8 replies to this topic

[patrickvols]

I run Hijackthis and delete files, but one I cannot delete. ..... dkdkdkd.dll


Logfile of HijackThis v1.99.1
Scan saved at 10:43:22 PM, on 3/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {03686C8A-1562-43DC-A900-1AA0648A54F4} - C:\WINNT\system32\dkdkdkd.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATI DeviceDetect] "C:\Program Files\ATI Multimedia\main\ATIDtct.EXE"
O4 - HKLM\..\Run: [D-Link AirPlus G] "C:\Program Files\D-Link\AirPlus G\AirGCFG.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] "C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [system spool] C:\WINNT\system32\syspools.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\ATI HydraVision\HydraMD.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe"
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINNT\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O20 - Winlogon Notify: lmvyuwlg - C:\WINNT\SYSTEM32\dkdkdkd.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe


Help please.

[Shaba]

Hi patrickvols

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.
• Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Post:

- a fresh HijackThis log
- vundofix report
- sdfix report

[patrickvols]

Shaba,

Thanks. Here is are the reports.

Logfile of HijackThis v1.99.1
Scan saved at 10:45:55 PM, on 3/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wdfmgr.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\alg.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {03686C8A-1562-43DC-A900-1AA0648A54F4} - C:\WINNT\system32\dkdkdkd.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATI DeviceDetect] "C:\Program Files\ATI Multimedia\main\ATIDtct.EXE"
O4 - HKLM\..\Run: [D-Link AirPlus G] "C:\Program Files\D-Link\AirPlus G\AirGCFG.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] "C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\ATI HydraVision\HydraMD.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe"
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINNT\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O20 - Winlogon Notify: lmvyuwlg - C:\WINNT\SYSTEM32\dkdkdkd.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe





VundoFix V6.3.16

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 10:55:31 PM 3/18/2007

Listing files found while scanning....

C:\WINNT\system32\dkdkdkd.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\dkdkdkd.dll
C:\WINNT\system32\dkdkdkd.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.3.16

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 11:24:09 PM 3/18/2007

Listing files found while scanning....

C:\WINNT\system32\dkdkdkd.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\dkdkdkd.dll
C:\WINNT\system32\dkdkdkd.dll Could not be deleted.

Performing Repairs to the registry.
Done!






SDFix: Version 1.73

Run by Patrick - Mon 03/19/2007 - 22:11:12.14

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Service

Path:
C:\WINNT\system32\Service.exe

Service Deleted



Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\DOCUME~1\Patrick\LOCALS~1\Temp\abc123.pid - Deleted



ADS Check:

C:\WINNT\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\EA GAMES\\Battlefield Vietnam2\\bfvietnam.exe"="C:\\Program Files\\EA GAMES\\Battlefield Vietnam2\\bfvietnam.exe:*:Disabled:bfvietnam"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\NovaLogic\\Joint Operations Typhoon Rising\\Jointops.exe"="C:\\Program Files\\NovaLogic\\Joint Operations Typhoon Rising\\Jointops.exe:*:Enabled:Jointops"
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\\Program Files\\EA GAMES\\MOHAA\\moh_spearhead.exe"="C:\\Program Files\\EA GAMES\\MOHAA\\moh_spearhead.exe:*:Enabled:Medal of Honor Allied Assault™ Spearhead"
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"="C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe:*:Enabled:BattlefrontII"
"C:\\Documents and Settings\\Patrick\\My Documents\\temp\\HP\\Setup\\HPZnet01.exe"="C:\\Documents and Settings\\Patrick\\My Documents\\temp\\HP\\Setup\\HPZnet01.exe:*:Enabled:ICE Network Plug in"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Pure Networks\\Network Magic\\nmsrvc.exe"="C:\\Program Files\\Pure Networks\\Network Magic\\nmsrvc.exe:LocalSubNet:Enabled:Pure Networks Network Magic Service"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Sorry to say, the files that are non-deleteable are still present.

dkdkdkd.dll
dkdkdkd.dll.bak
ssgfwvsd.dll
ssgfwvsd.dll.bak
illxelbv.dll

[Shaba]

Hi

Yes, it seemed to be unsuccessful. It just might be that it's not vundo but some other nasty.

