
Trojan Generic3.GII Problem(s)

Discussion in 'Malware and Virus Removal Archive' started by Master Green, 2007/03/10.

Thread Status:
Not open for further replies.
  1. 2007/03/12
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Logfile of HijackThis v1.99.1
    Scan saved at 10:31:19 AM, on 3/12/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\EarthLink 5.0\etoolbar.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Killer.exe\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe "
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108584393156
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: igmzfjhr - C:\WINDOWS\SYSTEM32\bhkabhk.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  2. 2007/03/12
    Master Green

    Master Green Inactive Thread Starter

    Hi Geri,
    I had to add this separately from the Hijacklog because once again it rebooted in the middle of posting the log.

    After I unchecked "Load SpySweeper at startup" the other two items "Home Page Shield and Automatically restore default without notification" were not listed as options and maybe that is because the SpySweeper is a free version and not a paid one ???

    When Killbox was set up to run, I could not find in the System32 folder "bhkabhk.dll" folder...It was there prior to running Killbox but is not listed now even though the AVG is still detecting it.

    Before rebooting the computer, WinPatrol detected an attempt to change the Hosts file by "AVGAS.exe"...The recommendation was to block the change and that is what I selected...Upon rebooting the computer, a black screen appeared "Hardware Profile/Configuration recovery menu"...The only choice was to select "Profile 1" and F1 for Last known good configuration or F3 to restart computer...I went with F3 and it booted up normally and it was then I was able to submit the last HijackLog...Not sure what this is all about but for now I guess it is what it is ???
     


  4. 2007/03/12
    Master Green

    Master Green Inactive Thread Starter

    Hi Geri,
    Where this particular computer has had so many infections and the ongoing battle of trying to remove this dll/trojan infection, would the "Hardware Profile Configuration Menu" have any part in the difficulty of removing such? The reason I am asking is, because that screen popped up unexpectedly today and in searching for more info on it thru Google I have come across scores of info that it's a possibility a trojan can hide there...Before I journeyed in that direction I wanted to seek your opinion...

    While I have a moment, I also wanted to thank you for your assistance and expertise with a difficult situation as this one...Very much appreciated...
     
  5. 2007/03/12
    Master Green

    Master Green Inactive Thread Starter

    Hi,
    Just wanted to add another twist to our dilemma...I did an inquiry in Google about an entry in current version (Hkey_Local_Machine), about "dmkch.exe" and up came all the postings on this problem...The file/path that I originally posted "C:\WINDOWS\system32\bhkabhk.dll" was now C:\WINDOWS\system32\dmkch.exe...So after seeing that and a little Google work I deleted it along with two other entries "d" and "mbjsc"...The sad part is it made no difference in trying to delete C:\WINDOWS\system32\bhkabhk.dll or Trojan Generic3.GII
    Before deleting those, I checked the registry on the other two computers I have set up at my house and those entries did not exist...

    I also did a complete survey of all listings for BHO and CLSID's at www.castlecops.com for info on: 2A904E40-731D-4881-83FB-04EFDEE88C3B and found nothing...I followed that up with trying to delete such in safe mode thru administrator and owner with no luck...
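
Added example, not part of the original thread and not code from HijackThis or any other tool named here: a small Python triage over the O2 (BHO) and O20 (Winlogon Notify) lines copied from the HijackThis log in the first post. The three heuristics and the two-signal threshold are assumptions chosen for illustration; they rank entries for a closer look and are not a verdict on any file.

```python
import ntpath
import re
from collections import defaultdict

# O2 and O20 lines copied verbatim from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: igmzfjhr - C:\WINDOWS\SYSTEM32\bhkabhk.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")


def parse_autoruns(log_text):
    """Return one dict per O2 / O20 line; every other line is ignored."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for section, pattern in (("O2", O2_RE), ("O20", O20_RE)):
            match = pattern.match(line)
            if match:
                entry = match.groupdict()
                entry["section"] = section
                entry["path"] = entry["path"].strip()
                entries.append(entry)
                break
    return entries


def triage(entries, threshold=2):
    """Group entries by file (case-insensitive) and collect triage signals.

    Heuristics (assumptions for this example, not HijackThis behaviour):
      1. the same file is registered at more than one kind of launch point
      2. the file is a BHO registered without a display name
      3. the file is a BHO sitting directly in the system32 directory
    Only files with at least `threshold` signals are returned.
    """
    by_path = defaultdict(list)
    for entry in entries:
        # The log mixes "system32" and "SYSTEM32"; normcase folds them together.
        by_path[ntpath.normcase(entry["path"])].append(entry)

    findings = {}
    for path, group in by_path.items():
        reasons = []
        sections = sorted({e["section"] for e in group})
        if len(sections) > 1:
            reasons.append("registered at several launch points: " + ", ".join(sections))
        bhos = [e for e in group if e["section"] == "O2"]
        if any(e["name"] == "(no name)" for e in bhos):
            reasons.append("BHO has no display name")
        if bhos and ntpath.dirname(path).endswith("\\system32"):
            reasons.append("BHO DLL lives directly in system32")
        if len(reasons) >= threshold:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_autoruns(SAMPLE_LOG)).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The nameless SDHelper.dll entry trips only one signal and stays below the threshold, which is why a single heuristic is not used on its own.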
     
  6. 2007/03/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Master Green

    This is a hard one :(
    As far as the "a black screen appeared "Hardware Profile/Configuration recovery menu" There is nothing we ran that is that aggressive of a program that would have caused that??

    So I am at a loss there.

    There is one other program that I would like to run, but I wish to consult a higher power before running it. If OK'ed and that does not work, I will ask someone to take over this. This someone "knows just about everything :D".

    If this is OK with you, let me know.
    I will contact a higher power about the tool I would like to run.

    Geri
     
  7. 2007/03/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi Master Green

    The Higher power :D told me to have you run these two programs first.

    Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
    • Save it to the desktop.
    • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
    • You will receive a prompt:
      • Do you want to skip supplementary searches?
        click NO
    • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
    • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
    • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
    *NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

    Then download ComboScan to your desktop.

    Close all applications and windows.
    • Double-click on comboscan.exe to run it, and follow the prompts.
    • When the scan is complete, a text file will open - ComboScan.txt
    • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread back into this thread for me to view.
    A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
    Please attach Supplementary.txt to your post.

    Note: Some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

    These logs will be long so you may need more than one post.

    Thanks
    Geri
     
  8. 2007/03/13
    Master Green

    Master Green Inactive Thread Starter

    Hi,
    Okay, I will run the following as well and post back:

    (1) Autoruns
    (2) Process Explorer

    Before I do so later, I will check back here for any additional information or advice but first want to make sure that ComboScan and ComboFix are not the same? My reason for asking is, it's posted here at this forum about a possible rootkit infection in the Combofix? And if I run the ComboScan will I need to run the ComboFix afterwards or is that dependent on what it finds ???
     
  9. 2007/03/13
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    ComboScan and ComboFix are two entirely different programs. ComboFix automatically removes a specific set of files, folders and registry keys and provides information about specific areas of concern. ComboScan gives a report on a very similar set of information points, but does not remove anything.

    ComboFix has been 'fixed' to eliminate the rootkit problem, but still has a bug or two in it, so we are erring on the side of caution.

    You can proceed with Geri's instructions.
     
  10. 2007/03/13
    Master Green

    Master Green Inactive Thread Starter

    Okay, thanks...The team work in this forum is very impressive and have always enjoyed the association we created with this particular posting and the many I have posted in the past...Will post back in a little while with the info Geri has requested...
     
  11. 2007/03/13
    Master Green

    Master Green Inactive Thread Starter

    "Silent Runners.vbs ", revision R50, http://www.silentrunners.org/
    Operating System: Windows XP
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "MSMSGS" = " "C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" [ "Intel Corporation"]
    "HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" [ "Intel Corporation"]
    "PCMService" = " "C:\Program Files\Dell\Media Experience\PCMService.exe" " [ "CyberLink Corp."]
    "ConMgr.exe" = " "C:\Program Files\EarthLink 5.0\ConMgr.exe" " [ "EarthLink, Inc."]
    "AVG7_CC" = " "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP" [ "GRISOFT, s.r.o."]
    "!AVG Anti-Spyware" = " "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" [ "Anti-Malware Development a.s."]
    "WinPatrol" = " "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" " [ "BillP Studios"]
    "SunJavaUpdateSched" = " "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" " [ "Sun Microsystems, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "PopThis BHO "
    \InProcServer32\(Default) = "C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll" [ "www.surfapps.com"]
    {2A904E40-731D-4881-83FB-04EFDEE88C3B}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\bhkabhk.dll" [null data]
    {4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection "
    -> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper "
    \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [ "Safer Networking Limited"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" [ "Sun Microsystems, Inc."]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Google Toolbar Helper "
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" [ "Google Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
    -> {HKLM...CLSID} = "Display Panning CPL Extension "
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" [ "Hilgraeve, Inc."]
    "{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess "
    -> {HKLM...CLSID} = "DriveLetterAccess "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" [ "Sonic Solutions"]
    "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
    -> {HKLM...CLSID} = "SpywareGuard.Handler "
    \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" [ "GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension "
    -> {HKLM...CLSID} = "AVG7 Find Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" [ "GRISOFT, s.r.o."]
    "{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page "
    -> {HKLM...CLSID} = "Previous Versions Property Page "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
    "{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions "
    -> {HKLM...CLSID} = "Previous Versions "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
    "{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension "
    -> {HKLM...CLSID} = "Trojan Remover Shell Extension "
    \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [ "Simply Super Software"]
    "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration "
    -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration "
    \InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" [ "Webroot Software, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
    -> {HKLM...CLSID} = "SpywareGuard.Handler "
    \InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
    <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5 "
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [ "Anti-Malware Development a.s."]
    <<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
    -> {HKLM...CLSID} = "SABShellExecuteHook Class "
    \InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [ "SuperAdBlocker.com"]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" [ "SUPERAntiSpyware.com"]
    <<!>> igfxcui\DLLName = "igfxsrvc.dll" [ "Intel Corporation"]
    <<!>> igmzfjhr\DLLName = "bhkabhk.dll" [null data]
    <<!>> WRNotifier\DLLName = "WRLogonNTF.dll" [ "Webroot Software, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920} "
    -> {HKLM...CLSID} = "CContextScan Object "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" [ "Anti-Malware Development a.s."]
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" [ "GRISOFT, s.r.o."]
    Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805} "
    -> {HKLM...CLSID} = "Trojan Remover Shell Extension "
    \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [ "Simply Super Software"]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920} "
    -> {HKLM...CLSID} = "CContextScan Object "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" [ "Anti-Malware Development a.s."]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" [ "GRISOFT, s.r.o."]
    SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B} "
    -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration "
    \InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" [ "Webroot Software, Inc."]
    Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805} "
    -> {HKLM...CLSID} = "Trojan Remover Shell Extension "
    \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [ "Simply Super Software"]

    HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
    SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B} "
    -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration "
    \InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" [ "Webroot Software, Inc."]


    Group Policies {policy setting}:
    --------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "DisableRegistryTools" = (REG_DWORD) hex:0x00000000
    {Prevent access to registry editing tools}

    HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

    "Connwiz Admin Lock" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp "

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp "


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


    Startup items in "Owner" & "All Users" startup folders:
    -------------------------------------------------------

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup
    "SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "EarthLink ToolBar 5.0" -> shortcut to: "C:\Program Files\EarthLink 5.0\etoolbar.exe" [ "EarthLink, Inc."]


    Enabled Scheduled Tasks:
    ------------------------

    "wrSpySweeperTrialSweep" -> launches: "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /ScheduleSweep=wrSpySweeperTrialSweep" [ "Webroot Software, Inc."]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F} "
    -> {HKLM...CLSID} = "&Google "
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" [ "Google Inc."]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
    -> {HKLM...CLSID} = "&Google "
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" [ "Google Inc."]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console "
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} "
    -> {HKCU...CLSID} = "Java Plug-in 1.5.0_11 "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" [ "Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_11 "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" [ "Sun Microsystems, Inc."]

    {91663649-416A-42A5-8E54-B63C1ECA0548}\
    "MenuText" = "PopThis! Options... "
    "CLSIDExtension" = "{91663649-416A-42A5-8E54-B63C1ECA0548} "
    -> {HKLM...CLSID} = "PopThis! Options "
    \InProcServer32\(Default) = "C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll" [ "www.surfapps.com"]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger "
    "MenuText" = "Windows Messenger "
    "Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe" [ "America Online, Inc."]
    AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" [ "Anti-Malware Development a.s."]
    AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" [ "GRISOFT, s.r.o."]
    AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" [ "GRISOFT, s.r.o."]
    AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" [ "GRISOFT, s.r.o."]
    WAN Miniport (ATW) Service, WANMiniportService, " "C:\WINDOWS\wanmpsvc.exe" " [ "America Online, Inc."]
    Webroot Spy Sweeper Engine, WebrootSpySweeperService, " "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" " [ "Webroot Software, Inc."]


    Keyboard Driver Filters:
    ------------------------

    HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
    "UpperFilters" = <<!>> "SSKBFD" [ "Webroot Software Inc (www.webroot.com)"]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    730 Series Port\Driver = "lxcflmpm.DLL" [" "]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 61 seconds.
    ---------- (total run time: 375 seconds)
     
  12. 2007/03/13
    Master Green

    Master Green Inactive Thread Starter

    ComboScan v20070306.20 run by Owner on 2007-03-13 at 16:06:31
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    System Restore is disabled; attempting to re-enable...success.


    -- Last 1 Restore Point(s) --
    1: 2007-03-13 21:06:35 UTC - RP1 - System Checkpoint


    Performed disk cleanup.


    -- HijackThis (run as Owner.exe) -----------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 4:06:47 PM, on 3/13/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\EarthLink 5.0\etoolbar.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Documents and Settings\Owner\Desktop\comboscan.exe
    C:\PROGRA~1\Killer.exe\Owner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe "
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108584393156
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: igmzfjhr - C:\WINDOWS\SYSTEM32\bhkabhk.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


    -- HijackThis Fixed Entries (C:\PROGRA~1\Killer.exe\backups\) ------------------

    backup-20070312-055408-253 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
    backup-20070312-055408-273 O20 - Winlogon Notify: igmzfjhr - C:\WINDOWS\SYSTEM32\bhkabhk.dll
    backup-20070312-055408-406 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
    backup-20070312-055408-605 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
    backup-20070312-055408-857 O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA9669A-37D8-4C9E-B3CF-D6DFBC83A48A}: NameServer = 85.255.114.107,85.255.112.133
    backup-20070312-055408-889 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.133
    backup-20070312-055408-902 O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll
    backup-20070312-060113-416 O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll
    backup-20070312-060113-834 O20 - Winlogon Notify: igmzfjhr - C:\WINDOWS\SYSTEM32\bhkabhk.dll
    backup-20070312-101739-280 O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll
    backup-20070312-101739-882 O20 - Winlogon Notify: igmzfjhr - C:\WINDOWS\SYSTEM32\bhkabhk.dll
    backup-20070312-202413-200 O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll
    backup-20070312-202414-972 O20 - Winlogon Notify: igmzfjhr - C:\WINDOWS\SYSTEM32\bhkabhk.dll

    -- File Associations -----------------------------------------------------------

    .bat - batfile - "%1" %*
    .chm - chm.file - "C:\WINDOWS\hh.exe" %1
    .cmd - cmdfile - "%1" %*
    .com - comfile - "%1" %*
    .exe - exefile - "%1" %*
    .hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
    .inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
    .ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
    .js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
    .lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
    .pif - piffile - "%1" %*
    .reg - regfile - regedit.exe "%1 "
    .scr - scrfile - "%1" /S
    .txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
    .vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    3R aeaudio - C:\WINDOWS\system32\drivers\aeaudio.sys
    1R AVG Anti-Spyware Driver - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
    1R Avg7Core (AVG7 Kernel) - C:\WINDOWS\system32\drivers\avg7core.sys
    1R Avg7RsW (AVG7 Wrap Driver) - C:\WINDOWS\system32\drivers\avg7rsw.sys
    1R Avg7RsXP (AVG7 Resident Driver XP) - C:\WINDOWS\system32\drivers\avg7rsxp.sys
    1R AvgAsCln (AVG Anti-Spyware Clean Driver) - C:\WINDOWS\system32\drivers\AvgAsCln.sys
    1R AvgClean (AVG7 Clean Driver) - C:\WINDOWS\system32\drivers\avgclean.sys
    2R AvgTdi (AVG Network Redirector) - C:\WINDOWS\system32\drivers\avgtdi.sys
    3R bcm4sbxp (Broadcom 440x 10/100 Integrated Controller XP Driver) - C:\WINDOWS\system32\drivers\bcm4sbxp.sys
    0R drvmcdb - C:\WINDOWS\system32\drivers\drvmcdb.sys
    2R drvnddm - C:\WINDOWS\system32\drivers\drvnddm.sys
    3R ialm - C:\WINDOWS\system32\drivers\ialmnt5.sys
    3R IntelC51 - C:\WINDOWS\system32\drivers\IntelC51.sys
    3R IntelC52 - C:\WINDOWS\system32\drivers\IntelC52.sys
    3R IntelC53 - C:\WINDOWS\system32\drivers\IntelC53.sys
    3R MODEMCSA (Unimodem Streaming Filter Device) - C:\WINDOWS\system32\drivers\MODEMCSA.sys
    3R mohfilt - C:\WINDOWS\system32\drivers\mohfilt.sys
    1R OMCI - C:\WINDOWS\system32\drivers\omci.sys
    1R SASDIFSV - C:\Program Files\SUPERAntiSpyware\sasdifsv.sys
    3S SASENUM - C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
    1R SASKUTIL - C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    3R smwdm - C:\WINDOWS\system32\drivers\smwdm.sys
    1R sscdbhk5 - C:\WINDOWS\system32\drivers\sscdbhk5.sys
    0R SSFS0509 (Spy Sweeper File System Filer Driver: 0509) - C:\WINDOWS\system32\drivers\SSFS0509.sys
    0R SSHRMD (Spy Sweeper Hookrack MiniDriver) - C:\WINDOWS\system32\drivers\sshrmd.sys
    0R SSIDRV (Spy Sweeper Interdiction Driver) - C:\WINDOWS\system32\drivers\ssidrv.sys
    3R SSKBFD (Webroot Spy Sweeper Keylogger Shield Keyboard Filter) - C:\WINDOWS\system32\drivers\sskbfd.sys
    1R ssrtln - C:\WINDOWS\system32\drivers\ssrtln.sys
    2R tfsnboio - C:\WINDOWS\system32\dla\tfsnboio.sys
    2R tfsncofs - C:\WINDOWS\system32\dla\tfsncofs.sys
    2R tfsndrct - C:\WINDOWS\system32\dla\tfsndrct.sys
    2R tfsndres - C:\WINDOWS\system32\dla\tfsndres.sys
    2R tfsnifs - C:\WINDOWS\system32\dla\tfsnifs.sys
    2R tfsnopio - C:\WINDOWS\system32\dla\tfsnopio.sys
    2R tfsnpool - C:\WINDOWS\system32\dla\tfsnpool.sys
    2R tfsnudf - C:\WINDOWS\system32\dla\tfsnudf.sys
    2R tfsnudfa - C:\WINDOWS\system32\dla\tfsnudfa.sys
    3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
    3S usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys
    3R wanatw (WAN Miniport (ATW)) - C:\WINDOWS\system32\drivers\wanatw4.sys
    0R yaarnvjg (Microsoft RPC API Helper) - C:\WINDOWS\System32\drivers\hqisceim.sys (not found)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    2R AOL ACS (AOL Connectivity Service) - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    2R AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    2R Avg7Alrt (AVG7 Alert Manager Server) - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    2R Avg7UpdSvc (AVG7 Update Service) - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    2R AVGEMS (AVG E-mail Scanner) - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    3S gusvc (Google Updater Service) - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe "
    3S lxcf_device - C:\WINDOWS\System32\lxcfcoms.exe -service
    4S Sound Service (Sound Sservice Driver ) -
    2R WANMiniportService (WAN Miniport (ATW) Service) - "C:\WINDOWS\wanmpsvc.exe "
    2R WebrootSpySweeperService (Webroot Spy Sweeper Engine) - "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe "


    -- Scheduled Tasks -------------------------------------------------------------

    2007-03-09 20:52:35 1378 --a------ C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job<WRSPYS~1.JOB>


    -- Files created between 2007-02-13 and 2007-03-13 -----------------------------

    2007-03-11 20:46:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
    2007-03-11 20:45:30 0 d-------- C:\Program Files\Killer.exe
    2007-03-11 20:15:02 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
    2007-03-11 20:15:01 0 d-------- C:\Program Files\Google
    2007-03-11 20:14:10 0 d-------- C:\Program Files\Java
    2007-03-11 20:12:25 0 d-------- C:\Program Files\Common Files\Java
    2007-03-11 00:37:16 0 d-------- C:\fixwareout<FIXWAR~1>
    2007-03-11 00:06:16 0 d-------- C:\SDFix
    2007-03-09 21:28:16 0 --a------ C:\WINDOWS\System32\CMMGR32.EXE
    2007-03-09 21:20:56 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
    2007-03-09 21:20:47 0 d-------- C:\Program Files\SUPERAntiSpyware<SUPERA~1>
    2007-03-09 21:20:47 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com<SUPERA~1.COM>
    2007-03-09 21:20:32 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
    2007-03-09 20:52:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
    2007-03-09 20:52:35 144960 --a------ C:\WINDOWS\System32\drivers\ssidrv.sys
    2007-03-09 20:52:35 20544 --a------ C:\WINDOWS\System32\drivers\SSFS0509.sys
    2007-03-09 20:52:34 22080 --a------ C:\WINDOWS\System32\drivers\sshrmd.sys
    2007-03-09 20:52:26 0 d-------- C:\Program Files\Webroot
    2007-03-09 20:52:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
    2007-03-09 20:51:43 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
    2007-03-09 20:37:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Simply Super Software<SIMPLY~1>
    2007-03-08 22:42:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2007-03-08 19:55:00 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2007-03-08 19:51:46 153088 --a------ C:\WINDOWS\System32\UNRAR3.dll
    2007-03-08 19:51:46 75264 --a------ C:\WINDOWS\System32\unacev2.dll
    2007-03-08 19:51:45 0 d-------- C:\Program Files\Trojan Remover<TROJAN~1>
    2007-03-08 19:51:45 0 d-------- C:\Documents and Settings\Owner\Application Data\Simply Super Software<SIMPLY~1>
    2007-03-08 16:08:23 1378 --a------ C:\WINDOWS\System32\tmp.reg
    2007-03-08 16:04:08 24576 --a------ C:\WINDOWS\System32\VundoFixSVC.exe<VUNDOF~1.EXE>
    2007-03-08 15:53:16 0 d-------- C:\VundoFix Backups<VUNDOF~1>
    2007-03-06 22:08:19 0 d-------- C:\Program Files\BHODemon 2<BHODEM~1>
    2007-03-06 22:00:04 0 d-------- C:\Documents and Settings\Owner\Application Data\WinPatrol<WINPAT~1>
    2007-03-06 21:59:53 0 d-------- C:\Program Files\BillP Studios<BILLPS~1>
    2007-03-05 22:35:28 3968 --a------ C:\WINDOWS\System32\drivers\AvgAsCln.sys
    2007-03-05 20:22:08 1189069 ---hs---- C:\WINDOWS\System32\uttss.bak2<UTTSS~1.BAK>
    2007-03-05 20:07:31 0 d-------- C:\!KillBox
    2007-02-28 20:44:51 911 ---hs---- C:\WINDOWS\System32\uttss.ini2<UTTSS~1.INI>
    2007-02-22 12:50:00 21056 --a------ C:\WINDOWS\System32\drivers\sskbfd.sys
    2007-02-22 12:48:47 164 --a------ C:\install.dat
    2007-02-21 11:40:55 19392 --a------ C:\WINDOWS\System32\drivers\avgmfx86.sys
    2007-02-21 11:40:55 3968 --a------ C:\WINDOWS\System32\drivers\avgclean.sys
    2007-02-21 11:40:55 27776 --a------ C:\WINDOWS\System32\drivers\avg7rsxp.sys
    2007-02-18 09:15:14 0 d-------- C:\Program Files\Common Files\{1CF6E176-0958-1033-1202-030512200001}<{1CF6E~1>
    2007-02-15 23:51:01 0 --a------ C:\slbvi.exe
    2007-02-15 23:50:43 0 --a------ C:\mjhiq.exe
    2007-02-15 23:50:26 0 --a------ C:\enmmwl.exe
    2007-02-15 23:50:08 0 --a------ C:\lorh.exe
    2007-02-15 23:49:48 0 --a------ C:\pyrw.exe
    2007-02-15 23:49:31 0 --a------ C:\itacaan.exe
    2007-02-15 23:49:13 0 --a------ C:\sdfionr.exe
    2007-02-15 23:48:55 0 --a------ C:\utcddpi.exe
    2007-02-15 23:47:08 80 --a-s---- C:\WINDOWS\abc1.bat


    -- Find3M Report ---------------------------------------------------------------

    2007-03-08 21:38:06 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2007-03-08 19:43:08 0 d-------- C:\Program Files\Lx_cats
    2007-03-05 22:35:14 0 d-------- C:\Program Files\Grisoft
    2007-03-05 21:26:53 76800 --a------ C:\WINDOWS\System32\bhkabhk.dll
    2007-02-27 15:01:16 0 d-------- C:\Program Files\Sonic
    2007-02-21 14:04:06 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
    2007-02-21 14:02:05 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
    2007-02-21 11:39:57 0 d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft<MICROS~1>
    2007-02-18 09:17:37 0 d-------- C:\Program Files\EarthLink 5.0<EARTHL~1.0>
    2007-02-10 01:54:41 91136 --a------ C:\WINDOWS\System32\awougykg.exe
    2007-02-10 01:54:14 16384 --a------ C:\WINDOWS\System32\sxqcpaaa.exe
    2007-02-10 01:54:14 10240 --a------ C:\WINDOWS\System32\mmsctl32.dll
    2007-02-10 01:53:23 93696 --a------ C:\WINDOWS\System32\mexvgaaa.exe
    2007-02-07 17:49:35 3800 --a------ C:\Documents and Settings\Owner\Application Data\wklnhst.dat


    -- Registry Dump ---------------------------------------------------------------


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IgfxTray "= "C:\\WINDOWS\\System32\\igfxtray.exe "
    "HotKeysCmds "= "C:\\WINDOWS\\System32\\hkcmd.exe "
    "PCMService "= "\ "C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\" "
    "ConMgr.exe "= "\ "C:\\Program Files\\EarthLink 5.0\\ConMgr.exe\" "
    "AVG7_CC "= "\ "C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe\" /STARTUP "
    "!AVG Anti-Spyware "= "\ "C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized "
    "WinPatrol "= "\ "C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe\" "
    "SunJavaUpdateSched "= "\ "C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\" "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^BHODemon 2.0.lnk]
    "path "= "C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\BHODemon 2.0.lnk "
    "backup "= "C:\\WINDOWS\\pss\\BHODemon 2.0.lnkStartup "
    "location "= "Startup "
    "command "= "C:\\PROGRA~1\\BHODEM~1\\BHODemon.exe "
    "item "= "BHODemon 2.0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "bargains "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\BullsEye Network\\bin\\bargains.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Compaq Service Drivrs]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "copq "
    "hkey "= "HKCU "
    "command "= "copq.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Compd Service Drivrs]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "codq "
    "hkey "= "HKLM "
    "command "= "codq.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "tfswctrl "
    "hkey "= "HKLM "
    "command "= "C:\\WINDOWS\\system32\\dla\\tfswctrl.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "optimize "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\Internet Optimizer\\optimize.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "istsvc "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\ISTsvc\\istsvc.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ITUNES]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "itunes "
    "hkey "= "HKLM "
    "command "= "itunes.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCFCATS]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "LXCFtime "
    "hkey "= "HKLM "
    "command "= "rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCFtime.dll,_RunDLLEntry@16 "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "MediaAccK "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Media Access\\MediaAccK.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "mnyexpr "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "MSMSGS "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "powerscan "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Power Scan\\powerscan.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rapunib]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "rapunib "
    "hkey "= "HKLM "
    "command "= "C:\\WINDOWS\\rapunib.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "salm "
    "hkey "= "HKLM "
    "command "= "c:\\temp\\salm.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Drivers]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "msnpg "
    "hkey "= "HKLM "
    "command "= "msnpg.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SKhfwYD]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "mrsrmxsd "
    "hkey "= "HKLM "
    "command "= "C:\\WINDOWS\\mrsrmxsd.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "SpySweeperUI "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe /startintray "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "SUPERAntiSpyware "
    "hkey "= "HKCU "
    "command "= "C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System service62]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "pokapoka62 "
    "hkey "= "HKLM "
    "command "= "C:\\WINDOWS\\etb\\pokapoka62.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System service66]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "pokapoka66 "
    "hkey "= "HKLM "
    "command "= "C:\\WINDOWS\\etb\\pokapoka66.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "TBPS "
    "hkey "= "HKLM "
    "command "= "C:\\PROGRA~1\\Toolbar\\TBPS.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "Trjscan "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\Trojan Remover\\Trjscan.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "WToolsA "
    "hkey "= "HKLM "
    "command "= "C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe "
    "inimapping "= "0 "


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{81559C35-8464-49F7-BB0E-07A383BEF910} "=" "
    "{8C32931D-9CBC-4126-83BA-55EAAA25B255} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "AVG Anti-Spyware 7.5 "
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "=" "

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE "

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "AVG7_Run "= "C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=dword:00000000

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igmzfjhr

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Sound Service
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0



    -- End of ComboScan: finished at 2007-03-13 at 16:07:16 ------------------------
     
  13. 2007/03/13
    Master Green

    ComboScan v20070306.20 run by Owner on 2007-03-13 at 16:06:31
    Supplementary logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Home Edition (build 2600) SP 1.0
    Architecture: X86; Language: English

    CPU 0: Intel(R) Celeron(R) CPU 2.40GHz
    Percentage of Memory in Use: 49%
    Physical Memory (total/avail): 510 MiB / 259.02 MiB
    Pagefile Memory (total/avail): 862.74 MiB / 609.98 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 2006.36 MiB

    C: is Fixed (NTFS) - 33.7 GiB total, 28.68 GiB free.
    D: is CDROM (No Media)
    E: is CDROM (No Media)


    -- Security Center -------------------------------------------------------------

    AUOptions is set to notify before install.
    Windows Internal Firewall is enabled.


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Owner\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=DELL-BNJ05N7H86
    ComSpec=C:\WINDOWS\system32\cmd.exe
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Owner
    LOGONSERVER=\\DELL-BNJ05N7H86
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0209
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
    USERDOMAIN=DELL-BNJ05N7H86
    USERNAME=Owner
    USERPROFILE=C:\Documents and Settings\Owner
    windir=C:\WINDOWS


    -- User Profiles ---------------------------------------------------------------

    Owner (admin)
    Administrator (admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
    Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
    AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
    AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
    BHODemon 2.0.0.23 --> "C:\Program Files\BHODemon 2\unins000.exe "
    Broadcom 440x 10/100 Integrated Controller --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033
    Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
    Dell Media Experience --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstall
    Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
    EarthLink 5.0 --> C:\Program Files\EarthLink 5.0\EUNINSTALL.EXE /UC:\Program Files\EarthLink 5.0\SETUP.CFG
    Earthlink Instant Messenger --> C:\WINDOWS\aim95\ElnIM.exe /s -LOG= c:\program files\earthlinkim\install.log -OEM=Earthlink Instant Messenger
    Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll "
    Hijackthis 1.99.1 --> "C:\Program Files\Killer.exe\unins000.exe "
    HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
    Intel(R) 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel(R) 537EP V9x DF PCI Modem "
    Intel(R) Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
    J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
    Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
    Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
    Lexmark 730 Series --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxcfUNST.EXE -NOLICENSE
    LQfix 1.0 --> "C:\WINDOWS\LQfix\unins000.exe "
    Microsoft Encarta Encyclopedia Standard 2004 --> MsiExec.exe /I{04410044-9149-45C6-A806-F2BF9CFCE762}
    Microsoft Money 2004 --> MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
    Microsoft Money 2004 System Pack --> MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
    Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
    Mozilla Firefox (1.0PR) --> C:\WINDOWS\UninstallFirefox.exe /ua "1.0PR (en-US) "
    Panda ActiveScan --> C:\WINDOWS\System32\ASUninst.exe Panda ActiveScan
    PopThis! Free Version --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9B855BA8-B521-46EB-A1D3-4B17662C717F}\Setup.exe" -l0x9
    Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
    Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
    SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
    Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe "
    Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins002.exe "
    SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins002.exe "
    SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe "
    SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
    Trojan Remover 6.5.8 --> "C:\Program Files\Trojan Remover\unins000.exe "
    WinPatrol 2007 Restore/Remove First --> C:\Program Files\BillP Studios\WinPatrol\WinPatrolEx.exe -remove
    WinPatrol 2007 Step 2 --> MsiExec.exe /X{736CE9DD-F589-485B-ACFF-78C235A57066}


    -- End of ComboScan: finished at 2007-03-13 at 16:07:16 ------------------------
     
  14. 2007/03/13
    Master Green

    Master Green Inactive Thread Starter

    Hi,
    I had some difficulty copying and pasting the Autorun list, so until you request it I will hold off on those results (along with Process Explorer that I have not done yet)...It kept advising to shorten it, it was too lengthy.

    Note: Since I found and deleted from Current Version, "d" - "mbjsc" - and "dmkch.exe" I have not seen the AVG threat detection on "bhkabhk.dll" pop up today a million times like it has been doing...
     
  15. 2007/03/13
    Master Green

    Master Green Inactive Thread Starter

    Hi,
    While I await word, I took a peek at the silent runners list and much to my amazement noticed the pop-up blocker "PopThis" having the same BHO & CLSID related to the trojan and file/path of C:\WINDOWS\system32\bhkabhk.dll 2A904E40-731D-4881-83FB-04EFDEE88C3B...I copied and pasted it below for your extra viewing:

    InProcServer32\(Default) = "C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll" [ "www.surfapps.com"]
    {2A904E40-731D-4881-83FB-04EFDEE88C3B}\(Default) = (no title provided)
     
  16. 2007/03/13
    Master Green

    Master Green Inactive Thread Starter

    Hi,
    I uninstalled PopThis (PopUp Blocker) after the threat detection started appearing again...It made no difference...Just wanted to keep you posted...
     
  17. 2007/03/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Blender may be stopping in here. Please do as she asks, she is very good at this, and I always welcome the help.
    Geri
     
  18. 2007/03/14
    Master Green

    Master Green Inactive Thread Starter

    Hi Geri,
    Never a problem here, will be glad to welcome her...Help is always appreciated because when I post a problem it's usually above and beyond the call of duty...Thank you.
     
  19. 2007/03/14
    Master Green

    Master Green Inactive Thread Starter

    Hi,
    While I am awaiting Blender's arrival, I tried another method to rid this computer of that trojan by going into command window and typing (1) cd \windows\system32 and then, (2) del bhkabhk.dll...It said access denied.
     
  20. 2007/03/14
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi there :)

    You sure picked up a nasty cluster of junk didn't you!

    Looks like there is a service involved with this dll you are having trouble removing. Might be why you had the hardware profile thing come up. The nasty service is a boot-level loader.

    From your combofix log:

    0R yaarnvjg (Microsoft RPC API Helper) - C:\WINDOWS\System32\drivers\hqisceim.sys (not found)

    0 means boot load, R means running. (not found) is the trojan hiding it.


    Have your system show hidden files/folders:

    * Click Start.
    * Open My Computer.
    * Select Tools menu.
    * Click Folder Options.
    * Select the View Tab.
    * Select Show hidden files and folders in the Hidden files and folders section.
    * Uncheck Hide protected operating system files (recommended) option.
    * Uncheck the Hide file extensions for known file types option.
    * Click Yes.
    * Click OK.


    Find and delete these files using Windows Explorer.
    Let me know if you have problems deleting any.

    C:\WINDOWS\System32\uttss.bak2
    C:\WINDOWS\System32\uttss.ini2
    C:\WINDOWS\System32\awougykg.exe
    C:\WINDOWS\System32\sxqcpaaa.exe
    C:\WINDOWS\System32\mmsctl32.dll
    C:\WINDOWS\System32\mexvgaaa.exe
    C:\slbvi.exe
    C:\mjhiq.exe
    C:\enmmwl.exe
    C:\lorh.exe
    C:\pyrw.exe
    C:\itacaan.exe
    C:\sdfionr.exe
    C:\utcddpi.exe
    C:\WINDOWS\abc1.bat <-- unless you know what this is

    Empty recycle bin.

    Next:


    Try this please:

    Delete the VundoFix you have now and grab the new one:

    http://www.atribune.org/ccount/click.php?id=4

    Don't do anything with it yet.

    Click start> run> type cmd.exe and hit enter.
    Type the following commands exactly as you see em and hit enter after each one:

    sc config yaarnvjg start= disabled

    You should get a success message.

    Exit the cmd window.

    Fire up VundoFix and press "scan for vundo"
    If files show up look for C:\WINDOWS\SYSTEM32\bhkabhk.dll in the list.

    If NOT present, right click in the list window and press "Add more files?"
    New window pops up.

    On first line type this:

    C:\WINDOWS\SYSTEM32\bhkabhk.dll

    Press "add file(s)" button then the "close window" button.

    Takes you back to the list window.

    Press "remove vundo" button.

    * You will receive a prompt asking if you want to remove the files,
    click *YES*
    * Once you click yes, your desktop will go blank as it starts
    removing Vundo.
    * When completed, it will prompt that it will reboot your computer,
    click *OK*.

    Your computer will restart. Slower reboot is normal.

    Please post:

    New Hijackthis log.
    C:\Vundofix.txt

    Please also post a fresh autoruns scan but do it this way please:

    Start autoruns.exe
    Let the scan finish
    click the "options" menu and check:

    "hide microsoft entries"
    "verify signatures"

    Click the "file" menu & hit "refresh"

    Wait for scan to finish.

    Press the "floppy" icon> save log.

    Post the log.

    It may take a few posts to get all 3 logs in.

    There will be more work to do because there is stuff from your comboscan log that needs to be dealt with and cleanup to remove remains of vundo.

    I may need more logs in a bit but that should be good for now.

    Can you also upload some files for me?

    Zip up the following folder:

    C:\Vundofix backups

    Zip up this file:

    C:\WINDOWS\System32\drivers\hqisceim.sys

    Upload both to here:

    http://www.thespykiller.co.uk/forum/index.php?board=1.0

    Start yourself a new topic
    Put in topic title "Request by Blender"
    Put in body of message the link to our thread here.
    Then press the browse button and then navigate to & select the zip files.
    press Post to upload the files

    It is normal you will not see the file you just posted cus only approved members can see em to download them.

    Let me know here when you have posted.

    Thanks! :)
     
  21. 2007/03/14
    Master Green

    Master Green Inactive Thread Starter

    Logfile of HijackThis v1.99.1
    Scan saved at 10:19:59 PM, on 3/14/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\EarthLink 5.0\etoolbar.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Killer.exe\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll (file missing)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe "
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108584393156
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: igmzfjhr - bhkabhk.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
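
Blender's reading of the `0R ... (not found)` service line and the `(file missing)` entries in the HijackThis log above can be checked mechanically by grouping every load point whose target file is reported absent. This Python is an added example, not part of the thread or of any tool named in it; the regular expressions, the function names and the start-type table beyond `0` (standard Windows service Start values) are assumptions built from the lines quoted here.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: lines copied from the logs quoted in this thread.
SAMPLE = r"""
0R yaarnvjg (Microsoft RPC API Helper) - C:\WINDOWS\System32\drivers\hqisceim.sys (not found)
O2 - BHO: (no name) - {2A904E40-731D-4881-83FB-04EFDEE88C3B} - C:\WINDOWS\system32\bhkabhk.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: igmzfjhr - bhkabhk.dll (file missing)
"""

# Windows service Start values; the thread itself only explains 0 (boot).
START = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
SERVICE = re.compile(
    r"^(?P<start>[0-4])(?P<state>[A-Z]) (?P<name>\S+) \((?P<display>.*?)\) - "
    r"(?P<path>.+?)(?P<missing> \(not found\))?$")
# Only O2 (BHO), O20 (Winlogon Notify) and O23 (service) lines are handled.
HJT = re.compile(
    r"^(?P<section>O2|O20|O23) - [^:]+: (?P<label>.*?) - "
    r"(?P<path>[A-Za-z]:\\.*?|[^\\ ]+?)(?P<missing> \(file missing\))?$")

def parse(line):
    """Return a dict for a service line or an O2/O20/O23 line, else None."""
    line = line.strip()
    m = SERVICE.match(line)
    if m:
        return {"source": "service:" + m["name"], "path": m["path"],
                "missing": bool(m["missing"]),
                "start": START[m["start"]], "running": m["state"] == "R"}
    m = HJT.match(line)
    if m:
        return {"source": m["section"] + ":" + m["label"], "path": m["path"],
                "missing": bool(m["missing"])}
    return None

def triage(text):
    """Group load points whose target is reported missing, keyed by file name."""
    hits = defaultdict(list)
    for entry in filter(None, map(parse, text.splitlines())):
        if entry["missing"]:
            hits[ntpath.basename(entry["path"]).lower()].append(entry)
    return dict(hits)

def hidden_running_drivers(text):
    """Services marked running (R) although their image file is not found."""
    return [e["source"] for e in filter(None, map(parse, text.splitlines()))
            if e.get("running") and e["missing"]]
```

On the sample, `bhkabhk.dll` is referenced from both the BHO key and the Winlogon Notify key, and `yaarnvjg` is the one service that is running while its file cannot be seen.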
     