
Please help - log attached


This topic is locked. 18 replies to this topic.

#1 snapperman (New Member, 10 posts) - Posted 24 February 2007 - 05:52 AM

Like an idiot I clicked on a file which I thought was a Norton AntiVirus crack called norton 2007_c. My PC then shut down and rebooted and I knew I was going to have problems. A DLL in the system32 folder called mwggpsskyaod.dll was created but I have tried everything to delete it with apps on reboot etc. Booted to DOS with an NTFS disk and it's no longer visible. When I try and run some apps to fix it they are automatically closed within 2 seconds, as is Internet Explorer when I search for stuff.. any help or advice appreciated. I'm buying a copy of Norton now after this.. just not worth it...... Thanks in advance.



Logfile of HijackThis v1.99.1
Scan saved at 21:41:58, on 23/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\testss\analyses.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EPSON Stylus C46 Series on p4 (from LAPTOP)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P43 "EPSON Stylus C46 Series on p4 (from LAPTOP)" /O5 "TS002" /M "Stylus C46"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program Files\MultiPoker\MultiPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program Files\MultiPoker\MultiPoker.exe (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ADVFN US -
O16 - DPF: {3CA15C82-6297-11D6-B8FA-00C04F5E375A} (BridgeChannel v3) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://etrade.webex...bex/ieatgpc.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.1.0168.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.1.0168.00.dll
O20 - Winlogon Notify: mwggpsskyaod - C:\WINDOWS\system32\mwggpsskyaod.dll
O20 - Winlogon Notify: zgvimczvtxnv - C:\WINDOWS\system32\zgvimczvtxnv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe



#2 snapperman (New Member, 10 posts) - Posted 24 February 2007 - 10:49 AM

Please help someone.

#3 LDTate (Forum God, Root Admin, 57,173 posts) - Posted 24 February 2007 - 12:19 PM

Hello and welcome to the forums

There are FREE anti-virus and spyware programs.

For others reading this topic, not too many helpers at any help sites will help with issues like this. Stealing programs doesn't get it.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use Firefox or the Opera browser, to keep saved passwords click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan along with a new HijackThis log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#4 snapperman (New Member, 10 posts) - Posted 24 February 2007 - 01:02 PM

Thanks for the advice but I am really struggling to do this. I had to download the AVG software on another PC and copy it across on a memory stick as the web browser kept shutting down when I tried to download. This is one of the problems. When I try to install it, it gets about 2-3 seconds through and then the app installation gets automatically closed. I even tried to install it in safe mode and in another profile but no luck.

I'm pretty sure that the problem lies with this mwggpsskyaod.dll which appeared at the time I ran the dayam file. It also appears dependent on the winlogon service. I have tried using dellater to remove this DLL and even that doesn't work! Tried a batch file to unload the DLL and then immediately delete it before the PC auto shuts down, also no good.... www.diamondcs.com.au/index.php?page=dellater

I'm running out of options now I feel. Is there a way of figuring out what's been put where from viewing the exe with some special tools? I'm concerned as I run a business via this PC so have started to back everything up just in case... I can't even run another HijackThis log now as that keeps getting shut down. The PC appears to be running pretty normal apart from the shutting down of browsers and apps when I try and install them... I'm concerned though at what might be going on in the background that I am not aware of. No unusual processes appear to be running in Task Manager either.. it's as if winlogon and svchost may somehow be involved. Thanks in advance, Dave

Edited by snapperman, 24 February 2007 - 01:11 PM.


#5 LDTate (Forum God, Root Admin, 57,173 posts) - Posted 24 February 2007 - 01:08 PM

Next, launch Notepad (Start>All Programs>Accessories), and copy/paste all of the REGEDIT text below into it. Don't forget to include REGEDIT4.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

; Removes the two Winlogon Notify subkeys that HijackThis lists as O20 entries.
; The subkey name is the part HijackThis prints before the dash (no .dll suffix),
; and the key path contains a space: "Windows NT".

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mwggpsskyaod]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zgvimczvtxnv]


On the desktop, double-click fix.reg and allow it to run. Let it merge.

Run HijackThis. Hit None of the above, click Do a System Scan Only. Put a check in the box on the left side of these:
O20 - Winlogon Notify: mwggpsskyaod - C:\WINDOWS\system32\mwggpsskyaod.dll
O20 - Winlogon Notify: zgvimczvtxnv - C:\WINDOWS\system32\zgvimczvtxnv.dll

Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete these Files if listed:
C:\WINDOWS\system32\mwggpsskyaod.dll
C:\WINDOWS\system32\zgvimczvtxnv.dll




Empty Recycle Bin

Restart your computer.

Now see if you can run the fix I posted before.

If not, post a new HijackThis log.

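Added example, not part of this thread and not code from HijackThis or ComboScan: a small Python triage script that parses the O20 lines from the HijackThis log in post #1 and the "Files created" records from the ComboScan output in post #10, then reports for each Winlogon Notify DLL what the log evidence shows (created within a window before the scan, hidden/system attributes set, and a twin file with identical size and creation time, as with the pair in this thread) and builds a REGEDIT4 script for the flagged subkeys. The scan time is taken from the ComboScan header; the 7-day window is an assumed threshold.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the O20 lines from the HijackThis log in this thread,
# plus one O4 line to show that non-O20 lines are ignored.
HJT_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: mwggpsskyaod - C:\WINDOWS\system32\mwggpsskyaod.dll
O20 - Winlogon Notify: zgvimczvtxnv - C:\WINDOWS\system32\zgvimczvtxnv.dll
"""

# Constructed sample: records copied from the ComboScan "Files created" section.
COMBOSCAN_FILES = r"""
2007-02-24 17:08:34 0 d-------- C:\delete
2007-02-24 14:33:17 60928 -----n--- C:\WINDOWS\system32\MWGGPS~1.DLL
2007-02-23 22:57:06 72704 --a------ C:\WINDOWS\system32\d3acdb.dll
2007-02-23 18:59:42 71223 -rah----- C:\WINDOWS\system32\zgvimczvtxnv.dll
2007-02-23 18:59:42 71223 --a------ C:\WINDOWS\system32\mwggpsskyaod.dll
2007-02-18 21:04:49 50688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
"""

# Scan time from the ComboScan header ("run by Dave on 2007-02-24 at 20:01:42").
SCAN_TIME = datetime(2007, 2, 24, 20, 1, 42)

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.+?)\s*$")
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attrs>\S{9}) (?P<path>.+?)\s*$"
)


def basename(path):
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_o20(text):
    """Map each Winlogon Notify subkey (as HijackThis prints it) to its DLL path."""
    notify = {}
    for line in text.splitlines():
        m = O20_RE.match(line)
        if m:
            notify[m["subkey"]] = m["path"]
    return notify


def parse_files(text):
    """Parse ComboScan file records; directory entries (attrs starting with 'd') are skipped."""
    records = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if not m or m["attrs"].startswith("d"):
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "size": int(m["size"]),
            "attrs": m["attrs"],
            "name": basename(m["path"]),
        })
    return records


def triage(hjt_text, files_text, scan_time=SCAN_TIME, recent_days=7):
    """Return {subkey: [findings]} for every O20 entry.

    Findings: 'recent' (created within recent_days of the scan), 'hidden-attrs'
    (hidden or system attribute set), 'twin:<name>' (another file with the same
    creation time and size), 'no-file-record' (DLL absent from the file list).
    """
    records = parse_files(files_text)
    by_name = {r["name"]: r for r in records}
    findings = {}
    for subkey, dll_path in parse_o20(hjt_text).items():
        flags = []
        rec = by_name.get(basename(dll_path))
        if rec is None:
            flags.append("no-file-record")
        else:
            if scan_time - rec["ts"] <= timedelta(days=recent_days):
                flags.append("recent")
            if "h" in rec["attrs"] or "s" in rec["attrs"]:
                flags.append("hidden-attrs")
            for other in records:
                if other is not rec and (other["ts"], other["size"]) == (rec["ts"], rec["size"]):
                    flags.append("twin:" + other["name"])
        findings[subkey] = flags
    return findings


def removal_reg(subkeys):
    """Build a REGEDIT4 script deleting the given Notify subkeys ('Windows NT' has a space)."""
    base = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
    lines = ["REGEDIT4", ""]
    for subkey in subkeys:
        lines += [f"[-{base}\\{subkey}]", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    result = triage(HJT_LOG, COMBOSCAN_FILES)
    for subkey, flags in result.items():
        print(f"{subkey}: {', '.join(flags) or 'nothing notable'}")
    print(removal_reg([k for k, f in result.items() if f]))
```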


#6 snapperman (New Member, 10 posts) - Posted 24 February 2007 - 01:39 PM

Hi, did the first bit but HijackThis keeps getting closed down within a couple of seconds so I can't run it.. Nightmare!

#7 LDTate (Forum God, Root Admin, 57,173 posts) - Posted 24 February 2007 - 01:45 PM

Open the HijackThis Folder. Find the file HijackThis.exe, Right Click on the file and Select Rename. Rename Hijackthis.exe to Spyware.exe.

Now see if you can Post a new HijackThis Log.



#8 snapperman (New Member, 10 posts) - Posted 24 February 2007 - 01:57 PM

Still the same, sometimes I get halfway through but it then closes. Tried opening 20 web browsers to slow everything down but it doesn't appear to help.. arghhhh

#9 LDTate (Forum God, Root Admin, 57,173 posts) - Posted 24 February 2007 - 01:59 PM

For users running Windows 2000, XP or Vista

Download ComboScan to your Desktop.
  • Close all applications and windows.
  • Double-click on comboscan.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open - ComboScan.txt
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread in the HijackThis Log Help Forum.
  • A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
  • Please attach Supplementary.txt to your post.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

To attach a file to a new post, simply
  • Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  • copy and paste the following into the "Upload File from your Computer" box:

    C:\ComboScan\Supplementary.txt

  • Click Upload.
What ComboScan will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. ComboScan automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.



#10 snapperman (New Member, 10 posts) - Posted 24 February 2007 - 02:12 PM

ComboScan v20070221.16 run by Dave on 2007-02-24 at 20:01:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Restore was disabled; re-enabling.
Failed to create restore point: System Restore is disabled (service is not running).
Performed disk cleanup.


-- HijackThis (run as Dave.exe) -------------------------------------------------

Unable to find log (file not found).

-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\system32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\system32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\system32\NOTEPAD.EXE %1
.js - jsfile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - vbsfile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

2R A4SII300 - C:\WINDOWS\system32\drivers\a4sii300.sys
3R ac97intc (Intel® 82801 Audio Driver Install Service (WDM)) - C:\WINDOWS\system32\drivers\ac97intc.sys
3S AR5211 (Wireless LAN Adapter) - C:\WINDOWS\system32\drivers\ar5211.sys
3S CnxEtP (SAMSUNG AHT-E310 WAN Adapter Filter Driver) - C:\WINDOWS\system32\drivers\CnxEtP.sys
3S CnxEtU (SAMSUNG AHT-E310 Device Driver) - C:\WINDOWS\system32\drivers\CnxEtU.sys
3S CnxTgN (SAMSUNG AHT-E310 WAN Adapter Driver) - C:\WINDOWS\system32\drivers\CnxTgN.sys
3R E100B (Intel® PRO Adapter Driver) - C:\WINDOWS\system32\drivers\e100b325.sys
3S FTD2XX (FTD2XX.SYS FT8U2XX device driver) - C:\WINDOWS\system32\drivers\FTD2XX.sys
3S HCF_MSFT - C:\WINDOWS\system32\drivers\HCF_MSFT.sys
3R HidUsb (Microsoft HID Class Driver) - C:\WINDOWS\system32\drivers\hidusb.sys
1R intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
3S KTC111 (Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver) - C:\WINDOWS\system32\drivers\KTC111.SYS
3R mouhid (Mouse HID Driver) - C:\WINDOWS\system32\drivers\mouhid.sys
3S msloop (Microsoft Loopback Adapter Driver) - C:\WINDOWS\system32\drivers\loop.sys
3R nv - C:\WINDOWS\system32\drivers\nv4_mini.sys
3S nv4 - C:\WINDOWS\system32\drivers\nv4.sys
3S PPDrv (Protector Plus Driver (UnRegistered)) - C:\Program Files\Protector Plus\PPDrv.sys (not found)
0R srescan - C:\WINDOWS\system32\ZoneLabs\srescan.sys
2R tmcomm - C:\WINDOWS\system32\drivers\tmcomm.sys
3R usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys
3S usbscan (USB Scanner Driver) - C:\WINDOWS\system32\drivers\usbscan.sys
3R USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\usbstor.sys
1R vsdatant - C:\WINDOWS\system32\vsdatant.sys
3S Winachcf - C:\WINDOWS\system32\drivers\winachcf.sys
3R KLIF - C:\WINDOWS\system32\drivers\klif.sys
0S kl1 - C:\WINDOWS\system32\Drivers\kl1.sys (not found)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3S Adobe LM Service - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
4S Alerter - C:\WINDOWS\System32\svchost.exe -k LocalService
3R ALG (Application Layer Gateway Service) - C:\WINDOWS\System32\alg.exe
3S AppMgmt (Application Management) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
2R AudioSrv (Windows Audio) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R BITS (Background Intelligent Transfer Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R Browser (Computer Browser) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S cisvc (Indexing Service) - C:\WINDOWS\System32\cisvc.exe
4S ClipSrv (ClipBook) - C:\WINDOWS\system32\clipsrv.exe
3S clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86) - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
3S COMSysApp (COM+ System Application) - C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
2R CryptSvc (Cryptographic Services) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R DcomLaunch (DCOM Server Process Launcher) - C:\WINDOWS\system32\svchost -k DcomLaunch
2R Dhcp (DHCP Client) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S dmadmin (Logical Disk Manager Administrative Service) - C:\WINDOWS\System32\dmadmin.exe /com
2R dmserver (Logical Disk Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R Dnscache (DNS Client) - C:\WINDOWS\System32\svchost.exe -k NetworkService
2R ERSvc (Error Reporting Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R Eventlog (Event Log) - C:\WINDOWS\system32\services.exe
3R EventSystem (COM+ Event System) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S FastUserSwitchingCompatibility (Fast User Switching Compatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2S Fax - C:\WINDOWS\system32\fxssvc.exe
2R helpsvc (Help and Support) - C:\WINDOWS\System32\svchost.exe -k netsvcs
4S HidServ (Human Interface Device Access) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S HTTPFilter (HTTP SSL) - C:\WINDOWS\System32\svchost.exe -k HTTPFilter
2R IISADMIN (IIS Admin) - C:\WINDOWS\system32\inetsrv\inetinfo.exe
3S ImapiService (IMAPI CD-Burning COM Service) - C:\WINDOWS\System32\imapi.exe
2R lanmanserver (Server) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R lanmanworkstation (Workstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R LmHosts (TCP/IP NetBIOS Helper) - C:\WINDOWS\System32\svchost.exe -k LocalService
4S Messenger - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S mnmsrvc (NetMeeting Remote Desktop Sharing) - C:\WINDOWS\System32\mnmsrvc.exe
3S MSDTC (Distributed Transaction Coordinator) - C:\WINDOWS\System32\msdtc.exe
3S MSIServer (Windows Installer) - C:\WINDOWS\system32\msiexec.exe /V
4S NetDDE (Network DDE) - C:\WINDOWS\system32\netdde.exe
4S NetDDEdsdm (Network DDE DSDM) - C:\WINDOWS\system32\netdde.exe
3S Netlogon (Net Logon) - C:\WINDOWS\System32\lsass.exe
3R Netman (Network Connections) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R Nla (Network Location Awareness (NLA)) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S NtLmSsp (NT LM Security Support Provider) - C:\WINDOWS\System32\lsass.exe
3S NtmsSvc (Removable Storage) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R PlugPlay (Plug and Play) - C:\WINDOWS\system32\services.exe
2R PolicyAgent (IPSEC Services) - C:\WINDOWS\System32\lsass.exe
2R ProtectedStorage (Protected Storage) - C:\WINDOWS\system32\lsass.exe
3S RasAuto (Remote Access Auto Connection Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R RasMan (Remote Access Connection Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S RDSessMgr (Remote Desktop Help Session Manager) - C:\WINDOWS\system32\sessmgr.exe
4S RemoteAccess (Routing and Remote Access) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R RemoteRegistry (Remote Registry) - C:\WINDOWS\system32\svchost.exe -k LocalService
3S RpcLocator (Remote Procedure Call (RPC) Locator) - C:\WINDOWS\System32\locator.exe
2R RpcSs (Remote Procedure Call (RPC)) - C:\WINDOWS\system32\svchost -k rpcss
3S RSVP (QoS RSVP) - C:\WINDOWS\System32\rsvp.exe
2R SamSs (Security Accounts Manager) - C:\WINDOWS\system32\lsass.exe
3S SCardSvr (Smart Card) - C:\WINDOWS\System32\SCardSvr.exe
2R Schedule (Task Scheduler) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R seclogon (Secondary Logon) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R SENS (System Event Notification) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R SharedAccess (Windows Firewall/Internet Connection Sharing (ICS)) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R ShellHWDetection (Shell Hardware Detection) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R Spooler (Print Spooler) - C:\WINDOWS\system32\spoolsv.exe
2R srservice (System Restore Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R SSDPSRV (SSDP Discovery Service) - C:\WINDOWS\System32\svchost.exe -k LocalService
2R stisvc (Windows Image Acquisition (WIA)) - C:\WINDOWS\System32\svchost.exe -k imgsvc
3S SwPrv (MS Software Shadow Copy Provider) - C:\WINDOWS\System32\dllhost.exe /Processid:{8617AD26-9569-4C6F-978B-F7F2A3D73432}
3S SysmonLog (Performance Logs and Alerts) - C:\WINDOWS\system32\smlogsvc.exe
3R TapiSrv (Telephony) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3R TermService (Terminal Services) - C:\WINDOWS\System32\svchost -k DComLaunch
2R Themes - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S TlntSvr (Telnet) - C:\WINDOWS\System32\tlntsvr.exe
2R TrkWks (Distributed Link Tracking Client) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\system32\wdfmgr.exe
3S upnphost (Universal Plug and Play Device Host) - C:\WINDOWS\System32\svchost.exe -k LocalService
3S UPS (Uninterruptible Power Supply) - C:\WINDOWS\System32\ups.exe
3S usnjsvc (Messenger Sharing Folders USN Journal Reader service) - "C:\Program Files\MSN Messenger\usnsvc.exe"
2S vsmon (TrueVector Internet Monitor) - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
3S VSS (Volume Shadow Copy) - C:\WINDOWS\System32\vssvc.exe
2R W32Time (Windows Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R W3SVC (World Wide Web Publishing) - C:\WINDOWS\system32\inetsrv\inetinfo.exe
2R WebClient - C:\WINDOWS\System32\svchost.exe -k LocalService
2R winmgmt (Windows Management Instrumentation) - C:\WINDOWS\system32\svchost.exe -k netsvcs
3S WmdmPmSN (Portable Media Serial Number Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S Wmi (Windows Management Instrumentation Driver Extensions) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S WmiApSrv (WMI Performance Adapter) - C:\WINDOWS\System32\wbem\wmiapsrv.exe
2R wscsvc (Security Center) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R wuauserv (Automatic Updates) - C:\WINDOWS\system32\svchost.exe -k netsvcs
2R WZCSVC (Wireless Zero Configuration) - C:\WINDOWS\System32\svchost.exe -k netsvcs
3S xmlprov (Network Provisioning Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs


-- Files created between 2007-01-24 and 2007-02-24 ------------------------------

2007-02-24 19:42:11 4896 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-02-24 19:42:11 218656 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-02-24 17:09:20 2560 --a------ C:\WINDOWS\system32\dellater.exe
2007-02-24 17:08:34 0 d-------- C:\delete
2007-02-24 16:54:07 0 d-------- C:\VundoFix Backups
2007-02-24 16:11:51 0 d-------- C:\Documents and Settings\Administrator\Application Data\MailFrontier
2007-02-24 14:33:17 60928 -----n--- C:\WINDOWS\system32\MWGGPS~1.DLL
2007-02-24 12:18:01 0 d-------- C:\sreng
2007-02-24 12:13:22 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-02-24 09:00:45 0 d-------- C:\!KillBox
2007-02-24 08:41:20 0 d-------- C:\Documents and Settings\Dave\Application Data\MailFrontier
2007-02-24 08:29:07 0 d-------- C:\Program Files\Remove on Reboot
2007-02-24 08:24:08 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-02-24 08:23:52 75512 --a------ C:\WINDOWS\zllsputility.exe
2007-02-24 08:23:51 11264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-02-24 08:23:27 1087216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-02-24 08:23:27 0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-02-24 08:14:27 0 d-------- C:\dodgy files
2007-02-23 22:57:06 72704 --a------ C:\WINDOWS\system32\d3acdb.dll
2007-02-23 21:41:45 0 d-------- C:\testss
2007-02-23 20:44:12 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-02-23 20:43:06 0 d-------- C:\Documents and Settings\Dave\.housecall6.6
2007-02-23 18:59:42 71223 -rah----- C:\WINDOWS\system32\zgvimczvtxnv.dll
2007-02-23 18:59:42 71223 --a------ C:\WINDOWS\system32\mwggpsskyaod.dll
2007-02-23 18:15:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-02-20 22:06:27 0 d-------- C:\Program Files\AAALOGO
2007-02-18 22:29:04 0 d-------- C:\Program Files\Nokia
2007-02-18 21:10:33 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2007-02-18 21:04:49 50688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-02-11 09:11:39 0 d-------- C:\Program Files\Win Web Crawler 2.0
2007-02-11 09:00:56 0 d-------- C:\Program Files\Meta Maker Wizard 2
2007-02-11 09:00:50 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-02-11 09:00:50 249856 -----n--- C:\WINDOWS\Setup1.exe
2007-02-07 18:11:15 0 d-------- C:\Program Files\IrfanView
2007-02-07 17:58:35 0 d-------- C:\Program Files\ClicPic


-- Find3M Report ----------------------------------------------------------------

2007-02-24 18:42:23 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-02-24 12:42:42 2 --a------ C:\AutoExec.Bat
2007-02-24 10:10:53 0 d-------- C:\Program Files\Mozilla Firefox
2007-02-24 10:03:32 0 d-------- C:\Program Files\Trojan Guarder
2007-02-24 09:38:11 0 d-------- C:\Program Files\PartyPoker
2007-02-23 19:33:40 0 d-------- C:\Program Files\Kontiki
2007-02-18 23:11:46 0 d-------- C:\Documents and Settings\Dave\Application Data\Nokia
2007-02-18 21:02:58 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-06 18:19:58 17186 --a------ C:\Documents and Settings\Dave\Application Data\.googlewebacchosts
2007-01-22 18:13:31 0 d-------- C:\Documents and Settings\Dave\Application Data\Avant Browser<AVANTB~1>
2007-01-19 23:35:59 0 d-------- C:\Program Files\PokerStars
2007-01-15 18:49:20 438272 --a------ C:\WINDOWS\system32\acebitaw.dll
2007-01-13 11:51:51 0 d-------- C:\Program Files\EmpirePokerMaster
2007-01-10 14:19:58 0 d-------- C:\Documents and Settings\Dave\Application Data\AdobeUM
2006-12-29 17:32:51 0 d-------- C:\Program Files\PartyGaming
2006-12-28 09:26:10 0 d-------- C:\Program Files\MSN Messenger
2006-12-07 06:40:49 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-03 11:04:06 48424 --a------ C:\WINDOWS\system32\sirenacm.dll


-- Registry Dump ----------------------------------------------------------------


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"EPSON Stylus C46 Series on p4 (from LAPTOP)"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0T1.EXE /P43 \"EPSON Stylus C46 Series on p4 (from LAPTOP)\" /O5 \"TS002\" /M \"Stylus C46\""
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Google Updater.lnk"
"backup"="C:\\WINDOWS\\pss\\Google Updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Google\\Google Updater\\1.1.433.23491\\GoogleUpdater.exe -systray -startup"
"item"="Google Updater"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~3\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Windows Desktop Search.lnk"
"backup"="C:\\WINDOWS\\pss\\Windows Desktop Search.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Program Files\\MSN Toolbar Suite\\DS\\02.05.0001.1119\\en-us\\bin\\WindowsSearch.exe /startup"
"item"="Windows Desktop Search"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dave^Start Menu^Programs^Startup^IG Index - Financial Spread Betting.url]
"path"="C:\\Documents and Settings\\Dave\\Start Menu\\Programs\\Startup\\IG Index - Financial Spread Betting.url"
"backup"="C:\\WINDOWS\\pss\\IG Index - Financial Spread Betting.urlStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Dave\\Start Menu\\Programs\\Startup\\IG Index - Financial Spread Betting.url"
"item"="IG Index - Financial Spread Betting"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dave^Start Menu^Programs^Startup^NewsNow Business & Finance.url]
"path"="C:\\Documents and Settings\\Dave\\Start Menu\\Programs\\Startup\\NewsNow Business & Finance.url"
"backup"="C:\\WINDOWS\\pss\\NewsNow Business & Finance.urlStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Dave\\Start Menu\\Programs\\Startup\\NewsNow Business & Finance.url"
"item"="NewsNow Business & Finance"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dave^Start Menu^Programs^Startup^Shortcut to analyses.lnk]
"path"="C:\\Documents and Settings\\Dave\\Start Menu\\Programs\\Startup\\Shortcut to analyses.lnk"
"backup"="C:\\WINDOWS\\pss\\Shortcut to analyses.lnkStartup"
"location"="Startup"
"command"="C:\\testss\\analyses.exe "
"item"="Shortcut to analyses"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="; C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C46 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_S4I0T1"
"hkey"="HKLM"
"command"="; C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0T1.EXE /P23 \"EPSON Stylus C46 Series\" /O6 \"USB001\" /M \"Stylus C46\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C46 Series (Copy 1)]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_S4I0T1"
"hkey"="HKLM"
"command"="; C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0T1.EXE /P32 \"EPSON Stylus C46 Series (Copy 1)\" /O6 \"USB001\" /M \"Stylus C46\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKLM"
"command"="; \"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft NetMeeting]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="conf"
"hkey"="HKCU"
"command"="; \"C:\\Program Files\\NetMeeting\\conf.exe\" -Background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PicasaMediaDetector"
"hkey"="HKLM"
"command"="; C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="; \"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="smc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TeaTimer"
"hkey"="HKCU"
"command"="; C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="; C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="; \"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zlclient"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{2188CEDE-B239-484C-8EA6-B84DC1001001}"="mwggpsskyaod"
"{CEDE2188-484C-B239-A68E-DC1B84001001}"="zgvimczvtxnv"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowCpl]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\RestrictCpl]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\RestrictRun]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mwggpsskyaod
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zgvimczvtxnv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of ComboScan: finished at 2007-02-24 at 20:05:11 -------------------------




Can't find the attach option, I'm afraid, so copied supplementary.txt below.. Thanks for your help, really appreciate it...

ComboScan v20070221.16 run by Dave on 2007-02-24 at 20:01:42
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information -----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.00GHz
Percentage of Memory in Use: 37%
Physical Memory (total/avail): 767.42 MiB / 482.46 MiB
Pagefile Memory (total/avail): 1877.15 MiB / 1678.26 MiB
Virtual Memory (total/avail): 2047.88 MiB / 2000.61 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 18.64 GiB total, 2.55 GiB free.
D: is CDROM (No Media)
E: is Removable (FAT)


-- Security Center --------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: ZoneAlarm Security Suite Firewall v7.0.302.000 (Check Point, LTD.) Disabled
AV: ZoneAlarm Security Suite Antivirus v7.0.302.000 (Check Point, LTD.) Disabled


-- Environment Variables --------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Dave\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=P4
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Dave
LOGONSERVER=\\P4
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Perl\bin\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Dave\LOCALS~1\Temp
TMP=C:\DOCUME~1\Dave\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=P4
USERNAME=Dave
USERPROFILE=C:\Documents and Settings\Dave
windir=C:\WINDOWS


-- User Profiles ----------------------------------------------------------------

Dave (admin)
Topfurniture (admin)
Administrator (admin)


-- Add/Remove Programs ----------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AAA Logo 1.2 --> "C:\Program Files\AAALOGO\unins000.exe"
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\Ad-Aware SE Personal\UNWISE.EXE C:\PROGRA~1\Lavasoft\Ad-Aware SE Personal\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.0.5 Language Support --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7050000000A7}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Auction Sentry --> MsiExec.exe /X{DF29A0E2-DF76-4932-98A9-34B441F40486}
Avant Browser (remove only) --> "C:\Program Files\Avant Browser\uninst.exe"
Color Cop v5.3 --> "C:\Program Files\ColorCop\unins000.exe"
E*TRADE online trading 1.1 --> C:\PROGRA~1\ETRADE\CLIENT~1\UNWISE.EXE C:\PROGRA~1\ETRADE\CLIENT~1\INSTALL.LOG
E*TRADE online trading 1.2 --> C:\PROGRA~1\ETRADE\CLIENT~1\UNWISE.EXE C:\PROGRA~1\ETRADE\CLIENT~1\INSTALL.LOG
EmpirePoker --> "C:\Program Files\EmpirePokerMaster\EmpirePoker\Uninstall.exe" "C:\Program Files\EmpirePokerMaster\EmpirePoker\install.log"
EPSON PhotoQuicker3.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{65F5B7AF-3363-11D7-BB6B-00018021113F}\SETUP.EXE" -l0x9 uninst
EPSON PRINT Image Framer Tool2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23B59ED4-C360-11D7-875B-0090CC005647}\SETUP.EXE" -l0x9 anything
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Web-To-Page --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\SETUP.EXE" -l0x9 -anything
ESC46 Reference Guide --> C:\Program Files\EPSON\TPMANUAL\ESC46\REF_G\DOCUNINS.EXE
ESC46 Software Guide --> C:\Program Files\EPSON\TPMANUAL\ESC46\PQU_G\DOCUNINS.EXE
ETRADE Professional 1.2 --> C:\PROGRA~1\EtradeUK\CLIENT~1\UNWISE.EXE C:\PROGRA~1\EtradeUK\CLIENT~1\INSTALL.LOG
Firehand Ember Pro --> C:\PROGRA~1\FIREHA~1\Ember\EmberUninstall\UNWISE.EXE C:\PROGRA~1\FIREHA~1\Ember\EmberUninstall\install.log
Google Pack Screensaver --> C:\WINDOWS\Google Pack Screensaver Uninstaller.exe
Google Toolbar for Firefox --> MsiExec.exe /X{AA345678-12B4-1C34-12D4-12345678FFEE}
Google Updater --> "C:\Program Files\Google\Google Updater\1.1.433.23491\GoogleUpdater.exe" -uninstall
Hello Engines! Standard 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51974F4F-7A40-48AE-99B8-243F34F17884}\setup.exe" -l0x9 -removeonly
HijackThis 1.99.1 --> C:\testss\HijackThis.exe /uninstall
Installation Tools for ScanMagic Scanner --> C:\WINDOWS\TWAIN_32\A4S2_32\UNWISE.EXE C:\WINDOWS\TWAIN_32\A4S2_32\INSTALL.LOG
Intel® PRO Network Connections Drivers --> Prounstl.exe
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
J2SE Runtime Environment 5.0 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150050}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Klick Photopoint Online Print Wizard --> C:\PROGRA~1\Klick Photopoint\UNWISE.EXE C:\PROGRA~1\Klick Photopoint\INSTALL.LOG
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\Shockwave 10\UNWISE.EXE C:\WINDOWS\system32\Macromed\Shockwave 10\Install.log
MailFrontier Desktop --> C:\PROGRA~1\Zone Labs\ZoneAlarm\MailFrontier\UNWISE.EXE C:\PROGRA~1\Zone Labs\ZoneAlarm\MailFrontier\INSTMLF.LOG
Meta Maker Wizard 2.2 --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Meta Maker Wizard 2\ST6UNST.LOG"
Microsoft AutoRoute 2001 --> MsiExec.exe /I{4D719053-5593-11D3-8F25-0060085C1758}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Mozilla Firefox (2.0.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nikon Message Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\Setup.exe" -l0x9 UNINSTALL
Nokia Connectivity Cable Driver --> MsiExec.exe /X{0FF1922C-B6C4-40BB-AF30-BEF75A482444}
Optimize Memory for Windows --> C:\PROGRA~1\Advanced Searchbar\Optimize Memory\UNWISE.EXE /A C:\PROGRA~1\Advanced Searchbar\Optimize Memory\INSTALL.LOG
Pdf995 --> C:\Program Files\pdf995\setup.exe uninstall
Peter's XML Editor --> MsiExec.exe /I{5E770B51-820C-402E-8569-E02D12C212D2}
PictureProject --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF3999BE-1A7B-4738-88AA-97BF14094A4A}\Setup.exe" -l0x9 UNINSTALL
PokerStars --> C:\Program Files\PokerStars\Uninstall.EXE /u:"PokerStars"
Quick Screenshot Maker 2.1 --> "C:\Program Files\Quick Screenshot Maker\unins000.exe"
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Remove on Reboot Shell Extension --> "C:\Program Files\Remove on Reboot\unins000.exe"
RoadAngel 2 - UK --> MsiExec.exe /X{81A661FA-55C8-4B21-902D-BE236B439A83}
RoadAngel II USB Drivers --> C:\WINDOWS\system32\FTD2XXUN.exe C:\WINDOWS\system32\FTD2XXUN.INI
SAMSUNG AHT-E310 WAN Adapter --> C:\Program Files\SAMSUNG\SAMSUNG AHT-E310\CnxUnist.exe -w7 AccessRunner ADSL
Skype 1.4 --> "C:\Program Files\Skype\Phone\unins000.exe"
SnipeRight --> C:\Program Files\SnipeRight\UnInstall_22755.exe
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Terminal Services Web Client --> rundll32 advpack.dll,LaunchINFSection C:\Windows\Web\TSWeb\setup.inf,DefaultUninstall,,
Turbo Lister 2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\Intel 32\IDriver.exe /M{69640730-B830-4C24-BB5C-222DA1260548}
uninstall --> "C:\Program Files\Dynamic\Dynamic Submission V7\unins000.exe"
Win Web Crawler 2.0 --> "C:\Program Files\Win Web Crawler 2.0\unins000.exe"
Windows Live Messenger --> MsiExec.exe /I{D900E12F-DC9F-437B-8E63-5E8D781A06B5}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
ZoneAlarm Security Suite --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- End of ComboScan: finished at 2007-02-24 at 20:05:11 -------------------------



#11 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,173 posts

Posted 24 February 2007 - 02:55 PM

Next, launch Notepad (Start>All Programs>Accessories), and copy/paste all the BOLD REGEDIT below to it. Don't forget to include REGEDIT4.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowCpl]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\RestrictCpl]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\RestrictRun]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mwggpsskyaod]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zgvimczvtxnv]


On the desktop, doubleclick fix.reg and allow it to run. Let it merge.



Delete these Files if listed:
C:\WINDOWS\system32\zgvimczvtxnv.dll
C:\WINDOWS\system32\mwggpsskyaod.dll




Empty Recycle Bin

Restart your computer.

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days


Proud graduate of TC/WTT Classroom
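As an added example (not from the thread, the helper, or ComboScan), a small Python triage script that reads a dump in ComboScan's Registry Dump layout and flags the persistence entries the fix above targets: Winlogon\Notify handlers outside a stock XP baseline, SharedTaskScheduler entries, and the Explorer Disallow*/Restrict* policy keys, then correlates module names that turn up in more than one location. The baseline name lists are my assumption of Windows XP SP2 defaults, and the sample dump is constructed from the entries posted in this thread.

```python
"""Triage a ComboScan-style registry dump for the persistence entries the
fix above targets. Added example; not part of the thread or of ComboScan."""
import re
from collections import defaultdict

# Constructed excerpt in ComboScan's Registry Dump layout; the entries are the
# ones posted in this thread.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{2188CEDE-B239-484C-8EA6-B84DC1001001}"="mwggpsskyaod"
"{CEDE2188-484C-B239-A68E-DC1B84001001}"="zgvimczvtxnv"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\DisallowRun]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mwggpsskyaod
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zgvimczvtxnv
"""

# Baselines (assumption: default handlers on a stock Windows XP SP2 install).
# A name outside the baseline means "review it", not "malicious".
XP_NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                      "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
XP_STS_BASELINE = {"browseui preloader", "component categories cache daemon"}
RESTRICT_POLICIES = {"disallowrun", "disallowcpl", "restrictrun", "restrictcpl"}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# ComboScan prints Winlogon\Notify subkeys as bare key paths, not [sections].
NOTIFY_RE = re.compile(
    r"^hkey_local_machine\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\(?P<name>\S+)$")


def parse_dump(text):
    """Return (sections, notify): sections maps a lower-cased key path to its
    {value_name: data} dict; notify lists Winlogon\\Notify subkey names."""
    sections, notify, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, {})
            continue
        m = NOTIFY_RE.match(line.lower())
        if m:
            notify.append(m.group("name"))
            current = None
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data").strip()
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            sections[current][m.group("name")] = data
    return sections, notify


def triage(text):
    """Return sorted (category, location, detail) tuples for entries to review."""
    sections, notify = parse_dump(text)
    findings = []
    seen = defaultdict(set)  # module name -> persistence locations using it

    for name in notify:
        if name not in XP_NOTIFY_BASELINE:
            findings.append(("winlogon-notify", name,
                             "Winlogon notification DLL outside XP baseline"))
            seen[name].add("winlogon-notify")

    for key, values in sections.items():
        leaf = key.rsplit("\\", 1)[-1]
        if leaf == "sharedtaskscheduler":
            for clsid, module in values.items():
                if module.lower() not in XP_STS_BASELINE:
                    findings.append(("sharedtaskscheduler", clsid,
                                     f"loads '{module}' into Explorer at logon"))
                    seen[module.lower()].add("sharedtaskscheduler")
        elif leaf in RESTRICT_POLICIES and "policies\\explorer" in key:
            findings.append(("explorer-policy", key,
                             "program/Control Panel restriction policy key present"))

    # The same module registered in two autostart locations is the strongest signal.
    for name, where in seen.items():
        if len(where) > 1:
            findings.append(("correlated", name,
                             "same module registered in " + ", ".join(sorted(where))))
    return sorted(findings)


if __name__ == "__main__":
    for category, where, detail in triage(SAMPLE_DUMP):
        print(f"[{category}] {where}: {detail}")
```

Run it against the dump posted after the fix to see whether the two Notify entries and their SharedTaskScheduler CLSIDs are still registered after the reboot.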

 


#12 snapperman

snapperman

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 24 February 2007 - 04:02 PM

Still can't delete the files, in use..... Made the changes to the registry and rebooted and then ran this scan again. PC is running fine to be honest but can't install things and when I do some searches on the net the browser closes down... There are no services chewing up memory or anything like that.. I also have Zone Alarm as well as a hardware router which is probably helping too.... Makes me wonder if some real thought has gone in behind whoever created this... just concerned as to what's going on in the background though as it appears more clever than anything I have seen before... I'm happy to send the original file that infected the PC if it's of any help? Doesn't come up on Google so looks very new to me....

ComboScan v20070221.16 run by Dave on 2007-02-24 at 21:50:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Dave.exe) -------------------------------------------------

Unable to find log (file not found).


-- Files created between 2007-01-24 and 2007-02-24 ------------------------------

2007-02-24 19:42:11 7200 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-02-24 19:42:11 326176 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-02-24 17:09:20 2560 --a------ C:\WINDOWS\system32\dellater.exe
2007-02-24 17:08:34 0 d-------- C:\delete
2007-02-24 16:54:07 0 d-------- C:\VundoFix Backups
2007-02-24 16:11:51 0 d-------- C:\Documents and Settings\Administrator\Application Data\MailFrontier
2007-02-24 14:33:17 60928 -----n--- C:\WINDOWS\system32\MWGGPS~1.DLL
2007-02-24 12:18:01 0 d-------- C:\sreng
2007-02-24 12:13:22 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-02-24 09:00:45 0 d-------- C:\!KillBox
2007-02-24 08:41:20 0 d-------- C:\Documents and Settings\Dave\Application Data\MailFrontier
2007-02-24 08:29:07 0 d-------- C:\Program Files\Remove on Reboot
2007-02-24 08:24:08 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-02-24 08:23:52 75512 --a------ C:\WINDOWS\zllsputility.exe
2007-02-24 08:23:51 11264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-02-24 08:23:27 1087216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-02-24 08:23:27 0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-02-24 08:14:27 0 d-------- C:\dodgy files
2007-02-23 22:57:06 72704 --a------ C:\WINDOWS\system32\d3acdb.dll
2007-02-23 21:41:45 0 d-------- C:\testss
2007-02-23 20:44:12 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-02-23 20:43:06 0 d-------- C:\Documents and Settings\Dave\.housecall6.6
2007-02-23 18:59:42 71223 --a------ C:\WINDOWS\system32\zgvimczvtxnv.dll
2007-02-23 18:59:42 71223 --a------ C:\WINDOWS\system32\mwggpsskyaod.dll
2007-02-23 18:15:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-02-20 22:06:27 0 d-------- C:\Program Files\AAALOGO
2007-02-18 22:29:04 0 d-------- C:\Program Files\Nokia
2007-02-18 21:10:33 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2007-02-18 21:04:49 50688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-02-11 09:11:39 0 d-------- C:\Program Files\Win Web Crawler 2.0
2007-02-11 09:00:56 0 d-------- C:\Program Files\Meta Maker Wizard 2
2007-02-11 09:00:50 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-02-11 09:00:50 249856 -----n--- C:\WINDOWS\Setup1.exe
2007-02-07 18:11:15 0 d-------- C:\Program Files\IrfanView
2007-02-07 17:58:35 0 d-------- C:\Program Files\ClicPic


-- Find3M Report ----------------------------------------------------------------

2007-02-24 18:42:23 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-02-24 12:42:42 2 --a------ C:\AutoExec.Bat
2007-02-24 10:10:53 0 d-------- C:\Program Files\Mozilla Firefox
2007-02-24 10:03:32 0 d-------- C:\Program Files\Trojan Guarder
2007-02-24 09:38:11 0 d-------- C:\Program Files\PartyPoker
2007-02-23 19:33:40 0 d-------- C:\Program Files\Kontiki
2007-02-18 23:11:46 0 d-------- C:\Documents and Settings\Dave\Application Data\Nokia
2007-02-18 21:02:58 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-06 18:19:58 17186 --a------ C:\Documents and Settings\Dave\Application Data\.googlewebacchosts
2007-01-22 18:13:31 0 d-------- C:\Documents and Settings\Dave\Application Data\Avant Browser<AVANTB~1>
2007-01-19 23:35:59 0 d-------- C:\Program Files\PokerStars
2007-01-15 18:49:20 438272 --a------ C:\WINDOWS\system32\acebitaw.dll
2007-01-13 11:51:51 0 d-------- C:\Program Files\EmpirePokerMaster
2007-01-10 14:19:58 0 d-------- C:\Documents and Settings\Dave\Application Data\AdobeUM
2006-12-29 17:32:51 0 d-------- C:\Program Files\PartyGaming
2006-12-28 09:26:10 0 d-------- C:\Program Files\MSN Messenger
2006-12-07 06:40:49 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-03 11:04:06 48424 --a------ C:\WINDOWS\system32\sirenacm.dll


-- Registry Dump ----------------------------------------------------------------

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"EPSON Stylus C46 Series on p4 (from LAPTOP)"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0T1.EXE /P43 \"EPSON Stylus C46 Series on p4 (from LAPTOP)\" /O5 \"TS002\" /M \"Stylus C46\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Google Updater.lnk"
"backup"="C:\\WINDOWS\\pss\\Google Updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Google\\Google Updater\\1.1.433.23491\\GoogleUpdater.exe -systray -startup"
"item"="Google Updater"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~3\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Windows Desktop Search.lnk"
"backup"="C:\\WINDOWS\\pss\\Windows Desktop Search.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Program Files\\MSN Toolbar Suite\\DS\\02.05.0001.1119\\en-us\\bin\\WindowsSearch.exe /startup"
"item"="Windows Desktop Search"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dave^Start Menu^Programs^Startup^IG Index - Financial Spread Betting.url]
"path"="C:\\Documents and Settings\\Dave\\Start Menu\\Programs\\Startup\\IG Index - Financial Spread Betting.url"
"backup"="C:\\WINDOWS\\pss\\IG Index - Financial Spread Betting.urlStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Dave\\Start Menu\\Programs\\Startup\\IG Index - Financial Spread Betting.url"
"item"="IG Index - Financial Spread Betting"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dave^Start Menu^Programs^Startup^NewsNow Business & Finance.url]
"path"="C:\\Documents and Settings\\Dave\\Start Menu\\Programs\\Startup\\NewsNow Business & Finance.url"
"backup"="C:\\WINDOWS\\pss\\NewsNow Business & Finance.urlStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Dave\\Start Menu\\Programs\\Startup\\NewsNow Business & Finance.url"
"item"="NewsNow Business & Finance"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dave^Start Menu^Programs^Startup^Shortcut to analyses.lnk]
"path"="C:\\Documents and Settings\\Dave\\Start Menu\\Programs\\Startup\\Shortcut to analyses.lnk"
"backup"="C:\\WINDOWS\\pss\\Shortcut to analyses.lnkStartup"
"location"="Startup"
"command"="C:\\testss\\analyses.exe "
"item"="Shortcut to analyses"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="; C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C46 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_S4I0T1"
"hkey"="HKLM"
"command"="; C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0T1.EXE /P23 \"EPSON Stylus C46 Series\" /O6 \"USB001\" /M \"Stylus C46\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C46 Series (Copy 1)]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_S4I0T1"
"hkey"="HKLM"
"command"="; C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0T1.EXE /P32 \"EPSON Stylus C46 Series (Copy 1)\" /O6 \"USB001\" /M \"Stylus C46\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKLM"
"command"="; \"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft NetMeeting]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="conf"
"hkey"="HKCU"
"command"="; \"C:\\Program Files\\NetMeeting\\conf.exe\" -Background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PicasaMediaDetector"
"hkey"="HKLM"
"command"="; C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="; \"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="smc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TeaTimer"
"hkey"="HKCU"
"command"="; C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="; C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="; \"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zlclient"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{2188CEDE-B239-484C-8EA6-B84DC1001001}"="mwggpsskyaod"
"{CEDE2188-484C-B239-A68E-DC1B84001001}"="zgvimczvtxnv"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"=dword:00000000

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mwggpsskyaod
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\zgvimczvtxnv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of ComboScan: finished at 2007-02-24 at 21:55:40 -------------------------

#13 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,173 posts

Posted 24 February 2007 - 04:15 PM

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

(original file that infected)

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If Jotti is too busy you can try these.

http://www.kaspersky...anforvirus.html


http://www.virustota.../en/indexf.html



Next, launch Notepad (Start>All Programs>Accessories), and copy/paste all the BOLD REGEDIT below to it. Don't forget to include REGEDIT4.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mwggpsskyaod]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zgvimczvtxnv]

Make sure there's a blank line after the last entry.

On the desktop, double-click fixme.reg and allow it to run. Let it merge.



Download Avenger by Swandog, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).
http://swandog46.gee...com/avenger.zip


Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.

Click Format, and ensure Word Wrap is unchecked.

Copy and Paste all the text inside the box below into Notepad.

Now save the file as RemoveFiles.txt in a location where you can find it.



Files to delete:
C:\WINDOWS\system32\zgvimczvtxnv.dll
C:\WINDOWS\system32\mwggpsskyaod.dll


Start Avenger by double clicking on Avenger.exe.

Check Load script from file:

Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.

Double click it to enter it into Avenger.

Click the green traffic light symbol.

You will be asked if you want to execute the script, answer Yes.

At this point you may get prompts from your protection systems, allow them please.

Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.

Answer Yes, and allow your computer to re-boot.

Upon re-boot a command window will briefly appear on screen (this is normal).

A Notepad text file will be created C:\avenger.txt.

Copy and Paste it into your next post please, along with a new HJT log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

Proud graduate of TC/WTT Classroom


#14 snapperman

snapperman

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 24 February 2007 - 04:47 PM

Jotti results below, the rest will follow...

Scanner results
Scan taken on 24 Feb 2007 22:39:05 (GMT)

AntiVir Found TR/Delphi.Downloader.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Downloader.Agent.AXO
ClamAV Found nothing
Dr.Web Found DLOADER.Trojan (probable variant)
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing

#15 snapperman

snapperman

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 24 February 2007 - 05:04 PM

You are amazing, looks like the ba**erds got deleted... I can also run HijackThis now.. phewwwwwwwwwwwwwwww.....

This bit is from the first DOS window...

The system cannot find the file specified.
Could Not Find C:\avenger\*.reg
1 file(s) copied.
zip warning: C:/backup.zip not found or empty
adding: avenger/avenger.txt (188 bytes security) (deflated 67%)
adding: avenger/backup.reg (188 bytes security) (stored 0%)
adding: avenger/mwggpsskyaod.dll (212 bytes security) (deflated 4%)
adding: avenger/zgvimczvtxnv.dll (212 bytes security) (deflated 4%)
C:\backup.zip
Could Not Find C:\avexport.bat
Could Not Find C:\reboot.exe
Could Not Find C:\reboot.bat

then this text output...

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\edexpcsf

*******************

Script file located at: \??\C:\WINDOWS\system32\etirievq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\zgvimczvtxnv.dll deleted successfully.
File C:\WINDOWS\system32\mwggpsskyaod.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


HijackThis log below... let me know if any need checking and fixing.... Thanks again.. you certainly know your stuff.....

Logfile of HijackThis v1.99.1
Scan saved at 23:02:37, on 24/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\testss\spyware.exe
C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus C46 Series on p4 (from LAPTOP)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P43 "EPSON Stylus C46 Series on p4 (from LAPTOP)" /O5 "TS002" /M "Stylus C46"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ADVFN 4v4 -
O16 - DPF: ADVFN US -
O16 - DPF: {3CA15C82-6297-11D6-B8FA-00C04F5E375A} (BridgeChannel v3) -
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://etrade.webex...bex/ieatgpc.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.1.0168.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.1.0168.00.dll
O20 - Winlogon Notify: mwggpsskyaod - C:\WINDOWS\system32\mwggpsskyaod.dll (file missing)
O20 - Winlogon Notify: zgvimczvtxnv - C:\WINDOWS\system32\zgvimczvtxnv.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
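The two O20 lines in the log above are the point worth understanding: Avenger deleted the DLLs, but the Winlogon\Notify subkeys that loaded them into winlogon.exe at every logon are still registered, which is why HijackThis reports them as "(file missing)". As an added illustration (not part of this thread, and not a tool the helpers here used), here is a small Python checker that runs over HijackThis 1.99.1-style lines like the ones above and flags the patterns this thread turns on: orphaned Winlogon Notify keys, random-looking Notify names, browser objects whose file is gone, O16 download entries with no source, and processes running from outside the Windows and Program Files trees. The sample log is constructed from a few of the lines above (the O16 download URL is a placeholder, since the thread's copy is truncated); the vowel-ratio test for random-looking names is my own heuristic, not a HijackThis rule.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a few HijackThis 1.99.1-style lines modelled on the log
# above (the O16 download URL is a placeholder, not the one from the thread).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\testss\spyware.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://example.invalid/ieatgpc.cab
O20 - Winlogon Notify: mwggpsskyaod - C:\WINDOWS\system32\mwggpsskyaod.dll (file missing)
O20 - Winlogon Notify: zgvimczvtxnv - C:\WINDOWS\system32\zgvimczvtxnv.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Finding:
    section: str   # HJT section (O2, O16, O20, ...) or "process"
    severity: str  # "high" = persistence mechanism, "low" = clutter worth a look
    name: str
    reason: str


# "O20 - Winlogon Notify: name - path" -> section, kind, rest
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# Directories a stock XP box legitimately runs binaries from (assumption for the demo)
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Heuristic, not a HijackThis rule: a long, all-lowercase, letters-only name
    with very few vowels (mwggpsskyaod, zgvimczvtxnv) is unlikely to be a product name."""
    if len(name) < 10 or not name.isalpha() or not name.islower():
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    return vowel_ratio < 0.25


def analyse_hjt(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        # Process list: anything not under Windows or Program Files deserves a look.
        if re.match(r"^[A-Za-z]:\\", line) and line.lower().endswith(".exe"):
            if not line.lower().startswith(EXPECTED_PREFIXES):
                findings.append(Finding("process", "low", line, "running from an unusual directory"))
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        section, _kind, rest = m.groups()
        if section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at logon; an entry whose
            # file is gone is an orphaned persistence key that still needs removing.
            name, _, path = rest.partition(" - ")
            if "(file missing)" in path:
                findings.append(Finding(section, "high", name, "Winlogon Notify DLL deleted but registry key remains"))
            elif looks_random(name):
                findings.append(Finding(section, "high", name, "Winlogon Notify entry with a random-looking name"))
        elif section in ("O2", "O3", "O9") and rest.endswith(("(no file)", "(file missing)")):
            name = rest.split(" - ")[0]
            findings.append(Finding(section, "low", name, "registered browser object whose file is gone"))
        elif section == "O16" and rest.endswith(" -"):
            name = rest[:-2].strip()
            findings.append(Finding(section, "low", name, "ActiveX download entry with no source URL"))
    return findings


if __name__ == "__main__":
    for f in analyse_hjt(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section:8} {f.name}: {f.reason}")
```

On the constructed sample this reports the two Notify entries as high, and the orphaned BHO, the empty O16 entry and C:\testss\spyware.exe as low; the crypt32chain entry passes because its name contains digits and its file is present. The "high" findings are exactly the ones a REGEDIT4 file with `[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<name>]` lines would clear; the "low" ones are housekeeping.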
