WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] Cryp_Trap-2 / Spyware warning

Started by laffenjoh , Apr 03 2008 03:24 PM

This topic is locked

32 replies to this topic

#1 laffenjoh

Authentic Member

Authentic Member
35 posts

Posted 03 April 2008 - 03:24 PM

Hi,

I have serious problems with my PC:

1. My Trend Micro OfficeScan detects a Virus/Malware called Cryp_Trap-2, and this is going on over and over again producing a long list in the OfficeScan Notification Message window. I cannot get rid of this.

2. Upon starting my computer, a blue wallpaper appears with a yellow text: "Warning spyware threat has been detected on your PC..." etc

Here comes the HJT log:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\gxsnorab\ihalqxgt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\vgpgzixq.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.no/0SEN...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.no/0SEN...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SEN...S01?FORM=TOOLBR
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mwxxmbmr] C:\WINDOWS\system32\vgpgzixq.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093264321400
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://ras.biovitru.../WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Can you please help me solve these problems?

Best regards
Laffenjoh

Advertisements

Register to Remove

#2 silver

Malware Expert Emeritus

Authentic Member
2,994 posts

Posted 09 April 2008 - 04:08 AM

Hi laffenjoh,

When posting your HijackThis log to the forum, please include the whole log starting with "Logfile of HijackThis..." - all the information is important

Download Deckard's System Scanner (DSS) to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Make sure Format->Word Wrap is unchecked
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply

Once complete, please post both DSS logs, you won't need to produce a new HijackThis log as DSS produces one for you.

ASAP & UNITE Member

#3 laffenjoh

Authentic Member

Authentic Member
35 posts

Posted 09 April 2008 - 04:54 AM

Hi Silver,

Sorry about the missing part of the HJT log, the was a mistake by me..

/Lars

Here are the DSS logs:

Deckard's System Scanner v20071014.68
Run by Lars on 2008-04-09 12:46:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
12: 2008-04-09 10:47:00 UTC - RP240 - Deckard's System Scanner Restore Point
11: 2008-04-03 12:50:19 UTC - RP239 - Last known good configuration
10: 2008-04-03 12:49:59 UTC - RP238 - System Checkpoint
9: 2008-04-03 12:49:57 UTC - RP237 - System Checkpoint
8: 2008-04-03 12:49:54 UTC - RP236 - System Checkpoint

-- First Restore Point --
1: 2008-04-03 12:49:44 UTC - RP229 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Lars.exe) ------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-09 12:48:02
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\incdsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Compaq\Easy Access Button Support\STARTEAK.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Compaq\Easy Access Button Support\CpqEAKSystemTray.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\compaq\EAKDRV\EAUSBKBD.exe
C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\vgpgzixq.exe
C:\Program Files\Compaq\Easy Access Button Support\BttnServ.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Lars\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.no/0SEN...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.no/0SEN...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SEN...S01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {826A5ED9-1316-4EFD-87F8-AA400C5D551A} - C:\WINDOWS\system32\xxyvsrro.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar4.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: (no name) - {FB0A80A6-E833-43E2-931D-5FEC5D35099C} - C:\WINDOWS\system32\yayaAQjG.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mwxxmbmr] C:\WINDOWS\system32\vgpgzixq.exe
O4 - HKLM\..\Policies\Explorer\Run: [tIVH5Spcjn] C:\Documents and Settings\All Users\Application Data\gxsnorab\ihalqxgt.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093264321400
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://ras.biovitru.../WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O20 - Winlogon Notify: xxyvsrro - C:\WINDOWS\system32\xxyvsrro.dll
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - (no file)
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\incdsrv.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11322 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ewido security suite driver - c:\program files\ewido anti-malware\guard.sys

S2 WZHNHPNP - c:\windows\system32\wzhnhpnp.emc (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 LVUSBSta (Logitech USB Monitor Filter) - c:\windows\system32\drivers\lvusbsta.sys (file missing)
S3 PID_0928 (Logitech QuickCam Express(PID_0928)) - c:\windows\system32\drivers\lv561av.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AdobeActiveFileMonitor (Adobe Active File Monitor) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsfileagent.exe
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 PhotoshopElementsDeviceConnect (Photoshop Elements Device Connect) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsdeviceconnect.exe