Uninstall via add/remove programs

Java runtime environment 1.5.0.3 and 1.5.0.6

Upload this file -> C:\WINNT\system32\dkdkdkd.dll to VirusTotal and post back results here.

Edited by Shaba, 20 March 2007 - 02:04 AM.

[patrickvols]

Could not remove Java 1.503 or 1.506... I get the message from Windows...."The Windows Installer Service could not be accessed. This can occur if you are running Windows in Safe mode, or if the Windows installer is not correctly installed. Contact your support personnel for assistance". I then checked in "Services" and it was disabled. I tried to start it again, and I get the same message as above. STATUS: FINISHEDComplete scanning result of "dkdkdkd.dll", received in VirusTotal at 03.21.2007, 02:04:53 (CET). Antivirus Version Update Result AhnLab-V3 2007.3.21.0 03.20.2007 no virus found AntiVir 7.3.1.44 03.20.2007 TR/Dldr.ConHook.Gen Authentium 4.93.8 03.20.2007 no virus found Avast 4.7.936.0 03.20.2007 no virus found AVG 7.5.0.447 03.20.2007 no virus found BitDefender 7.2 03.21.2007 no virus found CAT-QuickHeal 9.00 03.20.2007 no virus found ClamAV devel-20070312 03.21.2007 no virus found DrWeb 4.33 03.20.2007 no virus found eSafe 7.0.14.0 03.20.2007 Suspicious Trojan/Worm eTrust-Vet 30.6.3496 03.20.2007 no virus found Ewido 4.0 03.20.2007 no virus found FileAdvisor 1 03.21.2007 no virus found Fortinet 2.85.0.0 03.20.2007 no virus found F-Prot 4.3.1.45 03.20.2007 no virus found F-Secure 6.70.13030.0 03.21.2007 no virus found Ikarus T3.1.1.3 03.20.2007 no virus found Kaspersky 4.0.2.24 03.21.2007 no virus found McAfee 4988 03.20.2007 no virus found Microsoft 1.2306 03.21.2007 no virus found NOD32v2 2129 03.20.2007 no virus found Norman 5.80.02 03.20.2007 no virus found Panda 9.0.0.4 03.20.2007 Suspicious file Prevx1 V2 03.21.2007 no virus found Sophos 4.15.0 03.13.2007 no virus found Sunbelt 2.2.907.0 03.16.2007 no virus found Symantec 10 03.21.2007 no virus found TheHacker 6.1.6.078 03.20.2007 no virus found UNA 1.83 03.16.2007 no virus found VBA32 3.11.2 03.19.2007 no virus found VirusBuster 4.3.7:9 03.20.2007 no virus found Webwasher-Gateway 6.0.1 03.20.2007 Trojan.Dldr.ConHook.Gen Aditional Information File size: 77312 bytes MD5: 9bb52e6a75a4300e6b2ed234d2e44e1b SHA1: 71a0f8cf0d9e7b739d23e8f3674f1977e0928d47 packers: UPX VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability

[Shaba]

Hi

As for that Windows installer thing, see here

1. Download this file - combofix.exe
and save it to your desktop.

2. Go to start -> run.
type this in box and click ok

"%userprofile%\desktop\ComboFix.exe" /v dkdkdkd ssgfwvsd

3. When finished, it shall produce a log for you. Post that log in your next reply

4. Reboot

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post:

- a fresh HijackThis log
- combofix report

[patrickvols]

Well, that seems to have done it. Below are the log files.



