
Driver_irql_not_less_or_equal & Nuwar.n!sys Virus


79 replies to this topic

#1 JCInfected
    Authentic Member
  • 56 posts

Posted 15 April 2007 - 04:19 PM

Hi there,

First of all, thank you for taking the time to help out people like myself. I'm a first-time poster, so if I make any mistakes, please bear with me and point them out so that I won't make them again.

I'm running Windows XP Pro SP2. I'm unable to connect to the internet, and this virus has disabled my firewall and antivirus programs. I believe I got the virus when I visited a website that suddenly ground my computer to a snail's pace and installed d1.exe, d2.exe, d3.exe, d4.exe on my desktop. I then proceeded to reset my computer before it did any more damage.

I've done some analysis myself and I believe I have the Nuwar.N!sys virus. My computer restarts every single time I try to run any antivirus software or visit any site that does any scanning. I was lucky one time: I sent an error report to Microsoft and it said I had the Nuwar.N!sys virus.

A couple of times when I restarted, it gave me the blue screen of death with the following info:

Driver_IRQL_not_less_or_equal

STOP 0x000.....

NDIS.sys error


I then proceeded to run in Safe Mode with Networking, but upon loading the networking "d347.bus", my computer would restart as well. So I ran in Safe Mode without networking, skipped the loading of d347.bus, and it ran fine. I downloaded AVG Anti-Spyware from another computer and ran the scanner. Here is the log it produced:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:57:42 PM 4/14/2007

+ Scan result:



C:\Program Files\Overnet\Plugins\httpprotocol.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\wincom32.sys -> Dropper.Agent.bbv : Cleaned with backup (quarantined).
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8FTF2G3Z\d5[1].exe -> Dropper.Agent.bdy : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT000061.EXE -> Dropper.Agent.bdy : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-484763869-706699826-682003330-1003\Dc1.exe -> Dropper.Agent.bdy : Cleaned with backup (quarantined).
C:\Program Files\eDonkey2000\URL2FILE.exe -> Not-A-Virus.Downloader.Win32.Url2File.a : Cleaned with backup (quarantined).
C:\Program Files\eDonkey2000\server.met_autoupdater_by_maurice_-_version_3.0_-_core.zip/URL2FILE.exe -> Not-A-Virus.Downloader.Win32.Url2File.a : Cleaned with backup (quarantined).
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3da4390a-13539c24.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\windev-1a33-45b0.sys -> Not-A-Virus.SpamTool.Win32.Agent.af : Cleaned with backup (quarantined).
C:\WINDOWS\comdlg64.dll -> Proxy.Agent.jk : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts -> Proxy.Small : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT000062.sys -> Rootkit.Agent.dn : Cleaned with backup (quarantined).
C:\Documents and Settings\user\Cookies\user@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\user\Cookies\user@oasc06006.247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\user\Cookies\user@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\user\Cookies\user@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\user\Cookies\user@axa.addcontrol[1].txt -> TrackingCookie.Addcontrol : Cleaned.
C:\Documents and Settings\user\Cookies\user@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\user\Cookies\user@ad.adition[2].txt -> TrackingCookie.Adition : Cleaned.
C:\Documents and Settings\user\Cookies\user@rotator.its.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\user\Cookies\user@ad.admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\user\Cookies\user@admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\user\Cookies\user@admarketplace[3].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\user\Cookies\user@www.adobe[2].txt -> TrackingCookie.Adobe : Cleaned.
C:\Documents and Settings\user\Cookies\user@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\user\Cookies\user@media.adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\user\Cookies\user@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\user\Cookies\user@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\user\Cookies\user@text.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\user\Cookies\user@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\user\Cookies\user@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\user\Cookies\user@ad1.clickhype[2].txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\user\Cookies\user@cz6.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\user\Cookies\user@ads.cnn[1].txt -> TrackingCookie.Cnn : Cleaned.
C:\Documents and Settings\user\Cookies\user@ads.cnn[3].txt -> TrackingCookie.Cnn : Cleaned.
C:\Documents and Settings\user\Cookies\user@ads.com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\user\Cookies\user@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\user\Cookies\user@com[3].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\user\Cookies\user@com[4].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\user\Cookies\user@news.com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\user\Cookies\user@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\user\Cookies\user@dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\user\Cookies\user@c.enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\user\Cookies\user@estat[1].txt -> TrackingCookie.Estat : Cleaned.
C:\Documents and Settings\user\Cookies\user@www.etracker[1].txt -> TrackingCookie.Etracker : Cleaned.
C:\Documents and Settings\user\Cookies\user@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\user\Cookies\user@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\user\Cookies\user@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\user\Cookies\user@as1.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\user\Cookies\user@fortunecity[1].txt -> TrackingCookie.Fortunecity : Cleaned.
C:\Documents and Settings\user\Cookies\user@ads.gamershell[1].txt -> TrackingCookie.Gamershell : Cleaned.
C:\Documents and Settings\user\Cookies\user@gamershell[2].txt -> TrackingCookie.Gamershell : Cleaned.
C:\Documents and Settings\user\Cookies\user@www.gamershell[1].txt -> TrackingCookie.Gamershell : Cleaned.
C:\Documents and Settings\user\Cookies\user@hit.gemius[1].txt -> TrackingCookie.Gemius : Cleaned.
C:\Documents and Settings\user\Cookies\user@hit.gemius[2].txt -> TrackingCookie.Gemius : Cleaned.
C:\Documents and Settings\user\Cookies\user@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned.
C:\Documents and Settings\user\Cookies\user@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned.
C:\Documents and Settings\user\Cookies\user@ads.infinite-ads[2].txt -> TrackingCookie.Infinite-ads : Cleaned.
C:\Documents and Settings\user\Cookies\user@searchportal.information[2].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\user\Cookies\user@intelli-direct[1].txt -> TrackingCookie.Intelli-direct : Cleaned.
C:\Documents and Settings\user\Cookies\user@intelli-direct[2].txt -> TrackingCookie.Intelli-direct : Cleaned.
C:\Documents and Settings\user\Cookies\user@intelli-direct[3].txt -> TrackingCookie.Intelli-direct : Cleaned.
C:\Documents and Settings\user\Cookies\user@ilead.itrack[2].txt -> TrackingCookie.Itrack : Cleaned.
C:\Documents and Settings\user\Cookies\user@komtrack[2].txt -> TrackingCookie.Komtrack : Cleaned.
C:\Documents and Settings\user\Cookies\user@search.live[2].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\user\Cookies\user@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\user\Cookies\user@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\user\Cookies\user@image.masterstats[2].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\user\Cookies\user@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\user\Cookies\user@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\user\Cookies\user@search.msn[3].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\user\Cookies\user@search.msn[4].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\user\Cookies\user@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\user\Cookies\user@www.myaffiliateprogram[3].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\user\Cookies\user@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\user\Cookies\user@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\user\Cookies\user@ssl-hints.netflame[4].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\user\Cookies\user@diepress.oewabox[1].txt -> TrackingCookie.Oewabox : Cleaned.
C:\Documents and Settings\user\Cookies\user@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\user\Cookies\user@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\user\Cookies\user@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\user\Cookies\user@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\user\Cookies\user@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\user\Cookies\user@ads.planetactive[1].txt -> TrackingCookie.Planetactive : Cleaned.
C:\Documents and Settings\user\Cookies\user@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\user\Cookies\user@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\user\Cookies\user@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned.
C:\Documents and Settings\user\Cookies\user@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\user\Cookies\user@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\user\Cookies\user@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\user\Cookies\user@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\user\Cookies\user@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\user\Cookies\user@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\user\Cookies\user@adopt.specificclick[3].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\user\Cookies\user@adopt.specificclick[4].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\user\Cookies\user@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\user\Cookies\user@spylog[2].txt -> TrackingCookie.Spylog : Cleaned.
C:\Documents and Settings\user\Cookies\user@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\user\Cookies\user@starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\user\Cookies\user@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\user\Cookies\user@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\user\Cookies\user@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\user\Cookies\user@ad.text.tbn[1].txt -> TrackingCookie.Texttbnru : Cleaned.
C:\Documents and Settings\user\Cookies\user@toplist[2].txt -> TrackingCookie.Toplist : Cleaned.
C:\Documents and Settings\user\Cookies\user@toplist[3].txt -> TrackingCookie.Toplist : Cleaned.
C:\Documents and Settings\user\Cookies\user@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\user\Cookies\user@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\user\Cookies\user@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\user\Cookies\user@ezzs.valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\user\Cookies\user@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\user\Cookies\user@yadro[1].txt -> TrackingCookie.Yadro : Cleaned.
C:\Documents and Settings\user\Cookies\user@yadro[2].txt -> TrackingCookie.Yadro : Cleaned.
C:\Documents and Settings\user\Cookies\user@yadro[3].txt -> TrackingCookie.Yadro : Cleaned.
C:\Documents and Settings\user\Cookies\user@yadro[4].txt -> TrackingCookie.Yadro : Cleaned.
C:\Documents and Settings\user\Cookies\user@yadro[5].txt -> TrackingCookie.Yadro : Cleaned.
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\user\Cookies\user@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\user\Cookies\user@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\user\Local Settings\Temp\Cookies\user@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\user\Cookies\user@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\Cracks\rpftpv90.zip/aaocg_ftpvoyager_crk.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sblwjsnte.dll -> Trojan.Vqten : Cleaned with backup (quarantined).
C:\Program Files\AIM95\icbmft.ocm -> Worm.AimVen : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\rsvp32_2.dll -> Worm.Zhelatin.al : Cleaned with backup (quarantined).
[476] C:\WINDOWS\system32\rsvp32_2.dll -> Worm.Zhelatin.al : Cleaned with backup (quarantined).
[664] C:\WINDOWS\system32\rsvp32_2.dll -> Worm.Zhelatin.al : Cleaned with backup (quarantined).
C:\Documents and Settings\user\Local Settings\Temp\d3.exe -> Worm.Zhelatin.cs : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\spoolsvv.exe -> Worm.Zhelatin.cs : Cleaned with backup (quarantined).


::Report end


Unfortunately, I forgot to disable System Restore before running it. I proceeded to go back into Windows XP normally, and my internet would not work at all. I restarted my computer again and found myself at the blue screen of death again, with the same error message, and I got back the exact same symptoms of restarting every time I tried to run a scan in non-safe mode. I then ran HijackThis in Safe Mode again, with the following log:


Logfile of HijackThis v1.99.1
Scan saved at 10:52:45 AM, on 4/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Windows\Explorer.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\GETRIGHT.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GETRIGHT\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GETRIGHT\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES12031.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES12031.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros....?1120209053671
O16 - DPF: {68253470-5D4F-4CDF-8D9C-353C14A2F013} (SVPorsche Control) - http://seevideo.co.k...3/svporsche.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros....?1160072345984
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn....o.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/....ploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Sorry for the long post. I'm afraid to do anything else right now and I hope I can leave it to you professionals for help. Thanks a lot for the help and hopefully we'll be able to resolve this soon.

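The HijackThis log above is long, but a helper reads only a handful of entry types first: the O10 line (a Winsock Layered Service Provider DLL is missing, which is why nothing can reach the internet), the O20 Winlogon Notify DLLs (loaded into winlogon.exe, so they stay locked in a normal session), O23 services with no vendor string running from system32, and the O4 entry showing MSConfig is running with /auto, i.e. selective startup is active. The Python script below is an added example written for this page, not code from the post, from HijackThis or from the forum; it parses lines in the HijackThis 1.99.1 format and reports exactly those entries. The KNOWN_NOTIFY allowlist is an assumption (the Notify packages that ship with XP SP2), and SAMPLE_LOG is a constructed subset of the log quoted above.

```python
"""Triage a HijackThis log: pull out the entry types a malware-removal helper
reads first.  Added example for this thread, not part of the original post."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O10_RE = re.compile(r"'(?P<dll>[^']+)'")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<e>.+?\.exe)(?=\s|$)|(?P<bare>\S+))', re.I)

# Winlogon Notify packages that ship with Windows XP SP2 (assumed allowlist);
# any other DLL registered here is loaded into winlogon.exe at every logon.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Constructed sample: a subset of the HijackThis 1.99.1 lines quoted in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis entry type, e.g. "O20"
    subject: str   # the file, DLL or Run item the finding is about
    reason: str


def _exe_of(command: str) -> str:
    """Basename of the executable in a Run command (quoted, unquoted with spaces, or bare)."""
    m = EXE_RE.match(command.strip())
    return ntpath.basename(m["q"] or m["e"] or m["bare"]) if m else ""


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            m4 = O4_RE.match(body)
            if m4 and _exe_of(m4["cmd"]).lower() == "msconfig.exe":
                findings.append(Finding("O4", m4["name"],
                    "selective startup is active; disabled items are kept under "
                    "HKLM\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig and may include malware"))
        elif section == "O10":
            m10 = O10_RE.search(body)
            findings.append(Finding("O10", m10["dll"] if m10 else body,
                "Winsock LSP chain is broken: a layered provider DLL is missing, "
                "so every TCP/IP application fails until the catalog is repaired"))
        elif section == "O20":
            m20 = O20_RE.match(body)
            if m20 and m20["name"].lower() not in KNOWN_NOTIFY:
                findings.append(Finding("O20", m20["path"],
                    "non-standard Winlogon Notify DLL; winlogon.exe loads it at logon, "
                    "so the file reports as in use and cannot be deleted from a normal session"))
        elif section == "O23":
            m23 = O23_RE.match(body)
            if m23 and m23["owner"] == "Unknown owner" and _in_system32(m23["path"]):
                findings.append(Finding("O23", m23["path"],
                    "service with no vendor string running from system32"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.subject}\n     {f.reason}")
```

Run against the sample, the script lists the MSConfig O4 entry, rsvp32_2.dll, both Winlogon Notify DLLs and the two "Unknown owner" services; the ATI service with a vendor string is left alone. The O23 rule is deliberately narrow (vendor string absent and binary in system32); a missing vendor string on its own is common for small third-party tools.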


#2 Susan528
    SuperMember
  • 3,194 posts

Posted 16 April 2007 - 08:01 AM

Hello JCInfected and Welcome to TomCoyote,

Please avoid using Safe Mode with Networking as much as you can, because you are wide open to the WWW without protection.

Do you have Windows XP CDs? If you do, were they purchased from Microsoft, or did they come installed on the computer by the original equipment manufacturer (OEM)?

Please tell me what brand and model of computer you have. This may help me to find OEM related fixes if needed which may vary from the fixes posted on the Microsoft site.

MSconfig.exe detected:
Let's find out if you have any malware disabled with selective start-up.
Go to Start >Run and type "Notepad" without the quotes
Copy/paste the following text into a new Notepad (not WordPad) document. Make sure that Word Wrap is unchecked.
Go to the menu at the top of the Notepad file and Save as:
  • Name the file mslook.bat
  • Save as Type: All files (not as a text document or it won't work)
  • Select the desktop icon on the left to save it on the desktop.
Locate mslook.bat on your Desktop and double-click it. When Notepad opens, copy/paste the content into your reply. When you close Notepad, the CMD window will close automatically and the text file will be deleted.

rem Export the MSConfig key (where selective startup keeps disabled items) to a text file
regedit /a /e %systemdrive%\regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
rem Open the export in Notepad; the batch file waits here until Notepad is closed
notepad %systemdrive%\regkey.txt
rem Remove the export once Notepad has been closed
del /q %systemdrive%\regkey.txt


Reboot into Safe Mode(unless you are already in safe mode): please see here if you are not sure how to do this.

Show hidden files:
Windows XP

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\WINDOWS\system32\mszsrn32.dll<=file
C:\WINDOWS\system32\rpcc.dll<=file

Exit Explorer.


Scan with HijackThis. Place a check against each of the following:
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

Post (reply) with a fresh HijackThis log and we will take another look, along with the information for the msconfig items and the answers to the questions about the model and CDs.

Proud member of ASAP since 2005


#3 JCInfected
    Authentic Member
  • 56 posts

Posted 16 April 2007 - 12:08 PM

Thank you for your help. I was unable to delete mszsrn32.dll and rpcc.dll because Windows reported they were being used by another process or that another user was currently using them. I was on the admin account, so I had privileges to delete them, and my network cable was completely unplugged as well. Since I couldn't delete them, I guessed running HijackThis wouldn't help, so I didn't. Also, I've used msconfig a lot to disable a lot of tasks I didn't think I needed, so that may also be why some stuff is missing. Here is the regkey.txt:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Acrobat Assistant.lnk"
"backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Distillr\\acrotray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AcctMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AcctMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton SystemWorks\\Password Manager\\AcctMgr.exe /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CloneCDElbyCDFL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ElbyCheck"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Elaborate Bytes\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Mirabilis ICQ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQNet"
"hkey"="HKLM"
"command"="C:\\Program Files\\ICQ\\ICQNet.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NVMixerTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVMixerTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\spoolsvv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="spoolsvv"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\spoolsvv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpybotSD TeaTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TeaTimer"
"hkey"="HKCU"
"command"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000000
"services"=dword:00000000
"startup"=dword:00000002

And in response to the Windows CD question, my computer was upgraded from Windows 98 to Windows XP Pro. I used the CDs that I was given by the computer shop. I believe they are not the OEM version. Thanks again for your help.

Edited by JCInfected, 16 April 2007 - 12:09 PM.


#4 Susan528 (SuperMember, 3,194 posts)

Posted 16 April 2007 - 05:24 PM

To install the Recovery Console, follow these steps:
1. Insert the Windows XP CD into the CD-ROM drive.
2. Click Start, and then click Run.
3. In the Open box, type d:\i386\winnt32.exe /cmdcons where d is the drive letter for the CD-ROM drive.
4. A Windows Setup Dialog Box appears. The Windows Setup Dialog Box describes the Recovery Console option. To confirm the installation, click Yes.
5. Restart the computer. The next time that you start your computer, "Microsoft Windows Recovery Console" appears on the startup menu.
Alternatively, you can use a Universal Naming Convention (UNC)-established connection to install the Recovery Console from a network share point.

Let me know if you receive the following error; maybe we will not have to pursue this part.
Note You may receive an error message that is similar the following:
Setup cannot continue because the version of Windows on your computer is newer than the version on the CD.
If this problem occurs, click the following article number to view the article in the Microsoft Knowledge Base:
898594 (http://support.micro....com/kb/898594/) You receive an error message if you try to install the Recovery Console on a Microsoft Windows XP Service Pack 2-based computer
======================

To restart the computer using the Windows Recovery Console
To remove this threat it is necessary to restart the computer and run the Windows Recovery Console. For full details on how to do this please read the Microsoft Knowledge Base article, How to install and use the Recovery Console in Windows XP.
http://support.micro...kb;en-us;307654
a. Insert the Windows XP CD-ROM into the CD-ROM drive.
b. Restart the computer from the CD-ROM drive.
c. Press R to start the Recovery Console when the "Welcome to Setup" screen appears.
d. Select the installation that you want to access from the Recovery Console.
e. Enter the administrator password and press Enter.
f. Type cd system32
g. Press Enter
h. Type del mszsrn32.dll
i. Press Enter
j. Type del rpcc.dll
k. Press Enter
l. Type exit
Please let me know if you were able to delete those files.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#5 JCInfected (Authentic Member, 56 posts)

Posted 16 April 2007 - 06:31 PM

Thanks again Susan for your help. I won't be home for like another 5 hrs so I'm unable to do any of this. However, I was doing some research and I think I found a way to delete those 2 files. I believe it might have to do with the ownership of the files being registered to another user, thus I wasn't able to delete since the error message said "Access Denied", saying it's either in use by another user or something along the lines of that. Also, I forgot to mention, in safe mode, a new user account called "Administrator" showed up that did not need a password to log in to. I've only ever created one user account for Windows XP and it already had admin access. I'm assuming the hacker made this new account but I'm not sure since I believe this account is only accessible via safe mode. If I'm able to delete these 2 files using the new method, should I continue with the recovery console? My Windows CD is definitely older than SP2 so I'm pretty sure I'd get that error message. However, I believe I do have a friend with an SP2 CD that I could possibly borrow. Thanks again Susan.

Edited by JCInfected, 16 April 2007 - 06:33 PM.


#6 Susan528 (SuperMember, 3,194 posts)

Posted 16 April 2007 - 08:22 PM

a new user account called "Administrator" showed up that did not need a password to log in to


There generally is an "Administrator" account that shows in safe mode in addition to the accounts that have been set up.

http://support.microsoft.com/kb/898594
That friend's CD may help.
Method 1: Use a Windows XP SP2 CD
Click Start, click Run, type CD drive letter:\i386\winnt32.exe /cmdcons, and then click OK.

#7 JCInfected (Authentic Member, 56 posts)

Posted 16 April 2007 - 09:43 PM

Unfortunately it's too late to call up my friend tonight asking to borrow his CD. If I'm successful in deleting those 2 files, should I proceed to do another Hijack This Scan as you suggested before and post here since that's the best I can possibly do tonight? And if I'm successful, should I even bother asking my friend for his CD? Sorry if I'm pestering you too much Susan. Thanks a lot and I really appreciate this.

Edited by JCInfected, 16 April 2007 - 09:44 PM.


#8 JCInfected (Authentic Member, 56 posts)

Posted 17 April 2007 - 12:22 AM

Sorry, never mind. I tried that new method without the SP2 CD but it didn't work. I'll just wait till I get the CD from my friend and see if I can delete those files after that. I'll post again once that's done. Thanks Susan.

#9 JCInfected (Authentic Member, 56 posts)

Posted 18 April 2007 - 11:19 AM

I was able to successfully delete those files under the recovery console. Just a side question, does the "administrator" account in safe mode always start out initialized with no password? I just entered nothing for the password and the recovery console allowed me to use it.

Anyways, here's the fresh HijackThis Log after removing the files in recovery console and after the previous HijackThis scan, where I clicked the "Fix Selected Items" on those 2 files.

This new Hijack log scan was done in safe mode, as were all the other ones I've done and without restarting after the previous HijackThis scan that fixed the selected items.



Logfile of HijackThis v1.99.1
Scan saved at 10:09:58 AM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Windows\Explorer.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\GETRIGHT.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GETRIGHT\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GETRIGHT\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES12031.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES12031.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120209053671
O16 - DPF: {68253470-5D4F-4CDF-8D9C-353C14A2F013} (SVPorsche Control) - http://seevideo.co.k...3/svporsche.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160072345984
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Should I also run an AVG scan as well in safe mode? Thanks a lot Susan
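A first-pass triage of a HijackThis log such as the one posted above, as an added example that is not tooling from the thread. It checks the line types HijackThis 1.99 emits for the things a helper looks at first: entries whose target file is missing, a broken Winsock LSP chain (O10), BHOs with no display name (O2), Run entries that name a bare executable with no path (O4), ActiveX downloads (O16 - DPF) from hosts outside an allow-list, and services whose binary carries no publisher (O23). SAMPLE_LOG is constructed to mirror the line types in the posted log, with made-up hosts in the O16 lines; TRUSTED_DPF_HOSTS is an assumption. A finding means "look at this", not "this is malicious": a "(file missing)" entry, for example, is often a leftover from an uninstall.

```python
"""First-pass triage of HijackThis 1.99 log lines.

Added example, not tooling from the thread. SAMPLE_LOG is constructed to
mirror the line types in the posted log (hosts in the O16 lines are made
up); TRUSTED_DPF_HOSTS is an assumption."""
import re
from urllib.parse import urlparse

# Hosts from which ActiveX downloads (O16 - DPF) are expected. Assumed.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "zone.msn.com"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed sample: same line shapes as the posted log, invented hosts.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/example/wuweb_site.cab
O16 - DPF: {68253470-5D4F-4CDF-8D9C-353C14A2F013} (SVPorsche Control) - http://cdn.example.invalid/example/svporsche.cab
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
"""

def _executable(cmd):
    """Program path of a Run-key command line (quoted, or the first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def triage_line(line):
    """Return [(line type, reason, line)] for one HijackThis line."""
    kind = line.split(" ", 1)[0]
    findings = []
    if "(file missing)" in line:
        findings.append((kind, "target file missing (dangling entry)", line))
    if kind == "O10":
        findings.append((kind, "Winsock LSP chain is broken", line))
    if kind == "O2" and "(no name)" in line:
        findings.append((kind, "BHO registered without a display name", line))
    m = O4_RE.match(line)
    if m and not re.match(r"^([A-Za-z]:\\|%)", _executable(m.group("cmd"))):
        # No drive letter or environment variable: the name is resolved
        # through the search path, so a same-named file found earlier wins.
        findings.append((kind, "unqualified executable resolved via search path", line))
    m = O16_RE.match(line)
    if m:
        host = urlparse(m.group("url")).hostname or ""
        if host not in TRUSTED_DPF_HOSTS:
            findings.append((kind, f"ActiveX download from untrusted host {host}", line))
    m = O23_RE.match(line)
    if m and m.group("owner") == "Unknown owner":
        findings.append((kind, "service binary carries no publisher", line))
    return findings

def triage_log(text):
    """Run triage_line over every line of a log, preserving log order."""
    return [f for line in text.splitlines() for f in triage_line(line.rstrip())]

if __name__ == "__main__":
    for kind, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{kind}] {reason}: {line}")
```

Run it against a saved log with `triage_log(open("hijackthis.log").read())`. The allow-list for O16 is deliberately small; the point is that every DPF host not on it gets surfaced, which is how the SVPorsche entry would be noticed for review.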

#10 Susan528 (SuperMember, 3,194 posts)

Posted 18 April 2007 - 02:48 PM

Hi JCInfected,

I will have to do some research concerning the "Administrator" and no password. I know I must enter a password on mine.

Are you able to boot into normal mode or are you still limited to safe mode?

SDFix

Also download SDFix.zip
and save it to the Desktop.
(http://downloads.and...Tools/SDFix.zip is the location, in case you are printing this document.)

Right click the SDFix.zip folder
Select: Extract All to extract it to its own folder on the Desktop.

====
Start the computer in Safe Mode :
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

====
Open the SDFix folder on the Desktop, and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot.

Press any key to restart the PC.
When the PC restarts the SDFix will run again and complete the removal process
It then displays Finished
Press any key to end the script and load the Desktop icons.

Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt.


MSconfig.exe detected:
Let's find out if you have any malware disabled with selective start-up.
Go to Start >Run and type "Notepad" without the quotes
Copy/paste the following blue text into a new notepad (not wordpad) document. Make sure that wordwrap is unchecked.
Go to the menu at the top of the Notepad file and Save as:
  • Name the file mslook.bat
  • Save as Type: All files (not as a text document or it won't work)
  • Select the desktop icon on the left to save it on the desktop.
Locate mslook.bat on your Desktop and double-click it. When notepad opens, copy/paste the content in your reply. When you close Notepad the CMD window will close automatically and the text file will be deleted.

regedit /a /e %systemdrive%\regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
notepad %systemdrive%\regkey.txt
del /q %systemdrive%\regkey.txt


Please download LSPfix and save it to the Desktop and unzip it.
(http://www.cexx.org/lspfix.zip is the location of LSPfix, in case you are printing this document.)

Run LSPfix and place a check against the I know what I am doing checkbox.
Highlight every instance of the following names and move them from the Keep to the Remove panel. Be sure to move nothing other than the files listed below!

rsvp32_2.dll
When done, click on Finish to exit the program; do not use the X in the top right-hand corner as nothing will happen!

Scan with HijackThis. Place a check against each of the following:
O16 - DPF: {68253470-5D4F-4CDF-8D9C-353C14A2F013} (SVPorsche Control) - http://seevideo.co.k...3/svporsche.cab
Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

Please let me know if you are still only able to boot into safe mode. Post (reply) with the Report.txt and a fresh HijackThis log.
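The mslook.bat step above exports the MSConfig key to regkey.txt in the REGEDIT4 format shown in post #3. What follows is an added example, not part of the thread, of reading such an export offline: it parses the REGEDIT4 text, lists the startupreg subkeys (each one is a startup entry that msconfig has switched off under selective startup), and flags entries that merit a second look, either because they run from a user-writable location or because the file name is one keystroke away from a core Windows binary. SAMPLE_EXPORT is a subset of the regkey.txt posted above; KNOWN_SYSTEM_BINARIES and the user-writable path fragments are assumptions made for the heuristics, and a flag is a prompt to check the file, not a verdict.

```python
"""Parse a REGEDIT4 export of the MSConfig key and review the startup
items msconfig has disabled (the startupreg subkeys).

Added example, not code from the thread. SAMPLE_EXPORT is a subset of
the regkey.txt posted above; KNOWN_SYSTEM_BINARIES and USER_WRITABLE
are assumptions made for the heuristics."""
import re
from ntpath import basename

STARTUPREG = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools"
              "\\MSConfig\\startupreg\\")
# Core Windows binaries whose names are often imitated (assumed list).
KNOWN_SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                         "smss.exe", "winlogon.exe", "services.exe", "explorer.exe"}
# Path fragments that mark a user-writable location (assumed).
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\")

# Constructed sample: entries copied from the posted regkey.txt.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AcctMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AcctMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton SystemWorks\\Password Manager\\AcctMgr.exe /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\spoolsvv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="spoolsvv"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\spoolsvv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpybotSD TeaTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TeaTimer"
"hkey"="HKCU"
"command"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000000
"services"=dword:00000000
"startup"=dword:00000002
"""

def _unescape(s):
    """REGEDIT4 string values escape backslash and quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_regedit4(text):
    """Return {key_path: {value_name: value}} for string and dword values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith("dword:"):
            keys[current][name] = int(rhs[6:], 16)
        elif len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
            keys[current][name] = _unescape(rhs[1:-1])
    return keys

def executable_of(command):
    """Extract the program path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]

def levenshtein(a, b):
    """Edit distance; used to spot names one keystroke from a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def disabled_startup_items(keys):
    """Each startupreg subkey is a Run entry msconfig has switched off."""
    items = []
    for key, vals in keys.items():
        if key.startswith(STARTUPREG) and vals.get("command"):
            items.append({"name": key[len(STARTUPREG):], "hive": vals.get("hive"),
                          "command": vals["command"]})
    return items

def review(items):
    """Return (entry name, reason, executable) for entries worth a closer look."""
    findings = []
    for it in items:
        exe = executable_of(it["command"])
        base = basename(exe).lower()
        if any(frag in exe.lower() for frag in USER_WRITABLE):
            findings.append((it["name"], "runs from a user-writable location", exe))
        for known in sorted(KNOWN_SYSTEM_BINARIES):
            if base != known and levenshtein(base, known) == 1:
                findings.append((it["name"], f"name is one edit from {known}", exe))
    return findings

if __name__ == "__main__":
    for name, reason, exe in review(disabled_startup_items(parse_regedit4(SAMPLE_EXPORT))):
        print(f"{name}: {reason} ({exe})")
```

On the sample this reports only the spoolsvv entry, because spoolsvv.exe differs from spoolsv.exe by one character; AcctMgr and TeaTimer pass both checks. The state key's startup value (2 here) is what msconfig uses to record that the startup list is under selective control.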



#11 JCInfected (Authentic Member, 56 posts)

Posted 18 April 2007 - 03:53 PM

I actually didn't try to go into normal windows mode yet in fear that I would damage stuff. I waited until you told me it was ok to do so. Should I do all the above steps first in safe mode then try to run Windows in normal mode? And a little tidbit about the administrator "no password" thing. I normally log into a different account under some name that is an "admin" account. When I started the recovery console, it did ask me for a password for the administrator access. I typed in my normal password for the account I normally used but that failed. I remember that "new" "Administrator" account that I've only seen in safe mode didn't need a password to enter it so I just left the password as blank and the Recovery console let me in. Thank you again Susan for your quick responses and your detailed explanations.

#12 Susan528 (SuperMember, 3,194 posts)

Posted 18 April 2007 - 04:19 PM

Go ahead and try to boot into normal mode and let me know if you can.

#13 JCInfected (Authentic Member, 56 posts)

Posted 18 April 2007 - 05:54 PM

Alright, I'll do all those steps above first and then see if I can reboot into normal mode. Please stop me and reply here if you just want me to try and see if normal mode works without the above steps.

#14 Susan528 (SuperMember, 3,194 posts)

Posted 18 April 2007 - 06:27 PM

If you can boot into normal mode and do the rest of the instructions, that would be good. If you encounter problems let me know.

#15 JCInfected (Authentic Member, 56 posts)

Posted 19 April 2007 - 02:19 AM

The link to the SDFix seems to be broken. However, when you reach the site, there's an alternate download "SDFix.exe". I assumed that's the same there so I ran that. Hopefully it's the same thing. Here's the SDFix Report:


SDFix: Version 1.79

Run by user - 04/19/2007 Thu - 0:40:10.43

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
ntldr.sys
wincom32

ImagePath:
\??\C:\ntldr.sys
\??\C:\WINDOWS\system32\wincom32.sys

ntldr.sys - Deleted
wincom32 - Deleted


ndis.sys Infected!

Patched File copied to Backups Folder
Attempting to replace ndis.sys with original version...

Original ndis.sys Restored


Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\CP1041.NLS - Deleted
C:\CP1467.NLS - Deleted
C:\WINDOWS\SYSTEM32\3ti.exe.exe - Deleted
C:\WINDOWS\SYSTEM32\pdp.exe.exe - Deleted
C:\WINDOWS\SYSTEM32\zup.exe.exe - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\wincom32.ini - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\StarNet\\X-Win32 6.0\\xwin32.exe"="C:\\Program Files\\StarNet\\X-Win32 6.0\\xwin32.exe:*:Enabled:X-Win32 PC XServer"
"C:\\Program Files\\ICQ\\Icq.exe"="C:\\Program Files\\ICQ\\Icq.exe:*:Enabled:ICQ"
"C:\\Program Files\\Warcraft III\\War3.exe"="C:\\Program Files\\Warcraft III\\War3.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Overnet\\overnet.exe"="C:\\Program Files\\Overnet\\overnet.exe:*:Enabled:Overnet Application"
"C:\\Program Files\\Kazaa Lite\\KazaaLite.kpp"="C:\\Program Files\\Kazaa Lite\\KazaaLite.kpp:*:Enabled:Kazaa Lite"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
"C:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"="C:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE:*:Disabled:Microsoft ® Visual Studio VSA RPC Event Creator"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"="C:\\Program Files\\WS_FTP\\WS_FTP95.exe:*:Enabled:WS_FTP 95"
"C:\\Program Files\\eDonkey2000\\edonkey2000.exe"="C:\\Program Files\\eDonkey2000\\edonkey2000.exe:*:Enabled:edonkey2000"
"C:\\WINDOWS\\System32\\java.exe"="C:\\WINDOWS\\System32\\java.exe:*:Disabled:java"
"C:\\Program Files\\Java\\jdk1.5.0_01\\jre\\bin\\java.exe"="C:\\Program Files\\Java\\jdk1.5.0_01\\jre\\bin\\java.exe:*:Disabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\World of Warcraft\\WoW-1.4.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.4.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Inu Yasha Movies\\WoW-1.4.2-to-0.5.0-Test-enUS.exe"="C:\\Inu Yasha Movies\\WoW-1.4.2-to-0.5.0-Test-enUS.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.4.2.4375-to-1.5.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.4.2.4375-to-1.5.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Inu Yasha Movies\\CaptureTheFlag-downloader.exe"="C:\\Inu Yasha Movies\\CaptureTheFlag-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\World of Warcraft\\WoW-1.5.1.4449-to-1.6.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.5.1.4449-to-1.6.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Inu Yasha Movies\\WoW-1.6.1.4544-to-0.7.0-enUS-downloader.exe"="C:\\Inu Yasha Movies\\WoW-1.6.1.4544-to-0.7.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.6.1.4544-to-1.7.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.6.1.4544-to-1.7.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\WINDOWS\\SYSTEM32\\javaw.exe"="C:\\WINDOWS\\SYSTEM32\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\d3.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\d3.exe:*:Enabled:enable"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c509 Packet\3C5X9PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c556 Packet\3C556.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c59x Packet\3C59XPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1200 Packet\EC32PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1203 Packet\PCIPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1204 Packet\VLNWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207 Packet\PCIPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207C Packet\PCIPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207D Packet\ACCPKT.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207F Packet\EN5251PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207TX Packet\PCIPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1208 Packet\1208PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1625 Packet\NEPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1640 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1650 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1651 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1652 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1653 Packet\NE2PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1656 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1657 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1658 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN166X Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2216 Packet\PCMPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2218 Packet\PCMPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2228 Packet\PCMPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2320 Packet\EN5251PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DEVICE.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYB.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MODE.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MOUSE.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\NETBIND.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Paralink.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MSDOS\COMMAND.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\command.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMBIO.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMDOS.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE450 Packet\DE450.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE500 Packet\DE500.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWorks ISA (DE305) Packet\DE305.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DE400 Packet\De400pd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DMF560-TX Packet\Lmpd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DT620 Packet\Dt620pd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\IBM Crystal LAN Packet\Epktisa.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Kingston EtheRx KNE110TX Packet\Ktc110p.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD 10-100AL Packet\L100al.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-CDF Packet\Ldcdt.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-PCI2TL Packet\Ldpcil.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Melco LPC2-T\Lpchkat2.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FNW9x00T - ENW8300T Packet\fetpkt.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\FETPKT.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\Rtspkt.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\PXE Packet Driver\Undipd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\SN 2000p Packet\PNPPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\WaveLAN Packet\Wvlan42.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX Packet\Cbepd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS Packet\Xpspd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10 - RE100 Packet\Ce3pd.com
C:\Old Com D Drive\Program Files\Uninstall Information\IE40.Comctl32\AINF0000
C:\Program Files\Uninstall Information\IE40.Comctl32\AINF0000
C:\Old Com D Drive\Program Files\Uninstall Information\mshtml.DllReg\AINF0000
C:\Program Files\Uninstall Information\mshtml.DllReg\AINF0000
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS16.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\E.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\GUEST.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MSCDEX.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Net.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OHCI.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\PROTMAN.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\UHCI.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX\Cbendis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet 10-100 + Modem\Cbendis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS\Xpsndis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom PE3-10Bx\Pe3ndis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Re-100Btx + Ce3B-100Btx\Ce3ndis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10BT\Ce3ndis.exe
C:\HaNaHiMe\Install.exe
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Usbd.sys
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI1394.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI2DOS.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI4DOS.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8DOS.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8U2.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPICD.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIEHCI.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIOHCI.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIUHCI.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BOOTSRV.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\bootsrv16.sys
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTCDROM.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTDOSM.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\COUNTRY.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DISPLAY.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DLSHELP.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\FLASHPT.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\HIMEM.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYBOARD.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\msbootsrv16.sys
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OAKCDROM.SYS
C:\Program Files\finish\プリンセスサーガI `恥辱の姫君`\____.sys
C:\Web Program Downloads\Windows 98 Boot Disk\EBD.SYS
C:\Jason\English 1127\~WRL0005.tmp
C:\Jason\English 1127\~WRL0013.tmp
C:\Jason\English 1127\~WRL0305.tmp
C:\Jason\English 1127\~WRL1655.tmp
C:\Jason\English 1127\~WRL2226.tmp
C:\Jason\English 1127\~WRL2331.tmp
C:\Jason\English 1127\~WRL2334.tmp
C:\Jason\English 1127\~WRL2472.tmp
C:\Jason\English 1127\~WRL2642.tmp
C:\Jason\English 1127\~WRL3556.tmp
C:\Jason\English 1127\~WRL3648.tmp
C:\Jason\Math 1173 1183 Term 2\Lab 8\~WRL0003.tmp
C:\Jason\Math 1173 1183 Term 2\Lab 8\~WRL2398.tmp
C:\Jason\PACR 1235\Pachinko Presentation\~WRL0001.tmp
C:\Jason\PACR 1235\Pachinko Presentation\~WRL0003.tmp
C:\Jason\PACR 1235\Pachinko Presentation\~WRL0175.tmp
C:\Jason\PACR 1235\Pachinko Presentation\~WRL0420.tmp
C:\Jason\PACR 1235\Pachinko Presentation\~WRL0678.tmp
C:\Jason\PACR 1235\Pachinko Presentation\~WRL0940.tmp
C:\Jason\PACR 1235\Pachinko Presentation\~WRL0951.tmp
C:\Jason\PACR 1235\Pachinko Presentation\~WRL1787.tmp
C:\Jason\PACR 1235\Pachinko Presentation\~WRL1887.tmp
C:\Jason\PACR 1235\Pachinko Presentation\~WRL2262.tmp
C:\Jason\PACR 1235\Pachinko Presentation\~WRL2410.tmp
C:\Jason\PACR 1235\Pachinko Presentation\~WRL2950.tmp
C:\Jason\PACR 1235\Pachinko Presentation\~WRL3089.tmp
C:\Jason\PACR 1235\Pachinko Presentation\~WRL3249.tmp
C:\Jason\PACR 1235\Pachinko Presentation\~WRL3601.tmp
C:\Jason\PACR 1235\Pachinko Presentation\~WRL3636.tmp
C:\Jason\PACR China\Pudong\~WRL1614.tmp
C:\Jason\Psyc 1115\Reasearch Paper\~WRL0001.tmp
C:\Jason\Resume\~WRL0004.tmp
C:\Jason\Resume\~WRL0005.tmp
C:\Jason\Resume\~WRL0266.tmp
C:\Jason\Resume\~WRL1302.tmp
C:\Jason\Resume\~WRL2111.tmp
C:\Jason\Resume\~WRL2213.tmp
C:\Jason\Resume\~WRL3238.tmp
C:\Jason\Resume\~WRL3803.tmp
C:\Jason\Resumes 1-16-05\~WRL3700.tmp

Finished




Here is the mslook.bat text file, which was taken after the SDFix but before the LSPFix:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Acrobat Assistant.lnk"
"backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Distillr\\acrotray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AcctMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AcctMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton SystemWorks\\Password Manager\\AcctMgr.exe /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CloneCDElbyCDFL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ElbyCheck"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Elaborate Bytes\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Mirabilis ICQ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQNet"
"hkey"="HKLM"
"command"="C:\\Program Files\\ICQ\\ICQNet.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NVMixerTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVMixerTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\spoolsvv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="spoolsvv"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\spoolsvv.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpybotSD TeaTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TeaTimer"
"hkey"="HKCU"
"command"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000000
"services"=dword:00000000
"startup"=dword:00000002




And finally, the fresh HijackThis Log taken after the LSPFix and after removing svporsche.cab from the previous HijackThis Scan:


Logfile of HijackThis v1.99.1
Scan saved at 1:01:43 AM, on 4/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GetRight\Getright.exe
C:\Windows\Explorer.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start GetRight.lnk = C:\Program Files\GetRight\GETRIGHT.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GETRIGHT\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GETRIGHT\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES12031.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES12031.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\JETCAR.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120209053671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160072345984
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


I have successfully entered normal mode after these steps, so it seems to have worked. I haven't tested the internet yet though. I'm waiting on your OK to test it. Thanks again Susan for all your help!