S4 ewido security suite guard - c:\program files\ewido anti-malware\ewidoguard.exe <Not Verified; ewido networks; guard>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-04-03 23:21:04 256 --a------ C:\WINDOWS\Tasks\Se etter oppdateringer for Windows Live Toolbar.job
2007-10-11 07:39:12 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-03-09 and 2008-04-09 -----------------------------

2008-04-03 21:39:26 0 dr-h----- C:\Documents and Settings\Lars\Recent
2008-04-03 20:42:16 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-04-03 20:42:16 4096 --a------ C:\WINDOWS\system32winlogonpc.exe
2008-04-03 20:42:16 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-04-03 20:42:15 4096 --a------ C:\WINDOWS\system32hoproxy.dll
2008-04-03 20:42:12 4096 --a------ C:\WINDOWS\system32taack.exe
2008-04-03 20:42:12 4096 --a------ C:\WINDOWS\system32taack.dat
2008-04-03 20:42:12 4096 --a------ C:\WINDOWS\system32sncntr.exe
2008-04-03 20:42:12 4096 --a------ C:\WINDOWS\system32mwin32.exe
2008-04-03 20:42:12 4096 --a------ C:\WINDOWS\system32hxiwlgpm.exe
2008-04-03 20:42:12 4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
2008-04-03 20:42:12 4096 --a------ C:\WINDOWS\a.bat
2008-04-03 20:42:12 0 d-------- C:\Documents and Settings\Lars\Desktopvirii
2008-04-03 20:42:11 4096 --a------ C:\WINDOWS\system32psoft1.exe
2008-04-03 20:42:11 4096 --a------ C:\WINDOWS\system32psof1.exe
2008-04-03 20:42:11 4096 --a------ C:\WINDOWS\system32ps1.exe
2008-04-03 20:42:11 4096 --a------ C:\WINDOWS\system32msnbho.dll
2008-04-03 20:42:11 4096 --a------ C:\WINDOWS\system32bsva-egihsg52.exe
2008-04-03 20:42:11 4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-04-03 20:42:10 4096 --a------ C:\WINDOWS\system32temp#01.exe
2008-04-03 20:42:10 4096 --a------ C:\WINDOWS\system32ssurf022.dll
2008-04-03 20:42:10 0 d-------- C:\WINDOWS\system32smp
2008-04-03 20:42:10 4096 --a------ C:\WINDOWS\system32netode.exe
2008-04-03 20:42:10 4096 --a------ C:\WINDOWS\system32mtr2.exe
2008-04-03 20:42:10 4096 --a------ C:\WINDOWS\system32msgp.exe
2008-04-03 20:42:10 4096 --a------ C:\WINDOWS\system32medup020.dll
2008-04-03 20:42:10 4096 --a------ C:\WINDOWS\system32medup012.dll
2008-04-03 20:42:10 4096 --a------ C:\WINDOWS\system32h@tkeysh@@k.dll
2008-04-03 20:42:06 4096 --a------ C:\WINDOWS\system32dpcproxy.exe
2008-04-03 20:41:58 4096 --a------ C:\WINDOWS\system32ssvchost.exe
2008-04-03 20:41:58 4096 --a------ C:\WINDOWS\system32ssvchost.com
2008-04-03 20:41:58 4096 --a------ C:\WINDOWS\system32regm64.dll
2008-04-03 20:41:58 4096 --a------ C:\WINDOWS\system32regc64.dll
2008-04-03 20:41:58 4096 --a------ C:\WINDOWS\system32msvchost.exe
2008-04-03 20:41:57 4096 --a------ C:\Documents and Settings\Lars\Desktopfilemanagerclient.exe
2008-04-03 20:41:52 4096 --a------ C:\WINDOWS\system32thun32.dll
2008-04-03 20:41:52 4096 --a------ C:\WINDOWS\system32thun.dll
2008-04-03 20:41:47 4096 --a------ C:\WINDOWS\system32Rundl1.exe
2008-04-03 20:41:46 4096 --a------ C:\Documents and Settings\Lars\DesktopFWebdEditor.exe
2008-04-03 20:41:46 4096 --a------ C:\Documents and Settings\Lars\Desktopfwebd.exe
2008-04-03 20:41:40 4096 --a------ C:\WINDOWS\winsystem.exe
2008-04-03 20:41:40 4096 --a------ C:\WINDOWS\system32WINWGPX.EXE
2008-04-03 20:41:40 4096 --a------ C:\WINDOWS\system32winsystem.exe
2008-04-03 20:41:40 4096 --a------ C:\WINDOWS\system32vcatchpi.dll
2008-04-03 20:41:40 4096 --a------ C:\WINDOWS\system32sysreq.exe
2008-04-03 20:41:40 4096 --a------ C:\WINDOWS\system32newsd32.exe
2008-04-03 20:41:40 4096 --a------ C:\WINDOWS\system32mssecu.exe
2008-04-03 20:41:40 4096 --a------ C:\WINDOWS\system32emesx.dll
2008-04-03 20:41:40 4096 --a------ C:\WINDOWS\system32bdn.com
2008-04-03 20:41:40 4096 --a------ C:\WINDOWS\system32anticipator.dll
2008-04-03 20:41:40 4096 --a------ C:\WINDOWS\system32akttzn.exe
2008-04-03 20:41:40 4096 --a------ C:\WINDOWS\mssecu.exe
2008-04-03 20:41:40 4096 --a------ C:\WINDOWS\bdn.com
2008-04-03 20:41:38 4096 --a------ C:\WINDOWS\system32awtoolb.dll
2008-04-03 20:41:33 4096 --a------ C:\WINDOWS\system32vbsys2.dll
2008-04-03 20:41:33 0 d-------- C:\WINDOWS\mslagent
2008-04-03 20:41:29 0 d-------- C:\Program Files\akl
2008-04-03 20:40:54 106496 --a------ C:\WINDOWS\system32\vgpgzixq.exe
2008-04-03 14:49:23 7450 --ahs---- C:\WINDOWS\system32\GjQAayay.ini2
2008-04-03 14:49:19 268288 --a------ C:\WINDOWS\system32\yayaAQjG.dll
2008-04-03 14:38:00 217088 --a------ C:\WINDOWS\sxfnewqb.dll
2008-04-03 14:38:00 212992 --a------ C:\WINDOWS\svpekgongpv.dll
2008-04-03 14:37:59 151552 --a------ C:\WINDOWS\stfngdvw.dll
2008-04-03 14:37:59 188416 --a------ C:\WINDOWS\fkdnrwsv.dll
2008-04-03 14:37:59 98304 --a------ C:\WINDOWS\dwltqnmx.exe
2008-04-03 14:37:59 0 d-------- C:\Documents and Settings\All Users\Application Data\gxsnorab
2008-04-03 14:37:43 36352 --a------ C:\WINDOWS\system32\xxyvsrro.dll