"Patrick" - 07-03-21 21:08:50 Service Pack 2
ComboFix 07-03-22 - Running from: "C:\Documents and Settings\Patrick\desktop"
Command switches used :: /v dkdkdkd ssgfwvsd

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\dkdkdkd.dll
C:\WINNT\system32\ssgfwvsd.dll
C:\WINNT\system32\dkdkdkd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\dkdkdkd.dll.bak
C:\WINNT\system32\drivers\cqigsjyg.sys
C:\WINNT\system32\dkdkdkd.dll
C:\WINNT\system32\dkdkdkd.dll.bak
C:\WINNT\system32\dkdkdkd.dll
C:\WINNT\system32\dkdkdkd.dll


((((((((((((((((((((((((((((((( Files Created from 2007-02-21 to 2007-03-21 ))))))))))))))))))))))))))))))))))


2007-03-20 21:02 117,248 --a------ C:\WINNT\system32\illxelbv.dll
2007-03-20 00:07 <DIR> d-------- C:\Program Files\FileASSASSIN
2007-03-19 22:09 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-18 22:55 <DIR> d-------- C:\VundoFix Backups
2007-03-17 23:18 <DIR> d-------- C:\Program Files\Privacy Guardian
2007-03-17 22:09 61,556 --a------ C:\WINNT\system32\pguard.dat
2007-03-17 22:09 32,852 --a------ C:\WINNT\system32\pghash.dat
2007-03-17 21:09 <DIR> d-------- C:\Program Files\Alwil Software
2007-03-17 21:06 <DIR> d-------- C:\Program Files\ProcessGuard
2007-03-17 21:00 <DIR> d-------- C:\Program Files\FreeFixer
2007-03-17 20:58 <DIR> d-------- C:\Program Files\Bazooka Scanner
2007-03-17 20:00 83,536 --a------ C:\WINNT\system32\drivers\iksyssec.sys
2007-03-17 20:00 59,472 --a------ C:\WINNT\system32\drivers\iksysflt.sys
2007-03-17 20:00 52,304 --a------ C:\WINNT\system32\drivers\ikfilesec.sys
2007-03-17 20:00 39,248 --a------ C:\WINNT\system32\drivers\ikfileflt.sys
2007-03-17 20:00 26,064 --a------ C:\WINNT\system32\drivers\kcom.sys
2007-03-17 20:00 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-03-17 20:00 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2007-03-17 20:00 <DIR> d-------- C:\DOCUME~1\Patrick\APPLIC~1\PC Tools
2007-03-17 20:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Tools
2007-03-17 19:59 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-03-17 16:20 <DIR> d-------- C:\Program Files\HJT
2007-03-17 15:51 <DIR> d-------- C:\WINNT\system32\bak
2007-03-13 23:08 <DIR> d-------- C:\DOCUME~1\Patrick\APPLIC~1\ImgBurn


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-21 20:59 -------- d-------- C:\Program Files\java
2007-02-17 15:08 -------- d--h----- C:\Program Files\installshield installation information
2007-02-07 17:18 -------- d-------- C:\DOCUME~1\Patrick\APPLIC~1\petroglyph
2007-02-07 17:16 -------- d-------- C:\DOCUME~1\Patrick\APPLIC~1\lucasarts
2007-02-07 17:07 -------- d-------- C:\Program Files\lucasarts
2007-02-07 17:05 -------- d---s---- C:\Program Files\xfire


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Remote Control"="\"C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIRW.exe\""
"!1_ProcessGuard_Startup"="\"C:\\Program Files\\ProcessGuard\\procguard.exe\" -minimize"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"ATI DeviceDetect"="\"C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE\""
"D-Link AirPlus G"="\"C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"D-Link AirPlus XtremeG"="\"C:\\Program Files\\D-Link\\AirPlus XtremeG\\AirPlusCFG.exe\""
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"nmapp"="\"C:\\Program Files\\Pure Networks\\Network Magic\\nmapp.exe\" -autorun -nosplash"
"HydraVisionDesktopManager"="C:\\Program Files\\ATI Technologies\\ATI HydraVision\\HydraDM.exe"
"HydraVisionViewport"="C:\\Program Files\\ATI Technologies\\ATI HydraVision\\HydraMD.exe"
"!1_pgaccount"="\"C:\\Program Files\\ProcessGuard\\pgaccount.exe\""
"SDTray"="C:\\Program Files\\Spyware Doctor\\SDTrayApp.exe"
"UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
C:\ComboFix\aa.cf

