3-00A0C9251384} (O2C-Player Version 1.x) - http://www.o2c.de/download/O2CPlayer.CAB
    O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {EF6E7E56-9229-4C73-AAD0-15316405DB95} (Easy Photo Uploader) - http://preview.digiphoart4evergreen.photosite.com/~site/UploadBox/UploadBox_live.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: bt848rom - bt848rom.dll (file missing)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programs - added\AVG AntiSpyware 7.5\guard.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Folder Size (FolderSize) - Brio - C:\Programs - added\Folder Size 2.3\FolderSizeSvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

    Thanks very much for your help.
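The HJT log above is the kind of listing a forum helper reads by eye, section code by section code. As an added example, not HijackThis' own code and not anything posted in this thread, the Python below applies three of the first-pass checks such a helper makes to sample lines copied from the log above: an HTTP proxy pointed at loopback, a Browser Helper Object with no name loaded straight out of System32, and entries whose backing file is already gone. The severity labels ("review", "orphan") and the heuristics are this example's own assumptions. A loopback-proxy hit is only a prompt to confirm which installed program owns that port (a locally installed filtering proxy can legitimately set one), not a verdict.

```python
"""First-pass triage of HijackThis-style log lines.

Added example: this is not HijackThis' own code. It encodes three of the
checks a helper applies by eye before deciding what to fix: an HTTP proxy
that points at loopback, a Browser Helper Object with no name loaded from
System32, and entries whose backing file is already gone (dead registry
entries that can simply be cleaned up).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31065C7D-466B-E9D6-E5D7-01E29F863683} - C:\WINDOWS\System32\zaxkeak.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1.4\SDHelper.dll
O2 - BHO: (no name) - {562D1B44-9B98-D678-E704-01358FB718F6} - C:\WINDOWS\System32\hcvleb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O20 - Winlogon Notify: bt848rom - bt848rom.dll (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
""".strip()


@dataclass
class Finding:
    level: str    # "review": needs a human decision; "orphan": dead registry entry
    section: str  # HijackThis section code, e.g. "R1", "O2", "O20"
    reason: str
    line: str


# "O2 - BHO: ..." -> the section code and the rest of the entry.
SECTION_RE = re.compile(r"^(?P<sec>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
# ProxyServer = http=127.0.0.1:81 (the "http=" protocol prefix is optional).
LOOPBACK_PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost):\d+", re.IGNORECASE)
# A BHO with no name whose DLL lives directly in System32.
NONAME_SYSTEM32_BHO_RE = re.compile(
    r"^BHO: \(no name\) - \{[0-9A-Fa-f-]+\} - (?P<path>.*\\system32\\[^\\]+\.dll)$",
    re.IGNORECASE)
# HijackThis marks entries whose target is gone with one of these suffixes.
MISSING_RE = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log entry; None means the heuristics have nothing to say."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if MISSING_RE.search(body):
        return Finding("orphan", sec, "entry points at a file that no longer exists", line)
    if sec == "R1" and LOOPBACK_PROXY_RE.search(body):
        return Finding("review", sec,
                       "HTTP proxy points at loopback; confirm which installed "
                       "program owns that port", line)
    bho = NONAME_SYSTEM32_BHO_RE.match(body)
    if bho:
        return Finding("review", sec,
                       f"unnamed BHO loaded from System32: {bho.group('path')}", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line and keep only the hits, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per level, e.g. {'review': 3, 'orphan': 3}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.level] = counts.get(f.level, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.level:6}] {f.section:<4} {f.reason}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

Note that the Spybot SDHelper.dll entry is also "(no name)" but is not flagged: the System32 path condition is what narrows the check, and a helper would still confirm any hit against the file's publisher and creation date before acting.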

  3. I did the rustbfix since I saw it at TC for a similar (to the ignorant) huy32 issue.

    Current pelog.txt:

    ************************* Rustock.b-fix -- By ejvindh *************************

    Wed 02/07/2007 15:27:09.43

    ******************* Pre-run Status of system *******************

    Rootkit driver huy32 is found. Starting the unload-procedure....

    Rustock.b-ADS attached to the System32-folder:

    :huy32.sys 70570

    Total size: 70570 bytes.

    Attempting to remove ADS...

    system32: deleted 70570 bytes in 1 streams.

    Looking for Rustock.b-files in the System32-folder:

    No Rustock.b-files found in system32

    ******************* Post-run Status of system *******************

    Rustock.b-driver on the system: NONE!

    Rustock.b-ADS attached to the System32-folder:

    No System32-ADS found.

    Looking for Rustock.b-files in the System32-folder:

    No Rustock.b-files found in system32

    ******************************* End of Logfile ********************************

    Current avenger.txt:

    Logfile of The Avenger version 1, by Swandog46

    Running from registry key:

    \Registry\Machine\System\CurrentControlSet\Services\kkecmjqx

    *******************

    Script file located at: \??\C:\Documents and Settings\lkudutco.txt

    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Driver huy32 unloaded successfully.

    Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

    Completed script processing.

    *******************

    Finished! Terminate.

    Current hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:49:22 PM, on 2/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Programs - added\AVG AntiSpyware 7.5\guard.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Programs - added\Folder Size 2.3\FolderSizeSvc.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
    C:\Programs - added\iTunes 7\iTunesHelper.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    C:\Programs - added\DoubleSafety -  backup program\DoubleSafety.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Programs - added\AVG AntiSpyware 7.5\avgas.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Programs - added\RougeRemoverPRO 1.04\RogueRemoverPRO.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Programs - added\ClipMate 5\ClipMate5\ClipMt50.exe
    C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Programs - added\NaviScope\naviscope.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Programs - added\IrView 3.95\i_view32.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\SurMixer.exe
    C:\Programs - added\EditPad 5.2\EditPad.exe
    C:\Program Files\HijackThis 1.99.0.1\analyze.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {31065C7D-466B-E9D6-E5D7-01E29F863683} - C:\WINDOWS\System32\zaxkeak.dll
    O2 - BHO: bxNewFolder - {51C8BCA8-2524-4523-BF09-738C4EEBFC58} - C:\PROGRA~2\NEWFOL~1\BXNEWF~1\BXNEWF~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1.4\SDHelper.dll
    O2 - BHO: (no name) - {562D1B44-9B98-D678-E704-01358FB718F6} - C:\WINDOWS\System32\hcvleb.dll
    O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programs - added\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Programs - added\iTunes 7\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DoubleSafety] "C:\Programs - added\DoubleSafety -  backup program\DoubleSafety.exe" /logon
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programs - added\AVG AntiSpyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [RogueMonitor] C:\Programs - added\RougeRemoverPRO 1.04\RogueRemoverPRO.exe /monitor
    O4 - Startup: naviscope.lnk = C:\Programs - added\NaviScope\naviscope.exe
    O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: ClipMate5.lnk = C:\Programs - added\ClipMate 5\ClipMate5\ClipMt50.exe
    O4 - Global Startup: Dell Control Utility.lnk = ?
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm
    O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm
    O8 - Extra context menu item: Download using LeechGet - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\AddUrl.html
    O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\Wizard.html
    O8 - Extra context menu item: Parse with LeechGet - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\Parser.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/2_0_0_755/sdcregie.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107468058468
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
    O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B1953AD6-C50E-11D3-B020-00A0C9251384} (O2C-Player (ELECO Software GmbH)) - http://www.o2c.de/download/o2cplayer.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
    O16 - DPF: {BF3CD111-6278-11D2-9EA3-00A0C9251384} (O2C-Player Version 1.x) - http://www.o2c.de/download/O2CPlayer.CAB
    O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {EF6E7E56-9229-4C73-AAD0-15316405DB95} (Easy Photo Uploader) - http://preview.digiphoart4evergreen.photosite.com/~site/UploadBox/UploadBox_live.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: bt848rom - bt848rom.dll (file missing)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programs - added\AVG AntiSpyware 7.5\guard.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Folder Size (FolderSize) - Brio - C:\Programs - added\Folder Size 2.3\FolderSizeSvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

    Through due diligence, perhaps a brighter tomorrow.

  4. Will do.

    Gmer finished the second time.

    Log:



    GMER 1.0.12.12027 - http://www.gmer.net
    Rootkit scan 2007-02-07 13:43:36
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT \??\C:\Programs - added\AVG AntiSpyware 7.5\guard.sys ZwOpenProcess
    SSDT \??\C:\Programs - added\AVG AntiSpyware 7.5\guard.sys ZwTerminateProcess

    INT 0x06 \??\C:\WINDOWS\System32\drivers\Haspnt.sys A944416D
    INT 0x0E \??\C:\WINDOWS\System32\drivers\Haspnt.sys A9443FC2

    SYSENTER \??\C:\WINDOWS\System32:huy32.sys A9D66BCC

    Code \??\C:\WINDOWS\System32:huy32.sys pIofCallDriver

    ---- Kernel code sections - GMER 1.0.12 ----

    .text ntoskrnl.exe!Kei386EoiHelper + 4E0 804DF53C 3 Bytes [ BD, C5, 6C ]
    .text tcpip.sys!IPTransmit + 10B7 A9C48CFA 6 Bytes CALL A9D68995 \??\C:\WINDOWS\System32:huy32.sys
    .text tcpip.sys!IPTransmit + 24D9 A9C4A11C 6 Bytes CALL A9D68995 \??\C:\WINDOWS\System32:huy32.sys
    .text tcpip.sys!IPTransmit + 4662 A9C4C2A5 6 Bytes CALL A9D68995 \??\C:\WINDOWS\System32:huy32.sys
    .text wanarp.sys BA76F3FD 7 Bytes CALL A9D6899F \??\C:\WINDOWS\System32:huy32.sys

    ---- User code sections - GMER 1.0.12 ----

    .text C:\WINDOWS\explorer.exe[1768] SHELL32.dll!SHFileOperationW 7CA6FB3E 5 Bytes JMP 00B31102 C:\Program Files\Unlocker\UnlockerHook.dll

    ---- Devices - GMER 1.0.12 ----

    Device \Driver\aksusb \Device000007f IRP_MJ_CREATE [A9AE825F] AKSCLASS.SYS
    Device \Driver\aksusb \Device000007f IRP_MJ_CLOSE [A9AE825F] AKSCLASS.SYS
    Device \Driver\aksusb \Device000007f IRP_MJ_DEVICE_CONTROL [A9AE73FD] AKSCLASS.SYS
    Device \Driver\aksusb \Device000007f IRP_MJ_INTERNAL_DEVICE_CONTROL [A9AE7573] AKSCLASS.SYS
    Device \Driver\aksusb \Device000007f IRP_MJ_POWER [A9AE847F] AKSCLASS.SYS
    Device \Driver\aksusb \Device000007f IRP_MJ_SYSTEM_CONTROL [A9AE8061] AKSCLASS.SYS
    Device \Driver\aksusb \Device000007f IRP_MJ_PNP [A9AE8F15] AKSCLASS.SYS

    ---- Services - GMER 1.0.12 ----

    Service C:\WINDOWS\System32:huy32.sys (*** hidden *** ) [SYSTEM] huy32 <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.12 ----

    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Type 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Start 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ErrorControl 0
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@DisplayName Win23 lzx files loader
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Group Base
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Checked 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Type 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Start 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ErrorControl 0
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@DisplayName Win23 lzx files loader
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Group Base
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Checked 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32\Security
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Type 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Start 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ErrorControl 0
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@DisplayName Win23 lzx files loader
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Group Base
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Checked 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32\Enum
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Type 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Start 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ErrorControl 0
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@DisplayName Win23 lzx files loader
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Group Base
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\huy32@Checked 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Type 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Start 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ErrorControl 0
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@DisplayName Win23 lzx files loader
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Group Base
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Checked 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Type 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Start 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ErrorControl 0
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@DisplayName Win23 lzx files loader
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Group Base
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Checked 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32\Security
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Type 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Start 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ErrorControl 0
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@DisplayName Win23 lzx files loader
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Group Base
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\huy32@Checked 1
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Type 1
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Start 1
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ErrorControl 0
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@DisplayName Win23 lzx files loader
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Group Base
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Checked 1
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Type 1
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Start 1
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ErrorControl 0
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@DisplayName Win23 lzx files loader
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Group Base
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Checked 1
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32\Security
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Type 1
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Start 1
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ErrorControl 0
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@DisplayName Win23 lzx files loader
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Group Base
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Checked 1
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32\Enum
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Type 1
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Start 1
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ErrorControl 0
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ImagePath \??\C:\WINDOWS\System32:huy32.sys
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@DisplayName Win23 lzx files loader
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Group Base
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@ExtParam 0xB0 0xFE 0x46 0x1A ...
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\huy32@Checked 1

    ---- Files - GMER 1.0.12 ----

    ADS C:\WINDOWS\SYSTEM32:huy32.sys <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.12 ----
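
The log above reads more easily once its findings are separated by who owns each hook. The script below is an added example written for this page, not GMER's own code and not anything posted in the thread: it parses the GMER sections shown above (the sample lines embedded in it are copied from the post) and classifies every SSDT, interrupt, SYSENTER and inline hook by its owning module. The rule it applies is the one the log itself points at: a module path with a second colon after the drive letter (System32:huy32.sys) is an NTFS alternate data stream, and a kernel hook owned by a module stored that way, a service GMER marks hidden, or an ADS entry is treated as a rootkit indicator. The allow-list of expected hook owners (the AVG Anti-Spyware guard driver and the HASP dongle driver named in the log) is an assumption made for the example; a real triage would verify file signatures, not file names.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: a subset of the GMER log in the post above, embedded here so
# the example runs offline.
SAMPLE_LOG = r"""
---- System - GMER 1.0.12 ----

SSDT \??\C:\Programs - added\AVG AntiSpyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Programs - added\AVG AntiSpyware 7.5\guard.sys ZwTerminateProcess
INT 0x06 \??\C:\WINDOWS\System32\drivers\Haspnt.sys A944416D
SYSENTER \??\C:\WINDOWS\System32:huy32.sys A9D66BCC

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!Kei386EoiHelper + 4E0 804DF53C 3 Bytes [ BD, C5, 6C ]
.text tcpip.sys!IPTransmit + 10B7 A9C48CFA 6 Bytes CALL A9D68995 \??\C:\WINDOWS\System32:huy32.sys
.text wanarp.sys BA76F3FD 7 Bytes CALL A9D6899F \??\C:\WINDOWS\System32:huy32.sys

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\explorer.exe[1768] SHELL32.dll!SHFileOperationW 7CA6FB3E 5 Bytes JMP 00B31102 C:\Program Files\Unlocker\UnlockerHook.dll

---- Services - GMER 1.0.12 ----

Service C:\WINDOWS\System32:huy32.sys (*** hidden *** ) [SYSTEM] huy32 <-- ROOTKIT !!!

---- Files - GMER 1.0.12 ----

ADS C:\WINDOWS\SYSTEM32:huy32.sys <-- ROOTKIT !!!
"""

# Assumption for the example: hook owners accepted as legitimate on this
# machine. Real triage would check the files' signatures, not just names.
EXPECTED_HOOK_OWNERS = {"guard.sys", "haspnt.sys"}

SECTION = re.compile(r"^---- (?P<name>.+?) - GMER")
# A Windows path ending in a driver/library/executable name. The optional
# \??\ prefix is the NT object-manager form GMER prints for kernel modules.
WIN_PATH = re.compile(r"(?:\\\?\?\\)?([A-Za-z]:\\.+?\.(?:sys|dll|exe))", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    kind: str      # hook, hidden_service, service, ads_file
    module: str    # owning module or file, "(no module)" if GMER printed none
    severity: str  # expected, review, rootkit
    line: str


def is_ads_path(path: str) -> bool:
    """A colon after the drive letter means the module is stored in an NTFS
    alternate data stream (here: stream huy32.sys of the System32 folder)."""
    return ":" in path[2:]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].split(":")[-1].lower()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION.match(line)
        if sec:
            section = sec.group("name")
            continue
        paths = WIN_PATH.findall(line)
        owner = paths[-1] if paths else ""  # the last path on a hook line is its owner
        if line.startswith(("SSDT", "INT ", "SYSENTER", "Code ", ".text")):
            kind = "hook"
            if not owner:
                severity = "review"      # patched bytes with no attributable module
            elif is_ads_path(owner):
                severity = "rootkit"     # kernel hook owned by code hidden in an ADS
            elif basename(owner) in EXPECTED_HOOK_OWNERS:
                severity = "expected"
            else:
                severity = "review"
        elif line.startswith("Service") and owner:
            kind = "hidden_service" if "hidden" in line else "service"
            severity = "rootkit" if kind == "hidden_service" or is_ads_path(owner) else "review"
        elif line.startswith("ADS") and owner:
            kind, severity = "ads_file", "rootkit"
        else:
            continue  # Device and Reg lines are context; they add no new module
        findings.append(Finding(section, kind, owner or "(no module)", severity, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group finding modules by severity."""
    out: dict[str, list[str]] = {"rootkit": [], "review": [], "expected": []}
    for f in findings:
        out[f.severity].append(f.module)
    return out


def ads_modules(findings: list[Finding]) -> list[str]:
    """Distinct ADS-hosted modules, lower-cased: the files a cleanup must remove."""
    return sorted({f.module.lower() for f in findings
                   if f.module != "(no module)" and is_ads_path(f.module)})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.severity:8} {f.kind:14} {f.module}")
    print("ADS-hosted modules:", ads_modules(found))
```

Run on the sample it reports ten findings: three expected hooks, two to review (the 3-byte patch in ntoskrnl.exe that GMER attributes to no module, and the user-mode SHFileOperationW hook from Unlocker, a tool the user installed), and five rootkit indicators that all resolve to one ADS-hosted file. The ADS detail is what makes the file hard to find with Explorer or Windows search, which matches the trouble reported later in the thread.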


  5. RootkitRevealer hung twice on cleanup, or appeared to. Second run got further and exited OK. Allowed a log save, as follows:

    HKU\S-1-5-21-4275444482-3655707654-1986034232-1005\RemoteAccess\InternetProfile 8/2/2004 1:16 PM 21 bytes Data mismatch between Windows API and raw hive data.

    HKLM\SECURITY\Policy\Secrets\SAC* 9/3/2002 5:55 PM 0 bytes Key name contains embedded nulls (*)

    HKLM\SECURITY\Policy\Secrets\SAI* 9/3/2002 5:55 PM 0 bytes Key name contains embedded nulls (*)

    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 2/7/2007 10:26 AM 80 bytes Data mismatch between Windows API and raw hive data.

    C:\System Volume Information\catalog.wci0010001.ci 2/7/2007 10:32 AM 44.00 KB Visible in directory index, but not Windows API or MFT.

    C:\System Volume Information\catalog.wci0010001.dir 2/7/2007 10:32 AM 682 bytes Visible in directory index, but not Windows API or MFT.

    C:\System Volume Information\catalog.wci\CiFLfffc.000 2/7/2007 9:46 AM 240 bytes Visible in Windows API, MFT, but not in directory index.

    C:\System Volume Information\catalog.wci\CiFLfffc.001 2/7/2007 9:46 AM 64.00 KB Visible in Windows API, MFT, but not in directory index.

    C:\System Volume Information\catalog.wci\CiFLfffc.002 2/7/2007 9:46 AM 64.00 KB Visible in Windows API, MFT, but not in directory index.

    C:\System Volume Information\catalog.wci\CiFLfffd.000 2/7/2007 10:32 AM 240 bytes Visible in directory index, but not Windows API or MFT.

    C:\System Volume Information\catalog.wci\CiFLfffd.001 2/7/2007 10:32 AM 64.00 KB Visible in directory index, but not Windows API or MFT.

    C:\System Volume Information\catalog.wci\CiFLfffd.002 2/7/2007 10:32 AM 64.00 KB Visible in directory index, but not Windows API or MFT.

    Also ran gmer, which showed huy32.sys presence and was scanning when the blue screen came: "BAD_POOL_HEADER"

  6. OK, back to where I was, fairly clean...still wondering about those c:\ files. They remain.

    Re-deleted offender ctpmon at boot and ran smitfraudfix search and then clean at safe boot. It seems to have edited the hosts file as you advised, so that is done. RogueRemover Pro has been updated and a scan done, both automatically and manually: it says the system is immunized.

    Looking for a rootkit scanner as per smitfraudfix advice: "huy32 detected, use a Rootkit scanner." Thoughts on that one? Searches turn up "gmer." http://www.gmer.net/index.php

  7. Well...I may have re-opened some door. My malady has returned.

    I remembered running smitfraudfix and it having said it found nothing, but I went to root c: to see if I could find its report (rapport.txt). It was not there, but two unknown exe files were: rhlj and lcfdx, and another -858939365, no extension. In the process of searching for info on them I may have double-clicked one. The file modified dates are identical and right about when I became infected.

    I'll try to get back to where I was moments ago......

  8. My prescription:

    • 1. run smitfraudfix.

    • 2. replace hosts file as below.

    • 3. reimmunize with RogueRemover.

    • 4. edit hosts file, changing all 127.0.0.1 entries to 0.0.0.0 except for the localhost entry.

    Meanwhile, thanks very much, Tarun. I won't gush about the lump in my gut, still present, which this issue has given me, and from which you will, I hope, at some future point set me free.

  9. Though Windows search failed to find it (why often so unreliable?), it was there, in: C:\WINDOWS\SYSTEM32

    It's possible the file was hidden or certain search parameters were not able to find it as they may not have been selected. You found it though.

    I only mentioned that because I have probs with Windows search. There were no params listed, just find the file.ext on C: looking everywhere. Sometimes I do a search for files modified in some time period up to present, then do some work and do the search again assuming it would return previously listed files plus newly modified ones, but it says no files found. Just a wee bit off-topic.

    Fileassassin failed to delete it. (In fact I've got 2 of the icons (white X on red shield) now in my sys tray.) Unlocker found no locking handle.

    Was Unlocker able to delete it?

    Unlocker nailed it on re-boot!!!! I can't find it in the directory; the icon is not there. Whoooppeeee.

    FYI: When I tried to fileassassin it before, it seemed to replicate itself, apparently unnecessarily as it never was assassinated...until reboot.

    What do I do with the hosts file?

    Paste your Hosts file contents here in a codebox using the codebox BBCode.

    I pasted the new hosts file below.

    You will want to run SmitFraudFix which can be found here, along with instructions.

    I had run smitfraudfix before. Did you see recurring signs of smitfraud?

    Brooke-hosts-01:

     

    127.0.0.1 localhost
    127.0.0.1 bleepingcomputer.com
    127.0.0.1 www.bleepingcomputer.com
    127.0.0.1 boskak.za.net
    127.0.0.1 bullguard.com
    127.0.0.1 www.bullguard.com
    127.0.0.1 castlecops.com
    127.0.0.1 www.castlecops.com
    127.0.0.1 cleanup.stevengould.org
    127.0.0.1 compu-docs.com
    127.0.0.1 www.compu-docs.com

    127.0.0.1 depannetonpc.net
    127.0.0.1 www.depannetonpc.net
    127.0.0.1 download.bleepingcomputer.com
    127.0.0.1 ewido.net
    127.0.0.1 www.ewido.net
    127.0.0.1 fileinfo.prevx.com
    127.0.0.1 forum.arovax.com
    127.0.0.1 forum.idg.pl
    127.0.0.1 forums.digitaltrends.com
    127.0.0.1 forums.spybot.info

    127.0.0.1 forums.techguy.org
    127.0.0.1 forums.tomcoyote.org
    127.0.0.1 forums.us.dell.com
    127.0.0.1 greyknight17.com
    127.0.0.1 www.greyknight17.com
    127.0.0.1 help.lockergnome.com
    127.0.0.1 infos-du-net.com
    127.0.0.1 www.infos-du-net.com
    127.0.0.1 innovative-sol.com
    127.0.0.1 www.innovative-sol.com

    127.0.0.1 mytechsupport.ca
    127.0.0.1 www.mytechsupport.ca

    127.0.0.1 research.sunbelt-software.com
    127.0.0.1 siri.urz.free.fr
    127.0.0.1 spywareinfo.dk
    127.0.0.1 www.spywareinfo.dk
    127.0.0.1 stevengould.org
    127.0.0.1 www.stevengould.org
    127.0.0.1 superantispyware.com
    127.0.0.1 www.superantispyware.com

    127.0.0.1 www.techsupportforum.com

    #RogueRemover PRO Immunization Start

    # about 1409 entries here #

    #RogueRemover PRO Immunization End
    # Start of entries inserted by Spybot - Search & Destroy
    # End of entries inserted by Spybot - Search & Destroy
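
As an added example for the prescription above (steps 2 and 4) and for the hosts file just posted, not code from the thread, from SmitFraudFix or from RogueRemover: a Python pass over a hosts file that does two things. It drops any 127.0.0.1 or 0.0.0.0 entry whose hostname belongs to a support or anti-malware site (entries like the bleepingcomputer.com and castlecops.com lines above are what stops the machine from reaching help, which is why step 2 replaces the file rather than keeping them), and it converts every remaining 127.0.0.1 blocking entry to 0.0.0.0 while leaving the localhost line alone, as step 4 asks. The domain watch-list is an assumption built from the names in the posted file; the sample hosts text is constructed, with its immunization entries invented under the reserved .invalid name.

```python
from __future__ import annotations

# Constructed sample: a few lines copied from the hosts file in the post, plus
# two invented immunization entries under the reserved .invalid name.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 bleepingcomputer.com
127.0.0.1 www.bleepingcomputer.com
127.0.0.1 castlecops.com
127.0.0.1 forums.techguy.org
#RogueRemover PRO Immunization Start
127.0.0.1 rogue-example.invalid   # constructed entry
127.0.0.1 www.rogue-example.invalid
#RogueRemover PRO Immunization End
"""

# Assumption: support and anti-malware sites no legitimate tool would
# sinkhole, taken from the domains that appear in the posted hosts file.
SUPPORT_SITE_DOMAINS = {
    "bleepingcomputer.com", "castlecops.com", "techguy.org", "spybot.info",
    "superantispyware.com", "stevengould.org", "sunbelt-software.com",
    "bullguard.com", "prevx.com", "ewido.net", "techsupportforum.com",
}

SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0"}


def is_watched(host: str, domains: set[str]) -> bool:
    """True if host is one of the watched domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_and_normalize(text: str, domains: set[str]) -> tuple[str, list[str], int]:
    """Return (rewritten hosts text, hostnames dropped because they sinkhole a
    support site, number of entries converted from 127.0.0.1 to 0.0.0.0)."""
    out: list[str] = []
    dropped: list[str] = []
    converted = 0
    for raw in text.splitlines():
        stripped = raw.lstrip()
        fields = stripped.split("#", 1)[0].split()   # ignore trailing comments
        if len(fields) < 2:
            out.append(raw)          # blank, comment-only or malformed: keep verbatim
            continue
        ip, names = fields[0], fields[1:]
        if "localhost" in (n.lower() for n in names):
            out.append(raw)          # the loopback entry that must stay 127.0.0.1
            continue
        blocked = [n for n in names if is_watched(n, domains)]
        if ip in SINKHOLE_IPS and blocked:
            dropped.extend(blocked)  # a hosts entry hiding a help site: remove, don't convert
            continue
        if ip == "127.0.0.1":
            out.append("0.0.0.0" + stripped[len(ip):])   # keep spacing and comment
            converted += 1
            continue
        out.append(raw)
    return "\n".join(out) + "\n", dropped, converted


if __name__ == "__main__":
    new_text, dropped, converted = audit_and_normalize(SAMPLE_HOSTS, SUPPORT_SITE_DOMAINS)
    print("dropped:", dropped)
    print("converted:", converted)
    print(new_text)
```

On a live machine the input is %SystemRoot%\system32\drivers\etc\hosts, which, as noted in the thread, may need its read-only attribute cleared before the rewritten text can be saved back. The two outcomes are kept apart on purpose: a support-site block is evidence of the infection and goes into the dropped list for the cleanup notes, while an immunization entry is wanted and is only changed from 127.0.0.1 to 0.0.0.0, the form Tarun asked for in step 4.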

  10. DONE - uninstall AVG Free Anti-Virus.

    YES - you've run all of the scans in the Anti-Malware package?

    This file could be a source of problems. O4 - HKCU\..\Run: [ctpmon] ctpmon.exe

    Though Windows search failed to find it (why often so unreliable?), it was there, in: C:\WINDOWS\SYSTEM32

    Do a search for ctpmon and once found you should delete it. If you are unable to delete it; you should use a program like Unlocker or FileASSASSIN.

    Fileassassin failed to delete it. (In fact I've got 2 of the icons (white X on red shield) now in my sys tray.) Unlocker found no locking handle.

    You should also check your Hosts file. It can be found in %SystemRoot%\system32\drivers\etc\ and you may need to right-click it and remove the Read-Only status.

    What do I do with the hosts file?

  11. Tarun, since I followed your procedures rather than those prescribed at Malwarebytes, I'm posting here. My thread there is http://www.malwarebytes.org/forums/index.p...&#entry2172.

    (Would you prefer these logfiles as attachments?)

    Logfile of HijackThis v1.99.1
    Scan saved at 8:52:01 AM, on 2/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Programs - added\AVG AntiSpyware 7.5\guard.exe
    C:\PROGRA~2\AVG7~1.5AN\avgamsvr.exe
    C:\PROGRA~2\AVG7~1.5AN\avgupsvc.exe
    C:\PROGRA~2\AVG7~1.5AN\avgemc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Programs - added\Folder Size 2.3\FolderSizeSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Programs - added\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
    C:\Programs - added\iTunes 7\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Programs - added\DoubleSafety - backup program\DoubleSafety.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~2\AVG7~1.5AN\avgcc.exe
    C:\Programs - added\AVG AntiSpyware 7.5\avgas.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctpmon.exe
    C:\Programs - added\RougeRemoverPRO 1.04\RogueRemoverPRO.exe
    C:\WINDOWS\system32\ctpmon.exe
    C:\Programs - added\ClipMate 5\ClipMate5\ClipMt50.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Programs - added\NaviScope\naviscope.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Programs - added\SpyBot Search and Destroy 1.4\SpybotSD.exe
    C:\PROGRA~2\AVG7~1.5AN\avgw.exe
    C:\Program Files\HijackThis 1.99.0.1\analyze.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {31065C7D-466B-E9D6-E5D7-01E29F863683} - C:\WINDOWS\System32\zaxkeak.dll
    O2 - BHO: bxNewFolder - {51C8BCA8-2524-4523-BF09-738C4EEBFC58} - C:\PROGRA~2\NEWFOL~1\BXNEWF~1\BXNEWF~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1.4\SDHelper.dll
    O2 - BHO: (no name) - {562D1B44-9B98-D678-E704-01358FB718F6} - C:\WINDOWS\System32\hcvleb.dll
    O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programs - added\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Programs - added\iTunes 7\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DoubleSafety] "C:\Programs - added\DoubleSafety - backup program\DoubleSafety.exe" /logon
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\AVG7~1.5AN\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programs - added\AVG AntiSpyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
    O4 - HKCU\..\Run: [RogueMonitor] C:\Programs - added\RougeRemoverPRO 1.04\RogueRemoverPRO.exe /monitor
    O4 - Startup: naviscope.lnk = C:\Programs - added\NaviScope\naviscope.exe
    O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: ClipMate5.lnk = C:\Programs - added\ClipMate 5\ClipMate5\ClipMt50.exe
    O4 - Global Startup: Dell Control Utility.lnk = ?
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm
    O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm
    O8 - Extra context menu item: Download using LeechGet - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\AddUrl.html
    O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\Wizard.html
    O8 - Extra context menu item: Parse with LeechGet - file://C:\Programs - added\LeechGet 1.1\LeechGet 2004\\Parser.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/regis...55/sdcregie.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107468058468
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl...indows-i586.cab
    O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B1953AD6-C50E-11D3-B020-00A0C9251384} (O2C-Player (ELECO Software GmbH)) - http://www.o2c.de/download/o2cplayer.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab
    O16 - DPF: {BF3CD111-6278-11D2-9EA3-00A0C9251384} (O2C-Player Version 1.x) - http://www.o2c.de/download/O2CPlayer.CAB
    O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
    O16 - DPF: {EF6E7E56-9229-4C73-AAD0-15316405DB95} (Easy Photo Uploader) - http://preview.digiphoart4evergreen.photos...oadBox_live.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: bt848rom - bt848rom.dll (file missing)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programs - added\AVG AntiSpyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\AVG7~1.5AN\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\AVG7~1.5AN\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~2\AVG7~1.5AN\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Folder Size (FolderSize) - Brio - C:\Programs - added\Folder Size 2.3\FolderSizeSvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
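
HijackThis lists entries but does not judge them, which is why the analysis in this thread had to happen by hand and by searching. The script below is an added example written for this page, not HijackThis code and not the analysis Tarun did: it runs a few review heuristics over the log format shown above (the embedded sample is a subset of the posted log) and reports entries worth checking on disk: an Internet Explorer proxy setting that points at the machine itself, an unnamed BHO loaded straight from System32 rather than a product folder, a Run entry given as a bare file name rather than a full path (which is how ctpmon appears above, and why it then had to be located by search), any entry marked (file missing), and a process image that appears more than once in the running-process list. These rules flag items for review; they do not decide that a file is malicious, and the files in the sample are named only because they appear in the posted log.

```python
import re
from collections import Counter

# Constructed sample: a subset of the HijackThis log above, embedded here so
# the example runs offline.
SAMPLE_HJT = r"""
Logfile of HijackThis v1.99.1
Scan saved at 8:52:01 AM, on 2/6/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctpmon.exe
C:\Programs - added\RougeRemoverPRO 1.04\RogueRemoverPRO.exe
C:\WINDOWS\system32\ctpmon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
O2 - BHO: (no name) - {31065C7D-466B-E9D6-E5D7-01E29F863683} - C:\WINDOWS\System32\zaxkeak.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1.4\SDHelper.dll
O2 - BHO: (no name) - {562D1B44-9B98-D678-E704-01358FB718F6} - C:\WINDOWS\System32\hcvleb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
O20 - Winlogon Notify: bt848rom - bt848rom.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

ENTRY = re.compile(r"^(?P<code>R\d|O\d+)\s+-\s+(?P<body>.*)$")
BHO = re.compile(r"^BHO:\s+(?P<name>.*?)\s+-\s+\{[0-9A-Fa-f-]+\}\s+-\s+(?P<path>.*)$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
DRIVE = re.compile(r"^[A-Za-z]:\\")


def triage_hjt(log_text: str):
    """Return (rule, detail) pairs worth a second look. These are review
    heuristics, not verdicts: each hit still needs the file checked on disk."""
    findings = []
    processes = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY.match(line)
        if m is None:
            if in_procs and DRIVE.match(line):
                processes.append(line)
            continue
        in_procs = False
        code, body = m.group("code"), m.group("body")
        if "(file missing)" in body:
            # Startup, Winlogon Notify or service entry whose file is gone:
            # a leftover from a removal, or a file hidden from the Windows API.
            findings.append(("missing-file", line))
        if code == "R1" and "ProxyServer" in body and "127.0.0.1" in body:
            # IE routed through a proxy on this machine; confirm which installed
            # program listens on that port before deciding what it is.
            findings.append(("local-proxy", body.split("=", 1)[1].strip()))
        elif code == "O2":
            b = BHO.match(body)
            if b and b.group("name") == "(no name)" and "\\windows\\system32\\" in b.group("path").lower():
                # Unnamed BHO loaded straight from System32 rather than a product folder.
                findings.append(("unnamed-bho-in-system32", b.group("path")))
        elif code == "O4":
            r = RUN.match(body)
            if r and "\\" not in r.group("cmd").strip('"'):
                # Bare file name: resolved through the search path at logon, so the
                # log alone does not say which file actually runs.
                findings.append(("bare-run-entry", r.group("cmd")))
    for path, n in Counter(p.lower() for p in processes).items():
        if n > 1:
            findings.append(("duplicate-process", f"{path} x{n}"))
    return findings


def count_by_rule(findings) -> dict:
    """Number of findings per rule, for a quick overview."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, detail in triage_hjt(SAMPLE_HJT):
        print(f"{rule:24} {detail}")
```

On the sample this yields eight review items, two of them pointing at ctpmon.exe (a bare Run entry and a process listed twice), which is the entry the thread eventually chased down in C:\WINDOWS\SYSTEM32. The proxy hit is deliberately reported as a question, not an answer: the same log lists WebWasher and NaviScope, either of which could own a local listener, so the right next step is to see what is bound to port 81 rather than to remove the setting blind.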