-- Find3M Report ---------------------------------------------------------------

2008-04-03 22:32:54 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-03 14:49:19 268288 --a------ C:\WINDOWS\system32\yayaAQjG.dll
2008-04-02 22:30:21 0 d-------- C:\Documents and Settings\Lars\Application Data\AdobeUM
2008-02-25 21:36:21 0 d-------- C:\Documents and Settings\Lars\Application Data\DivX
2008-02-17 22:31:22 0 d-------- C:\Documents and Settings\Lars\Application Data\Adobe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77701e16-9bfe-4b63-a5b4-7bd156758a37}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{826A5ED9-1316-4EFD-87F8-AA400C5D551A}]
03.04.2008 14:37 36352 --a------ C:\WINDOWS\system32\xxyvsrro.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
15.12.2007 12:10 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB0A80A6-E833-43E2-931D-5FEC5D35099C}]
03.04.2008 14:49 268288 --a------ C:\WINDOWS\system32\yayaAQjG.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [15.12.2007 12:10 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [15.12.2003 00:20]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [15.12.2003 00:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25.09.2007 01:11]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [01.02.2003 01:49]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [28.05.2002 10:37]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [24.07.2001 23:34]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [07.08.2002 16:24]
"CPQEASYACC"="C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe" [14.12.2001 23:01]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09.07.2001 11:50]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [06.04.2004 19:36]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [29.01.2004 10:45]
"nwiz"="nwiz.exe" [29.01.2004 10:45 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [29.01.2004 10:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [29.06.2007 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [31.07.2007 18:44]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [08.05.2007 02:43]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [13.03.2008 23:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13.10.2004 18:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [26.01.2007 11:30]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 09:56]
"mwxxmbmr"="C:\WINDOWS\system32\vgpgzixq.exe" [03.04.2008 20:40]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [04.10.2004 02:12:18]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [21.01.2000 08:15:54]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [23.12.1998 21:51:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"tIVH5Spcjn"=C:\Documents and Settings\All Users\Application Data\gxsnorab\ihalqxgt.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{826A5ED9-1316-4EFD-87F8-AA400C5D551A}"= C:\WINDOWS\system32\xxyvsrro.dll [03.04.2008 14:37 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsrro]
xxyvsrro.dll 03.04.2008 14:37 36352 C:\WINDOWS\system32\xxyvsrro.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yayaAQjG