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ WinCinema Manager.lnk"
"backup"="C:\\WINNT\\pss\\ WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Sandisk\\Common\\Bin\\WINCIN~1.EXE "
"item"=" WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Acrobat Assistant.lnk"
"backup"="C:\\WINNT\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Distillr\\acrotray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINNT\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\AutoCAD Startup Accelerator.lnk"
"backup"="C:\\WINNT\\pss\\AutoCAD Startup Accelerator.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\AUTODE~1\\ACSTAR~1.EXE "
"item"="AutoCAD Startup Accelerator"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-link AirPlus G DWL-G120 Wireless USB.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\D-link AirPlus G DWL-G120 Wireless USB.lnk"
"backup"="C:\\WINNT\\pss\\D-link AirPlus G DWL-G120 Wireless USB.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\D-LINK~1\\120UTIL.exe "
"item"="D-link AirPlus G DWL-G120 Wireless USB"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINNT\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Image Zone Fast Start.lnk"
"backup"="C:\\WINNT\\pss\\HP Image Zone Fast Start.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s"
"item"="HP Image Zone Fast Start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Patrick^Start Menu^Programs^Startup^Delta Force-Black Hawk Down Team Sabre Registration.lnk]
"path"="C:\\Documents and Settings\\Patrick\\Start Menu\\Programs\\Startup\\Delta Force-Black Hawk Down Team Sabre Registration.lnk"
"backup"="C:\\WINNT\\pss\\Delta Force-Black Hawk Down Team Sabre Registration.lnkStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Patrick\\Local Settings\\Temp\\{FD276F75-1E38-45E5-B40B-F67A3D80937F}\\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\\NOVG.EXE /remind /language=ENU /PRNM=\"Delta Force-Black Hawk Down Team Sabre\""
"item"="Delta Force-Black Hawk Down Team Sabre Registration"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Patrick^Start Menu^Programs^Startup^Xfire.lnk]
"path"="C:\\Documents and Settings\\Patrick\\Start Menu\\Programs\\Startup\\Xfire.lnk"
"backup"="C:\\WINNT\\pss\\Xfire.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Xfire\\Xfire.exe "
"item"="Xfire"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrust PestPatrol Active Protection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="none"
"hkey"="HKLM"
"command"="none"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark_X79-55]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lsasss"
"hkey"="HKLM"
"command"="C:\\WINNT\\system32\\lsasss.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lnwin.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lnwin"
"hkey"="HKLM"
"command"="C:\\WINNT\\system32\\lnwin.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeperUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="\"mobsync"
"hkey"="HKLM"
"command"="\"mobsync.exe\" /logon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysinter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="adirss"
"hkey"="HKLM"
"command"="C:\\WINNT\\system32\\adirss.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Transponder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="susp"
"hkey"="HKLM"
"command"="C:\\WINNT\\system32\\susp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"x10nets"=dword:00000003
"Prnte10sd"=dword:00000003
"nmraapache"=dword:00000003
"MSIServer"=dword:00000003


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_MCHINJDRV


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\WebReg 20060418212219.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-21 21:20:46

_____________________________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 9:41:35 PM, on 3/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wdfmgr.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\alg.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATI DeviceDetect] "C:\Program Files\ATI Multimedia\main\ATIDtct.EXE"
O4 - HKLM\..\Run: [D-Link AirPlus G] "C:\Program Files\D-Link\AirPlus G\AirGCFG.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] "C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\ATI HydraVision\HydraMD.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ATI Remote Control] "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe"
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINNT\web\AOpenClient.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

[Shaba]

Hi Yes, it looks like so Upload these files to VirusTotal and post back results, please: C:\WINNT\system32\illxelbv.dll C:\WINNT\system32\drivers\iksyssec.sys C:\WINNT\system32\drivers\iksysflt.sys C:\WINNT\system32\drivers\ikfilesec.sys C:\WINNT\system32\drivers\ikfileflt.sys C:\WINNT\system32\drivers\kcom.sys

Edited by Shaba, 22 March 2007 - 02:01 AM.

[Shaba]

Due to the lack of feedback this Topic is closed. If you need help please start a new thread and post a new HJT log