MalwareCrypt
Author Topic: Disabled : compmgmt.msc, taskmanager, folder option, regedit  (Read 3129 times)
xrafza
« on: August 14, 2010, 01:36:18 AM »

I suspect a virus or malware etc. has infected my computer. All the items above were disabled.

When I attempt to "run" a *.msc file, it pops up a Notepad file with weird characters. The HijackThis log also shows "svchost.com", which I don't think is a genuine Windows file.

Kindly assist with steps to resolve the problem.
The HJT log is below:

Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Acer\LOCALS~1\Temp\svchost.com
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\DiGi Internet\DiGi Internet.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\fdisk.com
F3 - REG:win.ini: load=C:\DOCUME~1\Acer\LOCALS~1\Temp\svchost.com
F3 - REG:win.ini: run=C:\DOCUME~1\Acer\LOCALS~1\Temp\svchost.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\fdisk.com
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [HotKey] C:\Documents and Settings\Acer\Templates\cache\SFCsrvc.pif
O4 - HKLM\..\Run: [User Agent] C:\WINDOWS\system32\fdisk.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [HotKey] C:\Documents and Settings\Acer\Templates\cache\SFCsrvc.pif
O4 - HKCU\..\Run: [User Agent] C:\DOCUME~1\Acer\LOCALS~1\Temp\svchost.com
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe -update activex
O4 - Startup: sndvol32.exe
O4 - Global Startup: Lotus QuickStart.lnk = ?
O4 - Global Startup: sndvol32.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {C2AD5B59-154E-4090-91F5-19FC1410E8EE} (Downloader Control) - http://www.koreatimes.co.kr/www/TTS/App/Downloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://workforce.petronas.com.my/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{691DF7F8-0F82-4F4F-893B-DA5818E903D6}: NameServer = 210.48.195.134 210.48.195.133
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O24 - Desktop Component 0: (no name) - http://lb2f.lilypie.com/dcUbm7.png

--
End of file - 7378 bytes
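As an added example (not code from HijackThis, RSIT or anyone in this thread), the Python script below reads the F2/F3, O4 and O7 lines of a HijackThis log like the one above and flags the persistence entries the helper's reply calls malware: programs chained onto Shell= and UserInit=, the win.ini load=/run= entries, autostarts that run from a Temp or cache folder or reuse a system-utility name with a .com/.pif extension, and the DisableRegedit policy. The "clean XP defaults" and the lookalike-name list are assumptions of the example, and the sample log is a copy of lines from the posted HJT log.

```python
"""HijackThis (HJT) log triage: flags the persistence entries this thread's
helper points at (Shell=/UserInit= chaining, win.ini load=/run=, autostarts
from Temp/cache folders or with lookalike .com/.pif names, DisableRegedit-
style policies). Added example, not code from HijackThis or any tool here.
"""
import re

# Clean Windows XP defaults (assumption: default install on drive C:).
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# System-utility names the malware in this thread reuses; a copy outside the
# Windows folder, or one with a non-.exe extension, deserves a look.
LOOKALIKE_NAMES = {"svchost", "lsass", "csrss", "userinit", "explorer",
                   "fdisk", "sndvol32", "sfcsrvc"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
F3_RE = re.compile(r"^F3 - REG:win\.ini: (load|run)=(.*)$")
O4_RE = re.compile(r"^O4 - (.+?): (?:\[(.+?)\] )?(.*)$")
O7_RE = re.compile(r"^O7 - (.+?), (\w+)=(\S+)$")
# First executable-looking token of a Run value (quoted or not), before args.
PATH_RE = re.compile(r'^"?(.*?\.(?:exe|com|pif|scr|bat|cmd|lnk))\b', re.I)

def _path_reasons(path):
    """Heuristics for one autostart path; returns a list of reason strings."""
    low = path.lower()
    reasons = []
    if "\\temp\\" in low or "\\cache\\" in low:
        reasons.append("autostart lives in a Temp or cache folder")
    name = low.rsplit("\\", 1)[-1]
    stem, _, ext = name.rpartition(".")
    if stem in LOOKALIKE_NAMES:
        if ext != "exe":
            reasons.append(f"system-utility name '{name}' with .{ext} extension")
        elif "\\windows\\" not in low:
            reasons.append(f"'{name}' does not run from the Windows folder")
    return reasons

def triage(log_text):
    """Return a list of {'kind', 'line', 'reason'} findings for an HJT log."""
    findings = []

    def flag(kind, line, reason):
        findings.append({"kind": kind, "line": line, "reason": reason})

    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "Shell":
                # Default is a bare "explorer.exe"; anything after it is chained.
                tokens = value.split()
                extras = tokens[1:] if tokens and tokens[0].lower() == EXPECTED_SHELL else tokens
            else:
                # Default is "userinit.exe," with nothing after the comma.
                entries = [e.strip() for e in value.split(",") if e.strip()]
                extras = [e for e in entries if e.lower() != EXPECTED_USERINIT]
            if extras:
                flag(key.lower(), line, f"{key}= chains extra program(s): " + ", ".join(extras))
            continue
        m = F3_RE.match(line)
        if m and m.group(2).strip():
            # win.ini load=/run= are legacy autostarts, rarely legitimate today.
            flag("winini", line, f"win.ini {m.group(1)}= autostart: {m.group(2).strip()}")
            continue
        m = O4_RE.match(line)
        if m:
            location, name, value = m.groups()
            pm = PATH_RE.match(value)
            reasons = _path_reasons(pm.group(1)) if pm else []
            if reasons:
                label = f" [{name}]" if name else ""
                flag("autostart", line, f"{location}{label}: " + "; ".join(reasons))
            continue
        m = O7_RE.match(line)
        if m and m.group(3) != "0":
            flag("policy", line, f"restrictive policy {m.group(2)}={m.group(3)} under {m.group(1)}")
    return findings

# Lines copied from the HJT log posted at the top of this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\fdisk.com
F3 - REG:win.ini: load=C:\DOCUME~1\Acer\LOCALS~1\Temp\svchost.com
F3 - REG:win.ini: run=C:\DOCUME~1\Acer\LOCALS~1\Temp\svchost.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\fdisk.com
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [HotKey] C:\Documents and Settings\Acer\Templates\cache\SFCsrvc.pif
O4 - HKLM\..\Run: [User Agent] C:\WINDOWS\system32\fdisk.com
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [User Agent] C:\DOCUME~1\Acer\LOCALS~1\Temp\svchost.com
O4 - Startup: sndvol32.exe
O4 - Global Startup: Lotus QuickStart.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['reason']}\n    {f['line']}")
```

The AVG tray, Messenger and Lotus entries come through clean, which is the point: the script narrows a long O4 list down to the handful of entries worth a second look, not to a verdict.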
Jintan
Administrator
« Reply #1 on: August 14, 2010, 04:06:32 PM »

Welcome to Malware Crypt xrafza,


Yes, the files you mention are malware, and this log shows the many startup settings it has created there. Let's get a slightly more detailed look, then start some repairs.

This HijackThis log has the very top part of its header missing, so be sure when posting logs that you include the entire log.


Right off, see if you can access Safe Mode, where the malware is less active. At startup tap the F8 key about once per half-second, then select Safe Mode with Networking from the menu that will appear.




To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.


Download RSIT (random's system information tool) from here to your desktop. Then click on RSIT.exe to open the RSIT display, and click the Continue button.

If RSIT downloads/installs HijackThis be sure to agree to the install of that.

Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt.

RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).

You can break logs into parts and use separate posts here when replying and posting the log files, if needed.

--------------

Also click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).  

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

-------------

Also download Gmer's mbr.exe from here and place it on your C drive (so the file is then C:\mbr.exe).

Go to Start - Run, type cmd (and press OK). At the prompt type or copy/paste the following, pressing Enter after each:

cd\
mbr.exe -t


Then type exit and press Enter to close the command window.

The report created in the command window will have been saved to C:\mbr.log. Locate that and post it here please.
xrafza
« Reply #2 on: August 15, 2010, 10:01:54 AM »

xrafza
« Reply #3 on: August 15, 2010, 10:02:39 AM »

Next, the info file:

info.txt logfile of random's system information tool 1.08 2010-08-15 23:52:05

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP CIO Components Installer-->MsiExec.exe /I{F7B0E599-C114-4493-BC4D-D8FC7CBBABBB}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe -maintain activex
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Agere Systems AC'97 Modem-->agrsmdel
Applian FLV Player-->"C:\WINDOWS\Applian FLV Player\uninstall.exe" "/U:C:\Program Files\FLV Player\Uninstall\uninstall.xml"
ArcSoft PhotoStudio 5.5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85309D89-7BE9-4094-BB17-24999C6118FC}\SETUP.EXE" -l0x9
AVG 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Canon MP Navigator 3.0-->"C:\Program Files\Canon\MP Navigator 3.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator 3.0\uninst.ini
Canon MP160-->"C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160 /L0x0009
Canon Utilities Easy-PhotoPrint-->C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
DiGi Internet-->C:\Program Files\DiGi Internet\uninst.exe
Easy-WebPrint-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
Exterminate It!-->C:\Program Files\Exterminate It!\ExterminateIt_Uninst.exe
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HiJackThis-->MsiExec.exe /X{45A66726-69BC-466B-A7A4-12FCBA4883D7}
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB981793)-->"C:\WINDOWS\$NtUninstallKB981793$\spuninst\spuninst.exe"
HP Smart Web Printing-->C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpzscr01.exe -datfile hpqbud15.dat
HP Update-->MsiExec.exe /X{D063F201-FAC4-4D5C-B10B-615058ADE5A7}
Intel(R) Graphics Media Accelerator Driver for Mobile-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Juniper Networks Network Connect 6.0.0-->"C:\Program Files\Juniper Networks\Network Connect 6.0.0\uninstall.exe"
K-Lite Codec Pack 4.1.6 (Full)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Launch Manager-->C:\WINDOWS\UnInst32.exe LManager.UNI
Lotus NotesSQL 2.06 driver-->C:\WINDOWS\IsUninst.exe -fC:\NotesSQL\UnInN206.isu -c"C:\NotesSQL\UninDrv.DLL"
Lotus SmartSuite - English-->MsiExec.exe /I{536D6172-7453-7569-7465-392E36300409}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Mobile Connect-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EAAC5FD-E209-4856-8C49-D4EA40F85032}\setup.exe" -l0x9  -removeonly
Nero 6 Ultra Edition-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
PowerDVD Ultra-->"C:\Program Files\InstallShield Installation Information\{1F0B7A92-C643-4F8F-B35F-2CBAE4FEA4F3}\setup.exe" -l0x000409 /z-uninstall
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\WINDOWS\ie8updates\KB978207-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB981332)-->"C:\WINDOWS\ie8updates\KB981332-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB982381)-->"C:\WINDOWS\ie8updates\KB982381-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB978695)-->"C:\WINDOWS\$NtUninstallKB978695_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB979402)-->"C:\WINDOWS\$NtUninstallKB979402_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2079403)-->"C:\WINDOWS\$NtUninstallKB2079403$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2115168)-->"C:\WINDOWS\$NtUninstallKB2115168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2160329)-->"C:\WINDOWS\$NtUninstallKB2160329$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2229593)-->"C:\WINDOWS\$NtUninstallKB2229593$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2286198)-->"C:\WINDOWS\$NtUninstallKB2286198$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972260)-->"C:\WINDOWS\$NtUninstallKB972260$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975562)-->"C:\WINDOWS\$NtUninstallKB975562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB976325)-->"C:\WINDOWS\$NtUninstallKB976325$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977165-v2)-->"C:\WINDOWS\$NtUninstallKB977165-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977816)-->"C:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978338)-->"C:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978542)-->"C:\WINDOWS\$NtUninstallKB978542$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978601)-->"C:\WINDOWS\$NtUninstallKB978601$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979309)-->"C:\WINDOWS\$NtUninstallKB979309$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979482)-->"C:\WINDOWS\$NtUninstallKB979482$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979559)-->"C:\WINDOWS\$NtUninstallKB979559$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979683)-->"C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980195)-->"C:\WINDOWS\$NtUninstallKB980195$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980218)-->"C:\WINDOWS\$NtUninstallKB980218$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980232)-->"C:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980436)-->"C:\WINDOWS\$NtUninstallKB980436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB982214)-->"C:\WINDOWS\$NtUninstallKB982214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB982665)-->"C:\WINDOWS\$NtUninstallKB982665$\spuninst\spuninst.exe"
Shop for HP Supplies-->C:\Program Files\HP\Digital Imaging\HPSSupply\hpzscr01.exe -datfile hpqbud16.dat
SMSC IrCC V5.1.3600.5 SP2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F1B8DB67-D30E-4FF9-A85F-3CEE51825AA2}\setup.exe" -l0x9 UNINSTALL
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB980182)-->"C:\WINDOWS\ie8updates\KB980182-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Update for Windows XP (KB978207)-->"C:\WINDOWS\$NtUninstallKB978207$\spuninst\spuninst.exe"
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Messenger-->C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: OEM-D45C75B5089
Event Code: 7023
Message: The Shell Network service terminated with the following error:
The specified module could not be found.


Record Number: 16216
Source Name: Service Control Manager
Time Written: 20100720064521.000000-420
Event Type: error
User:

Computer Name: OEM-D45C75B5089
Event Code: 34
Message: The time service has detected that the system time needs to be
changed by -54288 seconds. The time service will not change the system
time by more than -54000 seconds. Verify that your time and time zone
are correct, and that the time source time.windows.com (ntp.m|0x1|115.164.84.225:123->207.46.197.32:123) is working properly.

Record Number: 16211
Source Name: W32Time
Time Written: 20100719185254.000000-420
Event Type: error
User:

Computer Name: OEM-D45C75B5089
Event Code: 7023
Message: The Shell Network service terminated with the following error:
The specified module could not be found.


Record Number: 16190
Source Name: Service Control Manager
Time Written: 20100719184930.000000-420
Event Type: error
User:

Computer Name: OEM-D45C75B5089
Event Code: 7023
Message: The Driver Config service terminated with the following error:
The specified module could not be found.


Record Number: 16189
Source Name: Service Control Manager
Time Written: 20100719184930.000000-420
Event Type: error
User:

Computer Name: OEM-D45C75B5089
Event Code: 7023
Message: The Shell Manager service terminated with the following error:
The specified module could not be found.


Record Number: 16188
Source Name: Service Control Manager
Time Written: 20100719184930.000000-420
Event Type: error
User:

=====Application event log=====

Computer Name: OEM-D45C75B5089
Event Code: 1004
Message: Detection of product '{27197499-7680-4208-8FD8-5439CDB0FDC1}', feature 'RedboxMM', component '{E3446636-35AF-4093-8163-269E09C1DA8C}' failed.  The resource 'F:\' does not exist.

Record Number: 621
Source Name: MsiInstaller
Time Written: 20090416144323.000000-420
Event Type: warning
User: OEM-D45C75B5089\Acer

Computer Name: OEM-D45C75B5089
Event Code: 1001
Message: Detection of product '{27197499-7680-4208-8FD8-5439CDB0FDC1}', feature 'RedboxMM' failed during request for component '{CD23E09B-D3E3-4624-AFAC-DFC0BD19059E}'

Record Number: 619
Source Name: MsiInstaller
Time Written: 20090416144322.000000-420
Event Type: warning
User: OEM-D45C75B5089\Acer

Computer Name: OEM-D45C75B5089
Event Code: 1004
Message: Detection of product '{27197499-7680-4208-8FD8-5439CDB0FDC1}', feature 'RedboxMM', component '{E3446636-35AF-4093-8163-269E09C1DA8C}' failed.  The resource 'F:\' does not exist.

Record Number: 618
Source Name: MsiInstaller
Time Written: 20090416144322.000000-420
Event Type: warning
User: OEM-D45C75B5089\Acer

Computer Name: OEM-D45C75B5089
Event Code: 11706
Message: Product: HPProductAssistant -- Error 1706. An installation package for the product HPProductAssistant cannot be found. Try the installation again using a valid copy of the installation package 'HPProductAssistant.msi'.

Record Number: 616
Source Name: MsiInstaller
Time Written: 20090416144322.000000-420
Event Type: error
User: OEM-D45C75B5089\Acer

Computer Name: OEM-D45C75B5089
Event Code: 1001
Message: Detection of product '{27197499-7680-4208-8FD8-5439CDB0FDC1}', feature 'RedboxMM' failed during request for component '{CD23E09B-D3E3-4624-AFAC-DFC0BD19059E}'

Record Number: 615
Source Name: MsiInstaller
Time Written: 20090416144318.000000-420
Event Type: warning
User: OEM-D45C75B5089\Acer

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0d08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------
« Last Edit: August 15, 2010, 10:07:23 AM by xrafza »
Jintan
Administrator
« Reply #4 on: August 15, 2010, 01:56:04 PM »

If you run into problems getting Gmer to complete, still see if you can complete the mbr.exe -t command step.

I would also like to see one additional scan log, though given the amount of malware activity the logs are showing, if you have problems with it, pass on it for now as well.


But when you can, go here and download Dial-a-fix-v0.60.0.24.zip (scroll down to the "green" box), then unzip that to the desktop. In the Dial-a-fix folder locate and click on Dial-a-fix.exe to open the tool display.

Once the display opens another Restrictive Policies display should open. Click the Remove button, then close Dial-a-Fix.

That should return things like accessing the Task Manager, and accessing Folder Options. Use it at any time you find these disabled again until we clean out all the malware there. Be sure not to experiment with any of its other tools, since they could make things worse, instead of better.


For the added scan, go here and download reglooks.exe to your Desktop. Doubleclick on it to run it and when it has finished scanning, a log named result.txt will open in Notepad. Copy the log and post it in this thread.

xrafza
« Reply #5 on: August 16, 2010, 09:40:21 AM »

the Gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-16 21:20:49
Windows 5.1.2600 Service Pack 3
Running: 93u6mjwb.exe; Driver: C:\DOCUME~1\Acer\LOCALS~1\Temp\awloqfoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                                                       avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                      avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                      avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                    avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \FileSystem\Fastfat \Fat                                                       fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service         C:\WINDOWS\system32\svchost.exe (*** hidden *** )                              [AUTO] nhceg                                                                                <-- ROOTKIT !!!
Service         C:\WINDOWS\system32\svchost.exe (*** hidden *** )                              [AUTO] qjwcfy                                                                               <-- ROOTKIT !!!
Service         C:\WINDOWS\system32\svchost.exe (*** hidden *** )                              [AUTO] ruszqlm                                                                              <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg@DisplayName                       Shell Manager
Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg@Type                              32
Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg@Start                             2
Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg@ErrorControl                      0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg@ImagePath                         %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg@ObjectName                        LocalSystem
Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg@Description                       Provides notifications for AutoPlay hardware events.
Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg\Parameters                        
Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg\Parameters@ServiceDll             C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy@DisplayName                      Driver Config
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy@Type                             32
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy@Start                            2
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy@ErrorControl                     0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy@ImagePath                        %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy@ObjectName                       LocalSystem
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy@Description                      Provides notifications for AutoPlay hardware events.
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy\Parameters                      
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy\Parameters@ServiceDll            C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm@DisplayName                     Shell Network
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm@Type                            32
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm@Start                           2
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm@ErrorControl                    0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm@ImagePath                       %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm@ObjectName                      LocalSystem
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm@Description                     Allows error reporting for services and applictions running in non-standard environments.
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm\Parameters                      
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm\Parameters@ServiceDll           C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\ControlSet002\Services\nhceg@DisplayName                           Shell Manager
Reg             HKLM\SYSTEM\ControlSet002\Services\nhceg@Type                                  32
Reg             HKLM\SYSTEM\ControlSet002\Services\nhceg@Start                                 2
Reg             HKLM\SYSTEM\ControlSet002\Services\nhceg@ErrorControl                          0
Reg             HKLM\SYSTEM\ControlSet002\Services\nhceg@ImagePath                             %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet002\Services\nhceg@ObjectName                            LocalSystem
Reg             HKLM\SYSTEM\ControlSet002\Services\nhceg@Description                           Provides notifications for AutoPlay hardware events.
Reg             HKLM\SYSTEM\ControlSet002\Services\nhceg\Parameters (not active ControlSet)    
Reg             HKLM\SYSTEM\ControlSet002\Services\nhceg\Parameters@ServiceDll                 C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\ControlSet002\Services\qjwcfy@DisplayName                          Driver Config
Reg             HKLM\SYSTEM\ControlSet002\Services\qjwcfy@Type                                 32
Reg             HKLM\SYSTEM\ControlSet002\Services\qjwcfy@Start                                2
Reg             HKLM\SYSTEM\ControlSet002\Services\qjwcfy@ErrorControl                         0
Reg             HKLM\SYSTEM\ControlSet002\Services\qjwcfy@ImagePath                            %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet002\Services\qjwcfy@ObjectName                           LocalSystem
Reg             HKLM\SYSTEM\ControlSet002\Services\qjwcfy@Description                          Provides notifications for AutoPlay hardware events.
Reg             HKLM\SYSTEM\ControlSet002\Services\qjwcfy\Parameters (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet002\Services\qjwcfy\Parameters@ServiceDll                C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\ControlSet002\Services\ruszqlm@DisplayName                         Shell Network
Reg             HKLM\SYSTEM\ControlSet002\Services\ruszqlm@Type                                32
Reg             HKLM\SYSTEM\ControlSet002\Services\ruszqlm@Start                               2
Reg             HKLM\SYSTEM\ControlSet002\Services\ruszqlm@ErrorControl                        0
Reg             HKLM\SYSTEM\ControlSet002\Services\ruszqlm@ImagePath                           %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet002\Services\ruszqlm@ObjectName                          LocalSystem
Reg             HKLM\SYSTEM\ControlSet002\Services\ruszqlm@Description                         Allows error reporting for services and applictions running in non-standard environments.
Reg             HKLM\SYSTEM\ControlSet002\Services\ruszqlm\Parameters (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet002\Services\ruszqlm\Parameters@ServiceDll               C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg@DisplayName                           Shell Manager
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg@Type                                  32
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg@Start                                 2
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg@ErrorControl                          0
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg@ImagePath                             %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg@ObjectName                            LocalSystem
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg@Description                           Provides notifications for AutoPlay hardware events.
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg\Parameters (not active ControlSet)    
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg\Parameters@ServiceDll                 C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy@DisplayName                          Driver Config
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy@Type                                 32
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy@Start                                2
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy@ErrorControl                         0
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy@ImagePath                            %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy@ObjectName                           LocalSystem
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy@Description                          Provides notifications for AutoPlay hardware events.
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy\Parameters (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy\Parameters@ServiceDll                C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm@DisplayName                         Shell Network
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm@Type                                32
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm@Start                               2
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm@ErrorControl                        0
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm@ImagePath                           %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm@ObjectName                          LocalSystem
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm@Description                         Allows error reporting for services and applictions running in non-standard environments.
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm\Parameters (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm\Parameters@ServiceDll               C:\WINDOWS\system32\lglajlt.dll

---- Disk sectors - GMER 1.0.15 ----

Disk            \Device\Harddisk0\DR0                                                          sector 61: malicious code @ sector 0x6fc3dbf size 0x194

---- EOF - GMER 1.0.15 ----
xrafza
« Reply #6 on: August 16, 2010, 09:42:24 AM »

For mbr.exe: when I type "mbr.exe -t" in the command prompt, it does not recognise it.
But when I type "mbr.exe" only (without -t), it is able to execute and gives the log below:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x6fc3dbf size 0x194 !
Jintan (Administrator)
« Reply #7 on: August 16, 2010, 05:38:33 PM »
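The GMER log in Reply #5 and the mbr.exe summary in Reply #6 are the kind of output a responder ends up reading by hand. The script below is an added example, not code from this thread, from GMER or from mbr.exe: it parses the Service, Reg and Disk lines of a GMER log and the summary line of mbr.exe, flags svchost-hosted services on the evidence the log itself carries (hidden from the service API, a ServiceDll not on an allowlist, one DLL or one description shared by several differently named services), and cross-checks the disk sector both tools reported. The sample lines are constructed in the shape of the posted logs with the columns collapsed; the ShellHWDetection entry is a constructed benign control case (GMER only lists hidden items), and KNOWN_SERVICE_DLLS is a deliberately tiny allowlist, an assumption that a real run would replace with the ServiceDll inventory of a clean machine of the same build.

```python
"""Triage helpers for GMER and mbr.exe output (added example, not tool code)."""
import re
from collections import defaultdict

# Constructed sample in the shape of the GMER log posted above (columns collapsed).
# ShellHWDetection is a constructed benign control case; GMER lists only hidden items.
GMER_SAMPLE = r"""
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] nhceg <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] qjwcfy <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\nhceg@DisplayName Shell Manager
Reg HKLM\SYSTEM\CurrentControlSet\Services\nhceg@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\nhceg@Description Provides notifications for AutoPlay hardware events.
Reg HKLM\SYSTEM\CurrentControlSet\Services\nhceg\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\nhceg\Parameters@ServiceDll C:\WINDOWS\system32\lglajlt.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy@DisplayName Driver Config
Reg HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy@Description Provides notifications for AutoPlay hardware events.
Reg HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy\Parameters@ServiceDll C:\WINDOWS\system32\lglajlt.dll
Reg HKLM\SYSTEM\ControlSet002\Services\nhceg\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetection@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetection\Parameters@ServiceDll %SystemRoot%\system32\shsvcs.dll
Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x6fc3dbf size 0x194
"""

# Constructed mbr.exe summary in the shape of the output posted in Reply #6.
MBR_SAMPLE = """\
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x6fc3dbf size 0x194 !
"""

# Assumption: tiny allowlist; use the ServiceDll inventory of a clean reference build.
KNOWN_SERVICE_DLLS = {"shsvcs.dll", "ersvc.dll"}

SVC_RE = re.compile(r"^Service\s+(?P<image>\S+)\s+\((?P<flags>[^)]*)\)\s+"
                    r"\[(?P<start>\w+)\]\s+(?P<name>\S+)")
REG_RE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\(?P<name>[^\\@\s]+)"
                    r"(?:\\Parameters)?(?:@(?P<value>\w+))?"
                    r"(?:\s+\(not active ControlSet\))?\s*(?P<data>.*?)\s*$")
SECTOR_RE = re.compile(r"malicious code @ sector (?P<sector>0x[0-9a-f]+) "
                       r"size (?P<size>0x[0-9a-f]+)", re.I)


def dll_basename(path):
    """Lower-case file name of a DLL path, or '' when no path is given."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Return ({service: {"hidden": bool, "reg": {controlset: {value: data}}}},
    [(sector, size)]) from a GMER log."""
    services = defaultdict(lambda: {"hidden": False, "reg": defaultdict(dict)})
    sectors = []
    for line in text.splitlines():
        m = SVC_RE.match(line)
        if m:  # '---- Services ----' section: the flag says whether the service API hides it
            services[m["name"]]["hidden"] = "hidden" in m["flags"]
            continue
        m = REG_RE.match(line)
        if m and m["value"]:  # '---- Registry ----' section, one value per line
            services[m["name"]]["reg"][m["cs"]][m["value"]] = m["data"]
        elif line.startswith("Disk") and SECTOR_RE.search(line):  # '---- Disk sectors ----'
            m = SECTOR_RE.search(line)
            sectors.append((int(m["sector"], 16), int(m["size"], 16)))
    return services, sectors


def flag_services(services, known_dlls, cs="CurrentControlSet"):
    """Return {service: [reasons]} for entries that look like svchost-hosted
    rootkit persistence, judged from the log alone."""
    regs = {n: i["reg"].get(cs, {}) for n, i in services.items()}
    dll_owners, desc_owners = defaultdict(set), defaultdict(set)
    for name, reg in regs.items():
        dll_owners[dll_basename(reg.get("ServiceDll", ""))].add(name)
        desc_owners[reg.get("Description")].add(name)
    flagged = {}
    for name, reg in regs.items():
        dll, reasons = dll_basename(reg.get("ServiceDll", "")), []
        if services[name]["hidden"]:
            reasons.append("hidden from the service API")
        if dll and "svchost.exe" in reg.get("ImagePath", "").lower() and dll not in known_dlls:
            reasons.append("svchost-hosted with unknown ServiceDll " + dll)
        if dll and len(dll_owners[dll]) > 1:
            reasons.append("ServiceDll %s shared by %s" % (dll, sorted(dll_owners[dll])))
        if reg.get("Description") and len(desc_owners[reg["Description"]]) > 1:
            reasons.append("description duplicated across differently named services")
        if reasons:
            flagged[name] = reasons
    return flagged


def parse_mbr(text):
    """Return (mbr_ok, [(sector, size)]) from the mbr.exe summary."""
    hits = [(int(m["sector"], 16), int(m["size"], 16)) for m in SECTOR_RE.finditer(text)]
    return "user & kernel MBR OK" in text, hits


def correlate_sectors(gmer_sectors, mbr_sectors):
    """Sectors reported by both tools: two independent reads of the same finding."""
    return sorted(set(gmer_sectors) & set(mbr_sectors))


if __name__ == "__main__":
    svcs, gmer_hits = parse_gmer(GMER_SAMPLE)
    for name, reasons in sorted(flag_services(svcs, KNOWN_SERVICE_DLLS).items()):
        print(name + ": " + "; ".join(reasons))
    mbr_ok, mbr_hits = parse_mbr(MBR_SAMPLE)
    print("MBR OK:", mbr_ok, "| sectors seen by both tools:", correlate_sectors(gmer_hits, mbr_hits))
```

Run as a script it lists nhceg and qjwcfy with four reasons each and leaves the control entry alone; the sector 0x6fc3dbf/0x194 that GMER attributes to the disk and that mbr.exe prints after "user & kernel MBR OK" is the same finding read twice, which is why the two outputs are worth correlating rather than reading separately. The heuristics are only as good as the allowlist: on a real system, compare against a clean reference rather than the two-entry set used here.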

We will have to revisit the MBR checking, but for now let's address some of the rootkit activity this log shows.


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.


Download ComboFix.exe from here to your desktop, then click that to run that scan.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
xrafza
« Reply #8 on: November 07, 2010, 02:20:27 AM »

I think I have to start all over again as I've lost track of my last action.
Before I re-start, I've disabled the resident shield for my AVG 8.5 (antivirus) and ensured no other program or window was running/open during execution of each step.

1. Run GMER.
Finding: a message box appears, "found system modification .... maybe caused by ROOTKIT activity".
Then "fully scan system" = YES. Then, after the scan completes, a message box: "WARNING! GMER has found system modification caused by ROOTKIT activity".
The GMER screen shows three lines in red (all with svchost.exe hidden).

2. Run mbr.exe using the commands
cd\
mbr.exe -t

After that cmd shows the message; however, it hangs when I try to exit. Then a blue screen appears, with a long message, and the last sentence says something about dumping memory. This (system hang) happened when I tried to type exit on the cmd screen or tried to close it via 'X'.

3. Run Dial-a-fix. Scan and "remove" the 3 restricted policies. However, on re-scanning, the three restricted policies still appear.

4. Run reglooks.

5. Then I attempted to run ComboFix. However, once I run it, nothing happens (i.e. after the disclaimer box appears, I click yes). I'm expecting at least a command window to appear like the other diagnosis tools, but nothing happens, and after some time the desktop has already hung. Is this normal?

6. All the logs will be posted in the next thread.
xrafza
« Reply #9 on: November 07, 2010, 02:22:52 AM »

log gmer:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-11-07 12:52:05
Windows 5.1.2600 Service Pack 3
Running: 93u6mjwb.exe; Driver: C:\DOCUME~1\Acer\LOCALS~1\Temp\awloqfoc.sys


---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW]    [614AAE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA]      [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]    [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW]      [614AADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject]      [614A9CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW]   [614AAE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA]     [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress]   [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW]     [614AADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject]     [614A9CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA]  [614AAE29] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW]  [614AAE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW]    [614AADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA]    [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]  [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA]    [614AA3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW]    [614AA3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor]       [614A9C27] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu]    [614A9B56] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx]  [614A9B94] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject]     [614A9CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA]    [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW]    [614AADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress]  [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW]  [614AAE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA]  [614AAE29] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow]     [614A9D87] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx]  [614A9B94] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA]    [614AA3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor]       [614A9C27] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW]    [614AA3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush]  [614A9CF2] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT             C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[1260] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu]    [614A9B56] C:\PROGRA~1\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                           avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                          avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                          avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                        avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                           fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service         C:\WINDOWS\system32\svchost.exe (*** hidden *** )                                                                  [AUTO] nhceg                                                                                <-- ROOTKIT !!!
Service         C:\WINDOWS\system32\svchost.exe (*** hidden *** )                                                                  [AUTO] qjwcfy                                                                               <-- ROOTKIT !!!
Service         C:\WINDOWS\system32\svchost.exe (*** hidden *** )                                                                  [AUTO] ruszqlm                                                                              <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\ControlSet001\Services\nhceg@DisplayName                                                               Shell Manager
Reg             HKLM\SYSTEM\ControlSet001\Services\nhceg@Type                                                                      32
Reg             HKLM\SYSTEM\ControlSet001\Services\nhceg@Start                                                                     2
Reg             HKLM\SYSTEM\ControlSet001\Services\nhceg@ErrorControl                                                              0
Reg             HKLM\SYSTEM\ControlSet001\Services\nhceg@ImagePath                                                                 %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet001\Services\nhceg@ObjectName                                                                LocalSystem
Reg             HKLM\SYSTEM\ControlSet001\Services\nhceg@Description                                                               Provides notifications for AutoPlay hardware events.
Reg             HKLM\SYSTEM\ControlSet001\Services\nhceg\Parameters (not active ControlSet)                                       
Reg             HKLM\SYSTEM\ControlSet001\Services\nhceg\Parameters@ServiceDll                                                     C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\ControlSet001\Services\qjwcfy@DisplayName                                                              Driver Config
Reg             HKLM\SYSTEM\ControlSet001\Services\qjwcfy@Type                                                                     32
Reg             HKLM\SYSTEM\ControlSet001\Services\qjwcfy@Start                                                                    2
Reg             HKLM\SYSTEM\ControlSet001\Services\qjwcfy@ErrorControl                                                             0
Reg             HKLM\SYSTEM\ControlSet001\Services\qjwcfy@ImagePath                                                                %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet001\Services\qjwcfy@ObjectName                                                               LocalSystem
Reg             HKLM\SYSTEM\ControlSet001\Services\qjwcfy@Description                                                              Provides notifications for AutoPlay hardware events.
Reg             HKLM\SYSTEM\ControlSet001\Services\qjwcfy\Parameters (not active ControlSet)                                       
Reg             HKLM\SYSTEM\ControlSet001\Services\qjwcfy\Parameters@ServiceDll                                                    C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\ControlSet001\Services\ruszqlm@DisplayName                                                             Shell Network
Reg             HKLM\SYSTEM\ControlSet001\Services\ruszqlm@Type                                                                    32
Reg             HKLM\SYSTEM\ControlSet001\Services\ruszqlm@Start                                                                   2
Reg             HKLM\SYSTEM\ControlSet001\Services\ruszqlm@ErrorControl                                                            0
Reg             HKLM\SYSTEM\ControlSet001\Services\ruszqlm@ImagePath                                                               %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet001\Services\ruszqlm@ObjectName                                                              LocalSystem
Reg             HKLM\SYSTEM\ControlSet001\Services\ruszqlm@Description                                                             Allows error reporting for services and applictions running in non-standard environments.
Reg             HKLM\SYSTEM\ControlSet001\Services\ruszqlm\Parameters (not active ControlSet)                                     
Reg             HKLM\SYSTEM\ControlSet001\Services\ruszqlm\Parameters@ServiceDll                                                   C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg@DisplayName                                                           Shell Manager
Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg@Type                                                                  32
Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg@Start                                                                 2
Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg@ErrorControl                                                          0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg@ImagePath                                                             %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg@ObjectName                                                            LocalSystem
Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg@Description                                                           Provides notifications for AutoPlay hardware events.
Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg\Parameters                                                           
Reg             HKLM\SYSTEM\CurrentControlSet\Services\nhceg\Parameters@ServiceDll                                                 C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy@DisplayName                                                          Driver Config
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy@Type                                                                 32
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy@Start                                                                2
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy@ErrorControl                                                         0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy@ImagePath                                                            %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy@ObjectName                                                           LocalSystem
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy@Description                                                          Provides notifications for AutoPlay hardware events.
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy\Parameters                                                           
Reg             HKLM\SYSTEM\CurrentControlSet\Services\qjwcfy\Parameters@ServiceDll                                                C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm@DisplayName                                                         Shell Network
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm@Type                                                                32
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm@Start                                                               2
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm@ErrorControl                                                        0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm@ImagePath                                                           %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm@ObjectName                                                          LocalSystem
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm@Description                                                         Allows error reporting for services and applictions running in non-standard environments.
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm\Parameters                                                         
Reg             HKLM\SYSTEM\CurrentControlSet\Services\ruszqlm\Parameters@ServiceDll                                               C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg@DisplayName                                                               Shell Manager
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg@Type                                                                      32
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg@Start                                                                     2
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg@ErrorControl                                                              0
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg@ImagePath                                                                 %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg@ObjectName                                                                LocalSystem
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg@Description                                                               Provides notifications for AutoPlay hardware events.
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg\Parameters (not active ControlSet)                                       
Reg             HKLM\SYSTEM\ControlSet003\Services\nhceg\Parameters@ServiceDll                                                     C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy@DisplayName                                                              Driver Config
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy@Type                                                                     32
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy@Start                                                                    2
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy@ErrorControl                                                             0
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy@ImagePath                                                                %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy@ObjectName                                                               LocalSystem
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy@Description                                                              Provides notifications for AutoPlay hardware events.
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy\Parameters (not active ControlSet)                                       
Reg             HKLM\SYSTEM\ControlSet003\Services\qjwcfy\Parameters@ServiceDll                                                    C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm@DisplayName                                                             Shell Network
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm@Type                                                                    32
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm@Start                                                                   2
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm@ErrorControl                                                            0
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm@ImagePath                                                               %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm@ObjectName                                                              LocalSystem
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm@Description                                                             Allows error reporting for services and applictions running in non-standard environments.
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm\Parameters (not active ControlSet)                                     
Reg             HKLM\SYSTEM\ControlSet003\Services\ruszqlm\Parameters@ServiceDll                                                   C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\ControlSet004\Services\nhceg@DisplayName                                                               Shell Manager
Reg             HKLM\SYSTEM\ControlSet004\Services\nhceg@Type                                                                      32
Reg             HKLM\SYSTEM\ControlSet004\Services\nhceg@Start                                                                     2
Reg             HKLM\SYSTEM\ControlSet004\Services\nhceg@ErrorControl                                                              0
Reg             HKLM\SYSTEM\ControlSet004\Services\nhceg@ImagePath                                                                 %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet004\Services\nhceg@ObjectName                                                                LocalSystem
Reg             HKLM\SYSTEM\ControlSet004\Services\nhceg@Description                                                               Provides notifications for AutoPlay hardware events.
Reg             HKLM\SYSTEM\ControlSet004\Services\nhceg\Parameters (not active ControlSet)                                       
Reg             HKLM\SYSTEM\ControlSet004\Services\nhceg\Parameters@ServiceDll                                                     C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\ControlSet004\Services\qjwcfy@DisplayName                                                              Driver Config
Reg             HKLM\SYSTEM\ControlSet004\Services\qjwcfy@Type                                                                     32
Reg             HKLM\SYSTEM\ControlSet004\Services\qjwcfy@Start                                                                    2
Reg             HKLM\SYSTEM\ControlSet004\Services\qjwcfy@ErrorControl                                                             0
Reg             HKLM\SYSTEM\ControlSet004\Services\qjwcfy@ImagePath                                                                %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet004\Services\qjwcfy@ObjectName                                                               LocalSystem
Reg             HKLM\SYSTEM\ControlSet004\Services\qjwcfy@Description                                                              Provides notifications for AutoPlay hardware events.
Reg             HKLM\SYSTEM\ControlSet004\Services\qjwcfy\Parameters (not active ControlSet)                                       
Reg             HKLM\SYSTEM\ControlSet004\Services\qjwcfy\Parameters@ServiceDll                                                    C:\WINDOWS\system32\lglajlt.dll
Reg             HKLM\SYSTEM\ControlSet004\Services\ruszqlm@DisplayName                                                             Shell Network
Reg             HKLM\SYSTEM\ControlSet004\Services\ruszqlm@Type                                                                    32
Reg             HKLM\SYSTEM\ControlSet004\Services\ruszqlm@Start                                                                   2
Reg             HKLM\SYSTEM\ControlSet004\Services\ruszqlm@ErrorControl                                                            0
Reg             HKLM\SYSTEM\ControlSet004\Services\ruszqlm@ImagePath                                                               %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet004\Services\ruszqlm@ObjectName                                                              LocalSystem
Reg             HKLM\SYSTEM\ControlSet004\Services\ruszqlm@Description                                                             Allows error reporting for services and applictions running in non-standard environments.
Reg             HKLM\SYSTEM\ControlSet004\Services\ruszqlm\Parameters (not active ControlSet)                                     
Reg             HKLM\SYSTEM\ControlSet004\Services\ruszqlm\Parameters@ServiceDll                                                   C:\WINDOWS\system32\lglajlt.dll

---- Disk sectors - GMER 1.0.15 ----

Disk            \Device\Harddisk0\DR0                                                                                              sector 61: malicious code @ sector 0x6fc3dbf size 0x194

---- EOF - GMER 1.0.15 ----
xrafza

« Reply #10 on: November 07, 2010, 02:23:38 AM »

mbr.exe log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x6fc3dbf size 0x194 !
xrafza

« Reply #11 on: November 07, 2010, 02:24:47 AM »

Okay, last one for today.
RegLooks result:

REGLOOKS logfile - version 0.985
Scan started: Sun 11/07/2010  13:46:22.65

--- INFORMATION ---

Manufacturer: Acer             - Model: TravelMate 4150                 
Operating System: Microsoft Windows XP Home Edition -- 5.1.2600 -- Service Pack 3 --
Processor:         Intel(R) Pentium(R) M processor 1.73GHz
Number of Processors: 1
Work Station
Bootmode: Normal boot
Total RAM: 247 MB (free 97 MB - 39%)

Computername: OEM-D45C75B5089
Domain: MSHOME
User: Acer (Administrator account)

Bootdevice: \Device\HarddiskVolume1
Systemdrive: C:
Windowsdirectory: C:\WINDOWS
Systemdirectory: C:\WINDOWS\system32

Internet Explorer Version: 8.0.6001.18702

Antivirus Program: AVG Anti-Virus Free 8.5 [Not Enabled - Updated]



--- SIGCHECK ---

C:\WINDOWS\explorer.exe -- [1033728] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\appmgmts.dll NOT found
C:\WINDOWS\system32\browser.dll -- [77824] -- [04/13/2008 05:11 PM] -- sigcheck OK
C:\WINDOWS\system32\comres.dll -- [792064] -- [04/13/2008 05:11 PM] -- sigcheck OK
C:\WINDOWS\system32\comctl32.dll -- [617472] -- [08/23/2010 09:12 AM] -- sigcheck OK
C:\WINDOWS\system32\cryptsvc.dll -- [62464] -- [04/13/2008 05:11 PM] -- sigcheck OK
C:\WINDOWS\system32\ctfmon.exe -- [15360] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\es.dll -- [253952] -- [07/07/2008 01:26 PM] -- sigcheck OK
C:\WINDOWS\system32\eventlog.dll -- [56320] -- [04/13/2008 05:11 PM] -- sigcheck OK
C:\WINDOWS\system32\ias.dll NOT found
C:\WINDOWS\system32\imm32.dll -- [110080] -- [04/13/2008 05:11 PM] -- sigcheck OK
C:\WINDOWS\system32\kernel32.dll -- [989696] -- [03/21/2009 07:06 AM] -- sigcheck OK
C:\WINDOWS\system32\linkinfo.dll -- [19968] -- [04/13/2008 05:11 PM] -- sigcheck OK
C:\WINDOWS\system32\lpk.dll -- [22016] -- [04/13/2008 05:11 PM] -- sigcheck OK
C:\WINDOWS\system32\lsass.exe -- [13312] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\mfc40u.dll -- [953856] -- [09/17/2010 11:53 PM] -- sigcheck OK
C:\WINDOWS\system32\msgsvc.dll -- [33792] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\mshtml.dll -- [5950976] -- [05/06/2010 03:41 AM] -- sigcheck OK
C:\WINDOWS\system32\mspmsnsv.dll -- [52224] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\mswsock.dll -- [245248] -- [06/20/2008 10:46 AM] -- sigcheck OK
C:\WINDOWS\system32\netlogon.dll -- [407040] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\netman.dll -- [198144] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\ntkrnlpa.exe -- [2066816] -- [04/27/2010 06:05 AM] -- sigcheck OK
C:\WINDOWS\system32\ntmssvc.dll -- [435200] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\ntoskrnl.exe -- [2189952] -- [04/27/2010 07:25 PM] -- sigcheck OK
C:\WINDOWS\system32\pchsvc.dll NOT found
C:\WINDOWS\system32\powrprof.dll -- [17408] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\qmgr.dll -- [409088] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\rasauto.dll -- [88576] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\regsvc.dll -- [59904] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\rpcss.dll -- [401408] -- [02/09/2009 05:10 AM] -- sigcheck OK
C:\WINDOWS\system32\scecli.dll -- [181248] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\schedsvc.dll -- [192512] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\services.exe -- [110592] -- [02/06/2009 04:11 AM] -- sigcheck OK
C:\WINDOWS\system32\sfc.dll -- [5120] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\sfcfiles.dll -- [1614848] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\spoolsv.exe -- [58880] -- [08/17/2010 06:17 AM] -- sigcheck OK
C:\WINDOWS\system32\srsvc.dll -- [171008] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\ssdpsrv.dll -- [71680] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\svchost.exe -- [14336] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\tapisrv.dll -- [249856] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\termsrv.dll -- [295424] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\upnphost.dll -- [185856] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\user32.dll -- [578560] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\userinit.exe -- [26112] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\wininet.dll -- [916480] -- [05/06/2010 03:41 AM] -- sigcheck OK
C:\WINDOWS\system32\winlogon.exe -- [507904] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\ws2_32.dll -- [82432] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\wscntfy.exe -- [13824] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\wuauclt.exe -- [53472] -- [08/06/2009 07:24 PM] -- sigcheck OK
C:\WINDOWS\system32\xmlprov.dll -- [129024] -- [04/13/2008 05:12 PM] -- sigcheck OK
C:\WINDOWS\system32\drivers\acpiec.sys -- [11648] -- [08/04/2004 05:00 AM] -- sigcheck OK
C:\WINDOWS\system32\drivers\aec.sys -- [142592] -- [04/13/2008 09:39 AM] -- sigcheck OK
C:\WINDOWS\system32\drivers\asyncmac.sys -- [14336] -- [04/13/2008 11:57 AM] -- sigcheck OK
C:\WINDOWS\system32\drivers\atapi.sys -- [96512] -- [04/13/2008 11:40 AM] -- sigcheck OK
C:\WINDOWS\system32\drivers\beep.sys -- [4224] -- [08/04/2004 05:00 AM] -- sigcheck OK
C:\WINDOWS\system32\drivers\classpnp.sys -- [49536] -- [04/13/2008 12:16 PM] -- sigcheck OK
C:\WINDOWS\system32\drivers\disk.sys -- [36352] -- [04/13/2008 11:40 AM] -- sigcheck OK
C:\WINDOWS\system32\drivers\iaStor.sys NOT found
C:\WINDOWS\system32\drivers\ip6fw.sys -- [36608] -- [04/13/2008 11:53 AM] -- sigcheck OK
C:\WINDOWS\system32\drivers\kbdclass.sys -- [24576] -- [04/13/2008 11:39 AM] -- sigcheck OK
C:\WINDOWS\system32\drivers\ndis.sys -- [182656] -- [04/13/2008 12:20 PM] -- sigcheck OK
C:\WINDOWS\system32\drivers\ntfs.sys -- [574976] -- [04/13/2008 12:15 PM] -- sigcheck OK
C:\WINDOWS\system32\drivers\tcpip.sys -- [361600] -- [06/20/2008 04:51 AM] -- sigcheck OK


--- SSODL regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" -- File: %SystemRoot%\system32\SHELL32.dll -- [?]
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" -- File: %SystemRoot%\system32\SHELL32.dll -- [?]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" -- File: C:\WINDOWS\system32\webcheck.dll -- [236544] -- [03/08/2009 04:34 AM]
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" -- File: C:\WINDOWS\system32\stobject.dll -- [121856] -- [04/13/2008 05:12 PM]


--- STS regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" -- File: %SystemRoot%\system32\browseui.dll -- [?]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" -- File: %SystemRoot%\system32\browseui.dll -- [?]


--- USERINIT regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\fdisk.com"
File: C:\WINDOWS\system32\userinit.exe -- [26112] -- [04/13/2008 05:12 PM]
File: C:\WINDOWS\system32\fdisk.com -- [356751] -- [08/11/2009 06:06 AM]


--- SHELL regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system32\\fdisk.com"
File: explorer.exe C:\WINDOWS\system32\fdisk.com -- [X]


--- SYSTEM regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


--- APPINIT_DLLS regkey ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


--- NOTIFY regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
-- File: C:\WINDOWS\system32\avgrsstx.dll -- [11952] -- [09/07/2009 10:07 AM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
-- File: C:\WINDOWS\system32\crypt32.dll -- [599040] -- [04/13/2008 05:11 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
-- File: C:\WINDOWS\system32\cryptnet.dll -- [64512] -- [04/13/2008 05:11 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
-- File: C:\WINDOWS\system32\cscdll.dll -- [101888] -- [04/13/2008 05:11 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
-- File: %SystemRoot%\System32\dimsntfy.dll -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
-- File: C:\WINDOWS\system32\igfxdev.dll -- [139264] -- [06/12/2006 03:57 AM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
-- File: C:\WINDOWS\system32\wlnotify.dll -- [92672] -- [04/13/2008 05:12 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
-- File: C:\WINDOWS\system32\wlnotify.dll -- [92672] -- [04/13/2008 05:12 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
-- File: C:\WINDOWS\system32\sclgntfy.dll -- [20480] -- [04/13/2008 05:12 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
-- File: C:\WINDOWS\system32\WlNotify.dll -- [92672] -- [04/13/2008 05:12 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
-- File: C:\WINDOWS\system32\wlnotify.dll -- [92672] -- [04/13/2008 05:12 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
-- File: C:\WINDOWS\system32\wlnotify.dll -- [92672] -- [04/13/2008 05:12 PM]


--- RUN / LOAD regkeys ---

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\DOCUME~1\\Acer\\LOCALS~1\\Temp\\svchost.com"
"run"="C:\\DOCUME~1\\Acer\\LOCALS~1\\Temp\\svchost.com"
File: C:\DOCUME~1\Acer\LOCALS~1\Temp\svchost.com -- [356751] -- [08/11/2009 06:06 AM]
File: C:\DOCUME~1\Acer\LOCALS~1\Temp\svchost.com -- [356751] -- [08/11/2009 06:06 AM]


--- SHELLEXECUTEHOOKS regkey ---

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" -- File: shell32.dll -- [?]


--- HKLM AUTORUN regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor]
no AutoRun regkey found


--- HKCU AUTORUN regkeys ---

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
no AutoRun regkey found


--- HKLM\RUN regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LManager" -- File C:\PROGRA~1\LAUNCH~1\LManager.exe -- [466944] -- [03/14/2005 12:24 PM]
"AGRSMMSG" -- File: AGRSMMSG.exe -- [?]
"igfxtray" -- File C:\WINDOWS\system32\igfxtray.exe -- [94208] -- [06/12/2006 03:57 AM]
"igfxhkcmd" -- File C:\WINDOWS\system32\hkcmd.exe -- [77824] -- [06/12/2006 03:57 AM]
"igfxpers" -- File C:\WINDOWS\system32\igfxpers.exe -- [118784] -- [06/12/2006 03:57 AM]
"SoundMan" -- File: SOUNDMAN.EXE -- [?]
"Adobe Reader Speed Launcher" -- File "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" -- [39792] -- [01/11/2008 10:16 PM]
"NeroFilterCheck" -- File C:\WINDOWS\system32\NeroCheck.exe -- [155648] -- [07/09/2001 11:50 AM]
"RemoteControl" -- File "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" -- [71216] -- [03/14/2007 09:01 PM]
"LanguageShortcut" -- File "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" -- [54832] -- [02/07/2007 04:21 PM]
"HP Software Update" -- File C:\Program Files\HP\HP Software Update\HPWuSchd2.exe -- [49152] -- [03/25/2008 09:27 PM]
"AVG8_TRAY" -- File C:\PROGRA~1\AVG\AVG8\avgtray.exe -- [2048352] -- [08/08/2010 05:35 PM]
"HotKey" -- File C:\Documents and Settings\Acer\Templates\cache\SFCsrvc.pif -- [356751] -- [08/11/2009 06:06 AM]
"User Agent" -- File C:\WINDOWS\system32\fdisk.com -- [356751] -- [08/11/2009 06:06 AM]
"SunJavaUpdateSched" -- File "C:\Program Files\Common Files\Java\Java Update\jusched.exe" -- [248552] -- [05/14/2010 11:44 AM]


--- HKLM\RUNONCE regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
no runonce values found


--- HKLM\RUNONCEEX regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
no runonceex values found


--- HKLM\RUNSERVICES regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
key not found


--- HKLM\RUNSERVICESONCE regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
key not found


--- HKCU\RUN regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" -- File C:\WINDOWS\system32\ctfmon.exe -- [15360] -- [04/13/2008 05:12 PM]
"MSMSGS" -- File: "C:\Program Files\Messenger\msmsgs.exe" /background -- [?]
"Messenger (Yahoo!)" -- File: "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet -- [?]
"HotKey" -- File C:\Documents and Settings\Acer\Templates\cache\SFCsrvc.pif -- [356751] -- [08/11/2009 06:06 AM]
"User Agent" -- File C:\DOCUME~1\Acer\LOCALS~1\Temp\svchost.com -- [356751] -- [08/11/2009 06:06 AM]


--- HKCU\RUNONCE regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
no runonce values found


--- HKCU\RUNONCEEX regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
key not found


--- HKCU\RUNSERVICES regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
key not found


--- HKCU\RUNSERVICESONCE regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
key not found


--- HKU\.DEFAULT\Run regkeys - Default user ---

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
no run values found


--- HKU\S-1-5-18\Run regkeys - user SYSTEM ---

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
no run values found


--- HKU\S-1-5-19\Run regkeys - User Lokale service ---

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
no run values found


--- HKU\S-1-5-20\Run regkeys - User Lokale service ---

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
no run values found


--- HKLM\Explorer\Run regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
key not found


--- HKCU\Explorer\Run regkeys ---

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
key not found


--- Image File Execution regkeys ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe]
"Debugger"="notepad" -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE]
"Debugger"="notepad" -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE]
"Debugger"="notepad" -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe]
"Debugger"="notepad" -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger"="notepad" -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe]
"Debugger"="notepad" -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe]
"Debugger"="notepad" -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="notepad" -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE]
"Debugger"="notepad" -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE]
"Debugger"="notepad" -- [?]


--- BROWSER HELPER OBJECTS regkeys ---

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
-- File: C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll -- [322880] -- [03/27/2008 11:51 PM]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
-- File: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll -- [62080] -- [10/22/2006 11:08 PM]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
-- File: C:\Program Files\AVG\AVG8\avgssie.dll -- [1111320] -- [12/31/2009 03:27 PM]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68F9551E-0411-48E4-9AAF-4BC42A6A46BE}]
-- File: C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll -- [?]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
-- File: C:\Program Files\Java\jre6\bin\jp2ssv.dll -- [41760] -- [11/06/2010 10:53 AM]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
-- File: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll -- [79648] -- [11/06/2010 10:53 AM]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}]
-- File: C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll -- [501056] -- [03/27/2008 11:51 PM]


--- TOOLBAR regkeys ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} -- File: C:\Program Files\Canon\Easy-WebPrint\Toolband.dll -- [?]


--- HKLM\URLSEARCHHOOKS regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks]
key not found


--- HKCU\URLSEARCHHOOKS regkeys ---

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
{CFBFAE00-17A6-11D0-99CB-00C04FD64497} -- File: C:\WINDOWS\system32\ieframe.dll -- [11076096] -- [05/06/2010 03:41 AM]


--- SRCEENSAVER regkey ---

[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE" -- File C:\DOCUME~1\Acer\LOCALS~1\Temp\scr\logon.exe -- [356751] -- [08/11/2009 06:06 AM]


--- ALTERNATESHELL regkey ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
File: C:\WINDOWS\system32\cmd.exe -- [389120] -- [04/13/2008 05:12 PM]


--- SECURITYPROVIDERS regkey ---

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
File: C:\WINDOWS\system32\msapsspc.dll -- [86016] -- [04/13/2008 05:11 PM]
File: C:\WINDOWS\system32\schannel.dll -- [149504] -- [06/30/2010 05:31 AM]
File: C:\WINDOWS\system32\digest.dll -- [68608] -- [04/13/2008 05:11 PM]
File: C:\WINDOWS\system32\msnsspc.dll -- [290816] -- [04/13/2008 05:12 PM]


--- Active Setup\Installed Components regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
-- File: C:\WINDOWS\system32\ieudinit.exe -- [36864] -- [03/08/2009 04:32 AM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
-- File: C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
-- File: "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
-- File: %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
-- File: %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
-- File: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
-- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
-- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
-- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
-- File: regsvr32.exe /s /n /i:U shell32.dll -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
-- File: C:\WINDOWS\system32\ie4uinit.exe -BaseSettings -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
-- File: C:\WINDOWS\system32\ie4uinit.exe -BaseSettings -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}]
-- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}]
-- filepath not found


--- Services regkey ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abp480n5]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\adpu160m]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aec]
-- File: system32\drivers\aec.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aic78u2]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aic78xx]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3350p]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]
-- File: system32\DRIVERS\atapi.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\audstub]
-- File: system32\DRIVERS\audstub.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVG]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avg8wd]
-- File: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe -- [297752] -- [09/07/2009 10:06 AM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AvgLdx86]
-- File: \SystemRoot\System32\Drivers\avgldx86.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DritekPortIO]
-- File: \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dsNcAdpt]
-- File: system32\DRIVERS\dsNcAdpt.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dsNcService]
-- File: C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- [427376] -- [04/01/2009 08:23 PM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EMSCR]
-- File: system32\DRIVERS\EMS7SK.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESDCR]
-- File: system32\DRIVERS\ESD7SK.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESMCR]
-- File: system32\DRIVERS\ESM7SK.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hwdatacard]
-- File: system32\DRIVERS\ewusbmdm.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hwusbapp]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hwusbdev]
-- File: system32\DRIVERS\ewusbdev.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hwusbser]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i2omgmt]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i2omp]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt]
-- File: system32\DRIVERS\i8042prt.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ialm]
-- File: system32\DRIVERS\ialmnt5.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\inetaccs]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ini910u]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelppm]
-- File: system32\DRIVERS\intelppm.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irda]
-- File: system32\DRIVERS\irda.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\isapnp]
-- File: system32\DRIVERS\isapnp.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JavaQuickStarterService]
-- File: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Net Driver HPZ12]
-- File: %SystemRoot%\System32\svchost.exe -k HPZ12 -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nhceg]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ohci1394]
-- File: system32\DRIVERS\ohci1394.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ose]
-- File: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" -- [89136] -- [07/29/2003 03:28 PM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qjwcfy]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ruszqlm]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swwd]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ultra]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost]
-- File: %SystemRoot%\system32\svchost.exe -k LocalService -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbccgp]
-- File: system32\DRIVERS\usbccgp.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbehci]
-- File: system32\DRIVERS\usbehci.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbhub]
-- File: system32\DRIVERS\usbhub.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbprint]
-- File: system32\DRIVERS\usbprint.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbuhci]
-- File: system32\DRIVERS\usbuhci.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{2B3D8010-B960-47E8-8A69-0FA49D467265}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{63E2BA99-EFBE-494B-A1B0-30270711CBD4}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
-- File: \??\C:\Program Files\CyberLink\PowerDVD\000.fcl -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{AB4EDF2C-4418-416C-B4F5-D7B1B2100E5A}]
-- filepath not found


--- SAFEBOOT MINIMAL SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
PEVSystemStart
procexp90.Sys
{533C5B84-EC70-11D2-9505-00C04F79DEAF}
 

--- SAFEBOOT Network SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
DnsCache
PEVSystemStart
procexp90.Sys
 

--- BOOTEXECUTE regkey ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"= autocheck autochk *\0\0


--- PENDINGFILERENAMEOPERATIONS regkey ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
PendingFileRenameOperations key not found


--- WOW-CMDLINE regkeys ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
"cmdline" = %SystemRoot%\system32\ntvdm.exe
"cmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386


--- NETSVCS regkey ---

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] -- NETSVCS
0WmdmPmSN
0qjwcfy
0ruszqlm
0nhceg


--- DNS SERVER regkeys ---

no "NameServer" values found


--- File associations ---

.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("%1" %*)
.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.SCR files: ("%1" /S)
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)


--- STARTUP FOLDERS ---

C:\Documents and Settings\Acer\Start Menu\Programs\Startup\desktop.ini -- [84] -- [03/20/2009 06:38 PM]
C:\Documents and Settings\Acer\Start Menu\Programs\Startup\sndvol32.exe -- [356751] -- [08/11/2009 06:06 AM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini -- [84] -- [03/20/2009 06:38 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus QuickStart.lnk -- [403] -- [12/28/2009 01:47 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\sndvol32.exe -- [356751] -- [08/11/2009 06:06 AM]
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini -- [84] -- [03/20/2009 06:38 PM]
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini -- [84] -- [03/20/2009 06:38 PM]


--- TASK SCHEDULER JOBS ---

no .job files found
 

Scan completed: Sun 11/07/2010  13:47:09.29
FINISHED
Logged
Jintan
Administrator
« Reply #12 on: November 07, 2010, 03:24:34 PM »

Yes, the delay in the repairs really makes the previous info invalid, due to any changes that have been made. And a serious, and active, infection there as well.

Be sure to continue to temporarily disable any protective software when running the scan tools we use here.

Open Gmer again. If on its opening scan these malware services show, right click each of them, then select "Disable service", and agree to any warnings.

Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] nhceg    <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] qjwcfy   <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] ruszqlm  <-- ROOTKIT !!!

If they do not show, run a new Scan, then do the disable steps. There may be some risk that making those changes will cause a shutdown to occur, but we do need them out of action for now.

Once you have done those changes, go ahead and reboot the computer.

---------------------

If you have the access, reboot to Safe Mode, where the malware is less active. At startup tap the F8 key about once per half-second, then select Safe Mode with Networking from the menu that will appear.


Open Notepad (Start, Run, type notepad and press Enter) and copy/paste the following text (inside the Code box).

Code:
[Version]
Signature="$Windows NT$"

[DefaultInstall]
AddReg=Add.Settings
DelReg=Del.Settings

; Image File Execution Options: when a "Debugger" value exists for an image
; name, Windows starts that debugger in place of the file. Pointing it at
; "ntsd --" is how the three malware files (including the copy named after
; the real sndvol32.exe, which is why sound may stop working) are kept from
; launching. 0x00000000 = REG_SZ.
[Add.Settings]
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SFCsrvc.pif,Debugger,0x00000000,"ntsd --"
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fdisk.com,Debugger,0x00000000,"ntsd --"
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SndVol32.exe,Debugger,0x00000000,"ntsd --"

; Delete the policy values the infection set to lock out regedit, Task
; Manager and Folder Options, and the value that disables Group Policy.
[Del.Settings]
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,NoFolderOptions
HKLM,SOFTWARE\Policies\Microsoft\Windows\System,DisableGPO

Save this as correct.inf

Where it says "Files of Type", select All Files, click on Save and save it to your desktop. Exit Notepad, then right-click on correct.inf and select Install. That should allow access to functions like the Task Manager. If you are blocked from the accesses again while we do the repairs, just go ahead and "Install" the correct.inf again.

(If successful, part of that may make your sound non-functional. If so, be sure to remind me later and we will correct that)

=============

Make a copy of the following list, then close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\fdisk.com
F3 - REG:win.ini: load=C:\DOCUME~1\Acer\LOCALS~1\Temp\svchost.com
F3 - REG:win.ini: run=C:\DOCUME~1\Acer\LOCALS~1\Temp\svchost.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\fdisk.com
O4 - HKCU\..\Run: [HotKey] C:\Documents and Settings\Acer\Templates\cache\SFCsrvc.pif
O4 - HKCU\..\Run: [User Agent] C:\DOCUME~1\Acer\LOCALS~1\Temp\svchost.com
O4 - Startup: sndvol32.exe
O4 - Global Startup: sndvol32.exe
O24 - Desktop Component 0: (no name) - http://lb2f.lilypie.com/dcUbm7.png


-----------------

Delete any existing copies if you have any there, and download ComboFix.exe from here to your desktop, then click that to run that scan.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

Run a new Gmer scan, and post that log and the ComboFix log please.
Logged
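The two log patterns Jintan is acting on above can be checked offline before anything is touched on the box: svchost "netsvcs" group members that no real service binary backs (how nhceg, qjwcfy and ruszqlm appear in the services dump), and Winlogon Shell/UserInit and win.ini load=/run= values that chain a second program after the stock one (the F2/F3 HijackThis lines). The script below is an added example, not code from the forum, HijackThis or GMER. Its sample text is constructed from the lines quoted in the thread; it assumes the leading "0" on each NETSVCS entry is a prefix added by the logging tool, and the WmdmPmSN service line in the dump is constructed as a legitimate member for contrast.

```python
"""Offline triage of the service dump and HijackThis lines quoted in this thread.

Added example, not the forum's or any tool's own code. Two checks:
  1. netsvcs members with no backing service key or no file on disk, which is
     how the hidden nhceg / qjwcfy / ruszqlm services show up in the dump;
  2. Shell / UserInit / load / run values that chain an extra program after
     the stock Windows XP entry (the F2/F3 HijackThis lines).
Assumptions: the leading '0' on NETSVCS entries is a tool-output prefix and is
stripped; the WmdmPmSN line in SERVICES_DUMP is constructed for contrast.
"""
import re

# Constructed from the services section of the posted log (abridged).
SERVICES_DUMP = """\
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\asc3350p]
-- filepath not found
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\avg8wd]
-- File: C:\\PROGRA~1\\AVG\\AVG8\\avgwdsvc.exe -- [297752] -- [09/07/2009 10:06 AM]
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\nhceg]
-- filepath not found
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\qjwcfy]
-- filepath not found
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ruszqlm]
-- filepath not found
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WmdmPmSN]
-- File: %SystemRoot%\\system32\\svchost.exe -k netsvcs -- [?]
"""

# Constructed from the NETSVCS section of the posted log.
NETSVCS_DUMP = """\
0WmdmPmSN
0qjwcfy
0ruszqlm
0nhceg
"""

# Constructed from the F2/F3 lines Jintan asked to have fixed.
HJT_LINES = """\
F2 - REG:system.ini: Shell=explorer.exe C:\\WINDOWS\\system32\\fdisk.com
F3 - REG:win.ini: load=C:\\DOCUME~1\\Acer\\LOCALS~1\\Temp\\svchost.com
F3 - REG:win.ini: run=C:\\DOCUME~1\\Acer\\LOCALS~1\\Temp\\svchost.com
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\fdisk.com
"""

SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\]]+)\]$")


def parse_service_paths(dump):
    """Map service name -> image path, or None where the dump says 'filepath not found'."""
    paths, current = {}, None
    for line in dump.splitlines():
        m = SERVICE_KEY.match(line.strip())
        if m:
            current = m.group(1)
            paths[current] = None
        elif current and line.startswith("-- File:"):
            # "-- File: <path> -- [size] -- [date]": keep only the path part.
            paths[current] = line[len("-- File:"):].split(" -- ")[0].strip()
    return paths


def parse_netsvcs(dump):
    """Service names from the NETSVCS block, minus the tool's '0' prefix (assumption)."""
    names = []
    for line in dump.splitlines():
        line = line.strip()
        if line:
            names.append(line[1:] if line.startswith("0") else line)
    return names


def find_orphan_netsvcs(services_dump, netsvcs_dump):
    """netsvcs members that no Services key backs, or whose key lists no file.

    A missing file alone is normal for stale driver keys (asc3350p above); it
    is the combination with netsvcs membership, and GMER reporting the service
    as hidden, that marks a ServiceDll-loaded rootkit component.
    Returns {service name: reason}."""
    paths = parse_service_paths(services_dump)
    findings = {}
    for name in parse_netsvcs(netsvcs_dump):
        if name not in paths:
            findings[name] = "no Services key"
        elif paths[name] is None:
            findings[name] = "Services key but no file"
    return findings


HJT_REG = re.compile(r"^F[23] - REG:(system\.ini|win\.ini): (\w+)=(.*)$")
# What a stock Windows XP install carries in each value (basenames only).
STOCK = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"},
         "load": set(), "run": set()}


def find_winlogon_hijacks(hjt_text):
    """Programs chained into Shell/UserInit/load/run beyond the stock entry.

    UserInit is comma separated; Shell, load and run are space separated, so
    paths with spaces must be in 8.3 form, as they are in the log above.
    Returns [(ini file, value name, [extra programs])]."""
    findings = []
    for line in hjt_text.splitlines():
        m = HJT_REG.match(line.strip())
        if not m:
            continue
        ini, value, data = m.groups()
        parts = data.split(",") if value.lower() == "userinit" else data.split()
        stock = STOCK.get(value.lower(), set())
        extra = [p.strip() for p in parts
                 if p.strip() and p.strip().rsplit("\\", 1)[-1].lower() not in stock]
        if extra:
            findings.append((ini, value, extra))
    return findings


if __name__ == "__main__":
    for name, why in find_orphan_netsvcs(SERVICES_DUMP, NETSVCS_DUMP).items():
        print(f"netsvcs member {name}: {why}")
    for ini, value, extra in find_winlogon_hijacks(HJT_LINES):
        print(f"{ini} {value}= chains {', '.join(extra)}")
```

Run against the quoted lines it reports the three rootkit service names and the four Winlogon/win.ini entries, which is exactly the set Jintan has the user disable in Gmer and fix in HijackThis. The check is deliberately narrow: it only compares against what the stock XP values contain, so a legitimate third-party shell or userinit replacement would also be listed and needs a human decision.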
Jintan
Administrator
« Reply #13 on: November 07, 2010, 03:28:15 PM »

This infection is known to include some autorun functions, so avoid using usb/flash/thumb drives right now. If any have been used while this system has been infected, you will need to go ahead and insert them now, since they and the computer infection need to be cleaned at the same time. Better options for transferring scans/logs to/from the problem computer are emailing them to yourself as attachments, or burning things to a disk.
Logged
xrafza
Newbie
« Reply #14 on: February 01, 2011, 09:38:09 AM »

I've run Gmer and did discover the listed svchost item.

However, on right-clicking, the "disable" option is not active (greyed out) (as attached).
Kindly advise if it's OK to just click "delete"?

Otherwise, can I just skip the above step and go to the "safe mode" step?

Thanks.
Logged