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a

-- End of Deckard's System Scanner: finished at 2008-04-09 12:50:42 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 76%
Physical Memory (total/avail): 511.48 MiB / 122.66 MiB
Pagefile Memory (total/avail): 1238.07 MiB / 879.59 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.04 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 18.34 GiB free.
D: is Fixed (NTFS) - 149.05 GiB total, 148.62 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)

\\.\PHYSICALDRIVE1 - ST3160023A - 149.05 GiB - 1 partition
\PARTITION0 - Logical Disk Manager - 149.05 GiB - D:

\\.\PHYSICALDRIVE0 - WDC WD400BB-22HEA1 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: ZoneAlarm Firewall v7.0.470.000 (Check Point, LTD.)
AV: Trend Micro OfficeScan Antivirus v8.0 (TrendAntiVirus)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Lars\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Lars
LOGONSERVER=\\HOME
NpmLib=C:\Norman\Npm\Bin
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier";C:\Norman\Npm\Bin;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Lars\LOCALS~1\Temp
TMP=C:\DOCUME~1\Lars\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=HOME
USERNAME=Lars
USERPROFILE=C:\Documents and Settings\Lars
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Lars (admin)
Trine (admin)
Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> MsiExec.exe /I{5B782FFA-6A95-480D-8E0A-0954A14693D6}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Acrobat and Reader 6.0.3 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000603}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop Elements 3.0 --> MsiExec.exe /I{851C67EF-068A-4060-9EF5-2E3DDCD68382}
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Apple Mobile Device Support --> MsiExec.exe /I{967D588C-9B96-40C9-A222-DCD6922563CA}
Apple Software Update --> MsiExec.exe /I{492724FC-3B26-46B4-824F-3CE2722D9AA0}
Broadcom Management Programs --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{750DFF5E-C559-11D4-A441-00B0D0436EE7}\Setup.exe"
Canon i965 --> C:\WINDOWS\System32\CNMCP5n.exe "-PRINTERNAMECanon i965" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon i965 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon i965 Installer\Inst2\cnmi0409.dll"
DiMAGE Viewer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{976EA7B1-7562-483D-88DA-4323D263B7CD}\Setup.exe" -l0x9 anything
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Easy Access Button Support --> C:\Program Files\COMPAQ\Easy Access Button Support\Uninst.exe
ewido anti-malware --> C:\Program Files\ewido anti-malware\Uninstall.exe
Feed-detektor for Windows Live Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{20E4FE32-6A56-4CD3-8DDE-56C360D3727A}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> C:\Program Files\HijackThis.exe /uninstall
IKEA Home Planner Kitchen --> C:\PROGRA~1\IKEAHO~1\UNWISE.EXE C:\PROGRA~1\IKEAHO~1\INSTALL.LOG
InCD --> C:\WINDOWS\NuNInst.exe /UNINSTALL
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{E0219810-16E4-437D-9165-93D7B22524F9}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.2_01 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142010}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
KONICA_MINOLTA DiMAGE remote camera driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99E67091-D392-4031-AD2A-E9547F3615F8}\setup.exe" -l0x9
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 Proofing Tools Disc 1 --> MsiExec.exe /I{00300409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 SR-1 Standard --> MsiExec.exe /I{00020409-78E1-11D2-B60F-006097C998E7}
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Display Driver --> C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
OneCare Advisor (Windows Live Toolbar) --> MsiExec.exe /X{037E9698-C8E7-44A7-8F04-0234760B7F2D}
Popup-blokkering (Windows Live Toolbar) --> MsiExec.exe /X{4F4913A9-700B-4C4F-8170-FDB145FF2E11}
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Smartmenyer (Windows Live Toolbar) --> MsiExec.exe /X{12841457-E894-476B-B4AA-09F403E7B7C6}
Software Setup --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\COMPAQ\Software Setup\Uninst.isu" -c"C:\Program Files\COMPAQ\Software Setup\CPQUNST.DLL"
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\setup.exe" UNINSTALL
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.EXE"
System Security Suite 1.04 --> C:\Program Files\System Security Suite 1.04\uninstal.exe
Trend Micro OfficeScan Client --> "C:\Program Files\Trend Micro\OfficeScan Client\ntrmv.exe"
Utvidelse for Windows Live Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{DC752A56-5572-454C-9695-154ED6C1A5AB}
Whale Communications' Client Components v3.7.1 --> rundll32.exe C:\WINDOWS\DOWNLO~1\DM.0\WhlMgr.dll,UnInstall 3.1.0 63 0 1 3.7.1
WinAce Archiver --> C:\Program Files\WinAce\SXUNINST.EXE C:\Program Files\WinAce\SXUNINST.INI
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /I{B4C75EAB-B1B8-4120-B9AF-0852EAE4A434}
Windows Live Outlook Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{9CD62AAC-122D-4B9A-A46C-7EC2F566307B}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {C887E8F1-6500-46EA-BF73-3EF636159444}
Windows Live Toolbar --> MsiExec.exe /X{C887E8F1-6500-46EA-BF73-3EF636159444}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
ZoneAlarm Spy Blocker --> rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O

-- Application Event Log -------------------------------------------------------

Event Record #/Type2979 / Success
Event Submitted/Written: 04/09/2008 00:39:04 PM
Event ID/Source: 2570 / Adobe Active File Monitor
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type2976 / Success
Event Submitted/Written: 04/09/2008 00:24:26 PM
Event ID/Source: 2570 / Adobe Active File Monitor
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type2973 / Success
Event Submitted/Written: 04/08/2008 09:43:12 AM
Event ID/Source: 2570 / Adobe Active File Monitor
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type2970 / Success
Event Submitted/Written: 04/03/2008 10:49:40 PM
Event ID/Source: 2570 / Adobe Active File Monitor
Event Description:
Adobe Active File Monitor Service has Started.

Event Record #/Type2967 / Success
Event Submitted/Written: 04/03/2008 10:35:22 PM
Event ID/Source: 2570 / Adobe Active File Monitor
Event Description:
Adobe Active File Monitor Service has Started.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type26581 / Error
Event Submitted/Written: 04/09/2008 00:41:17 PM
Event ID/Source: 7011 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

Event Record #/Type26576 / Error
Event Submitted/Written: 04/09/2008 00:41:17 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The OfficeScan NT Listener service failed to start due to the following error:
%%1053

Event Record #/Type26575 / Error
Event Submitted/Written: 04/09/2008 00:41:17 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the OfficeScan NT Listener service to connect.

Event Record #/Type26574 / Warning
Event Submitted/Written: 04/09/2008 00:38:53 PM / 04/09/2008 00:39:22 PM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom NetXtreme Gigabit Ethernet for hp: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type26567 / Warning
Event Submitted/Written: 04/09/2008 00:37:20 PM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom NetXtreme Gigabit Ethernet for hp: The network link is down. Check to make sure the network cable is properly connected.

-- End of Deckard's System Scanner: finished at 2008-04-09 12:50:42 ------------

#4 silver

Malware Expert Emeritus

Authentic Member
2,994 posts

Posted 09 April 2008 - 08:29 PM

Hi laffenjoh,

If you have any problems with these instructions please stop and let me know - do not continue on.

------------------------------------------------------------------------

Temporarily disable Ewido:
Open Ewido Antimalware and select the Status screen
Next to Resident Shield press Change state so that the status reads inactive
Close Ewido Antimalware

------------------------------------------------------------------------

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Right-click the white box in the middle and select Add more files?
Copy/paste the following path into the program:

C:\WINDOWS\system32\xxyvsrro.dll
Then press Add Files, Close Window and then Remove Vundo
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo
When completed, it will prompt that it will reboot your computer, click OK
Post the contents of C:\vundofix.txt in your next response

------------------------------------------------------------------------

Backup Your Registry with ERUNT:

Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location.

Note: to restore your registry, go to the backup folder and start ERDNT.exe

------------------------------------------------------------------------

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:
NOTE: I have uploaded this file as runme.txt, you can download it if you prefer

@echo off
echo REGEDIT4> temp.reg
echo.>> temp.reg
echo [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>> temp.reg
echo "mwxxmbmr"=->> temp.reg
echo.>> temp.reg
echo [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]>> temp.reg
echo "tIVH5Spcjn"=->> temp.reg
echo.>> temp.reg
echo [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]>> temp.reg
echo "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00>> temp.reg
echo.>> temp.reg
regedit /s temp.reg >> results.txt 2>>&1
del /q temp.reg >> results.txt 2>>&1
reg query hkcr\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s >> results.txt 2>>&1
dir c:\windows\system32\wzhnhpnp.emc /a >> results.txt 2>>&1

Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a short time, this is normal.
Another text file should appear on your Desktop called results.txt, do not open it until the black box has closed.
Post the contents of this file in your next response.

------------------------------------------------------------------------

Please download OTMoveIt2 by OldTimer to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)

Double-click OTMoveIt2.exe to start the program. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy the lines in the OTMoveIt file list below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
OTMoveIt File List:

C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\a.bat
C:\Documents and Settings\Lars\Desktopvirii
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32smp
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32msvchost.exe
C:\Documents and Settings\Lars\Desktopfilemanagerclient.exe
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32Rundl1.exe
C:\Documents and Settings\Lars\DesktopFWebdEditor.exe
C:\Documents and Settings\Lars\Desktopfwebd.exe
C:\WINDOWS\winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\bdn.com
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\mslagent
C:\Program Files\akl
C:\WINDOWS\system32\vgpgzixq.exe
C:\WINDOWS\system32\GjQAayay.ini2
C:\WINDOWS\system32\yayaAQjG.dll
C:\WINDOWS\sxfnewqb.dll
C:\WINDOWS\svpekgongpv.dll
C:\WINDOWS\stfngdvw.dll
C:\WINDOWS\fkdnrwsv.dll
C:\WINDOWS\dwltqnmx.exe
C:\Documents and Settings\All Users\Application Data\gxsnorab
C:\WINDOWS\system32\xxyvsrro.dll
C:\WINDOWS\system32\yayaAQjG.dll
C:\Documents and Settings\All Users\Application Data\gxsnorab\ihalqxgt.exe

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
Then click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
If OTMoveIt asks to reboot your computer, allow it to do so. The report will appear in Notepad after the reboot.
Close OTMoveIt2

------------------------------------------------------------------------

Then, make a new main.txt with DSS:

Make sure DSS.exe is on your Desktop
Press the Start->Run, copy/paste the following command into the box and press OK:

"%userprofile%\desktop\dss.exe" /config
A configuration box will appear, make sure all boxes are checked in the Main Log section, then un-check everything in the Extra Log section and press Scan!

------------------------------------------------------------------------

Once complete, please post the VundoFix report, the results.txt output, the OTMoveIt report and the new DSS main.txt report.

Attached Files

runme.txt 729bytes 437 downloads

ASAP & UNITE Member

#5 laffenjoh

Authentic Member

Authentic Member
35 posts

Posted 10 April 2008 - 02:40 PM

Hi Silver, Thanks for your fast reply! I have actually problems to Temporarily disable Ewido: When I select the Status screen, I am not able to find neither "Resident Shield" nor "Change state" anywere in the Ewido window... The items I find is "Your Security Status", "Status of the program" and "Additional". It is version 3.5 of the program. What do you suggest - should I deinstall the program? (Due to this, I have not performed any of the instructions that you sent in the last post). /Lars

#6 silver

Malware Expert Emeritus

Authentic Member
2,994 posts

Posted 10 April 2008 - 07:53 PM

I'm sorry, my instructions refer to a more recent version. Ewido is outdated and unless you have paid for the program I recommend you uninstall it via Add/Remove Programs. If you have paid for the program you should contact AVG customer support about upgrading to a current version. I will give you some advice on free alternatives to this program once your computer is clean.

ASAP & UNITE Member

#7 laffenjoh

Authentic Member

Authentic Member
35 posts

Posted 11 April 2008 - 03:29 PM

Hi Silver,

I have tried to follow your instructions as good as possible..

One question: I have not restored my registry (ERDNT.exe) - I understood it as I should do this later on, is this correct?

/Lars

Here are the logs:

VundoFix V7.0.3

Scan started at 22:29:14 11.04.2008

Listing files found while scanning....

No infected files were found.

result.txt:

Error: The system was unable to find the specified registry key or value
Volume in drive C has no label.
Volume Serial Number is 74F3-986B

Directory of c:\windows\system32

File Not Found

OTMovelt report:

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\yayaAQjG.dll
C:\WINDOWS\system32\yayaAQjG.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\yayaAQjG.dll scheduled to be moved on reboot.

Deckard's System Scanner v20071014.68
Run by Lars on 2008-04-11 23:13:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

-- Last 5 Restore Point(s) --
12: 2008-04-09 10:47:00 UTC - RP240 - Deckard's System Scanner Restore Point
11: 2008-04-03 12:50:19 UTC - RP239 - Last known good configuration
10: 2008-04-03 12:49:59 UTC - RP238 - System Checkpoint
9: 2008-04-03 12:49:57 UTC - RP237 - System Checkpoint
8: 2008-04-03 12:49:54 UTC - RP236 - System Checkpoint

-- First Restore Point --
1: 2008-04-03 12:49:44 UTC - RP229 - System Checkpoint

Performed disk cleanup.

Percentage of Memory in Use: 85% (more than 75%).

-- HijackThis (run as Lars.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 23:13:43, on 11.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\XTD25A.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\vgpgzixq.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Lars\desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Lars.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.no/0SEN...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.no/0SEN...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SEN...S01?FORM=TOOLBR
O2 - BHO: (no name) - {04F9002E-AF05-4A49-B5AF-01C655AA4E69} - C:\WINDOWS\system32\yayaAQjG.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {826A5ED9-1316-4EFD-87F8-AA400C5D551A} - C:\WINDOWS\system32\xxyvsrro.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093264321400
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://ras.biovitru.../WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xxyvsrro - C:\WINDOWS\SYSTEM32\xxyvsrro.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R4 ewido security suite driver - c:\program files\ewido anti-malware\guard.sys (file missing)

S2 WZHNHPNP - c:\windows\system32\wzhnhpnp.emc (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 LVUSBSta (Logitech USB Monitor Filter) - c:\windows\system32\drivers\lvusbsta.sys (file missing)
S3 PID_0928 (Logitech QuickCam Express(PID_0928)) - c:\windows\system32\drivers\lv561av.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AdobeActiveFileMonitor (Adobe Active File Monitor) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsfileagent.exe
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 PhotoshopElementsDeviceConnect (Photoshop Elements Device Connect) - c:\program files\adobe\photoshop elements 3.0\photoshopelementsdeviceconnect.exe

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 692)
2002-11-07 04:00:38 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-04-03 14:37:43 36352 --a------ C:\WINDOWS\system32\xxyvsrro.dll

C:\WINDOWS\system32\svchost.exe (pid 956)
2002-11-07 04:00:38 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>

C:\WINDOWS\system32\svchost.exe (pid 1100)
2002-11-07 04:00:38 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>

C:\WINDOWS\system32\svchost.exe (pid 1816)
2002-11-07 04:00:38 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>

C:\WINDOWS\explorer.exe (pid 2568)
2002-11-07 04:00:38 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-04-03 14:49:19 268288 --a------ C:\WINDOWS\system32\yayaAQjG.dll
2008-04-03 14:37:43 36352 --a------ C:\WINDOWS\system32\xxyvsrro.dll
2004-09-30 14:21:56 39488 --a------ C:\Program Files\ewido anti-malware\shellhook.dll
2005-08-09 03:06:00 166912 --a------ C:\Program Files\WinAce\arcext.dll <Not Verified; e-merge GmbH; WinAce-Archiver>
2005-08-09 03:06:00 235008 --a------ C:\Program Files\WinAce\acev2.dll <Not Verified; ACE Compression Software; WinAce>
2004-01-22 18:36:28 120832 --a------ C:\Program Files\WinRAR\RarExt.dll
2005-05-21 18:13:03 69632 --a------ C:\Program Files\ewido anti-malware\context.dll <Not Verified; ewido networks; context_menu>
2005-09-16 22:31:39 24640 --a------ C:\Program Files\ewido anti-malware\lang.dll <Not Verified; privat; privat lang>
2006-12-22 13:28:14 271360 --a------ C:\WINDOWS\system32\mscoree.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2007-04-13 21:57:58 86016 --a------ C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorie.dll <Not Verified; Microsoft Corporation; Microsoft .NET Framework>
2007-04-13 21:58:00 102400 --a------ C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll <Not Verified; Microsoft Corporation; Microsoft .NET Framework>

C:\WINDOWS\system32\rundll32.exe (pid 3168)
2002-11-07 04:00:38 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>

-- Scheduled Tasks -------------------------------------------------------------

2008-04-11 22:21:06 256 --a------ C:\WINDOWS\Tasks\Se etter oppdateringer for Windows Live Toolbar.job
2007-10-11 07:39:12 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-03-11 and 2008-04-11 -----------------------------

2008-04-11 23:11:04 3648 --a------ C:\WINDOWS\system32\flutpggw.dll
2008-04-11 23:09:45 85809 --ahs---- C:\WINDOWS\system32\GjQAayay.ini2
2008-04-11 22:29:14 0 d-------- C:\VundoFix Backups
2008-04-03 21:39:26 0 dr-h----- C:\Documents and Settings\Lars\Recent
2008-04-03 14:49:19 268288 --a------ C:\WINDOWS\system32\yayaAQjG.dll
2008-04-03 14:38:00 212992 --a------ C:\WINDOWS\svpekgongpv.dll
2008-04-03 14:37:59 151552 --a------ C:\WINDOWS\stfngdvw.dll
2008-04-03 14:37:59 188416 --a------ C:\WINDOWS\fkdnrwsv.dll
2008-04-03 14:37:59 98304 --a------ C:\WINDOWS\dwltqnmx.exe
2008-04-03 14:37:59 0 d-------- C:\Documents and Settings\All Users\Application Data\gxsnorab
2008-04-03 14:37:43 36352 --a------ C:\WINDOWS\system32\xxyvsrro.dll

-- Find3M Report ---------------------------------------------------------------

2008-04-11 22:56:22 0 d-------- C:\Program Files\ewido anti-malware
2008-04-03 22:32:54 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-03 14:49:19 268288 --a------ C:\WINDOWS\system32\yayaAQjG.dll
2008-04-02 22:30:21 0 d-------- C:\Documents and Settings\Lars\Application Data\AdobeUM
2008-02-25 21:36:21 0 d-------- C:\Documents and Settings\Lars\Application Data\DivX
2008-02-17 22:31:22 0 d-------- C:\Documents and Settings\Lars\Application Data\Adobe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04F9002E-AF05-4A49-B5AF-01C655AA4E69}]
03.04.2008 14:49 268288 --a------ C:\WINDOWS\system32\yayaAQjG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77701e16-9bfe-4b63-a5b4-7bd156758a37}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{826A5ED9-1316-4EFD-87F8-AA400C5D551A}]
03.04.2008 14:37 36352 --a------ C:\WINDOWS\system32\xxyvsrro.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
15.12.2007 12:10 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [15.12.2003 00:20]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [15.12.2003 00:07]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25.09.2007 01:11]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [01.02.2003 01:49]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [28.05.2002 10:37]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [24.07.2001 23:34]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [07.08.2002 16:24]
"CPQEASYACC"="C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe" [14.12.2001 23:01]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09.07.2001 11:50]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [06.04.2004 19:36]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [29.01.2004 10:45]
"nwiz"="nwiz.exe" [29.01.2004 10:45 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [29.01.2004 10:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [29.06.2007 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [31.07.2007 18:44]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [08.05.2007 02:43]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [13.03.2008 23:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13.10.2004 18:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [26.01.2007 11:30]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 09:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [04.10.2004 02:12:18]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [21.01.2000 08:15:54]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [23.12.1998 21:51:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{826A5ED9-1316-4EFD-87F8-AA400C5D551A}"= C:\WINDOWS\system32\xxyvsrro.dll [03.04.2008 14:37 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsrro]
xxyvsrro.dll 03.04.2008 14:37 36352 C:\WINDOWS\system32\xxyvsrro.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yayaAQjG

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a

-- End of Deckard's System Scanner: finished at 2008-04-11 23:16:32 ------------

#8 silver

Malware Expert Emeritus

Authentic Member
2,994 posts

Posted 11 April 2008 - 09:57 PM

Hi laffenjoh,

Did you have any problems removing Ewido? Some components appear to still be operating, please let me know what happened with this.

How did you get on with VundoFix? It appears that the file path was not added to the program, please try again using these revised instructions:

Double-click VundoFix.exe to run it.
Right-click the white box in the middle and select Add more files?
Copy the following path into the File name: box and press OK:

C:\WINDOWS\system32\xxyvsrro.dll
The file path should appear in the program interface - check the box next to it then press the Remove Vundo button
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo
When completed, it will prompt that it will reboot your computer, click OK
Post the contents of C:\vundofix.txt in your next response

It looks like part of the OTMoveIt report is missing, please open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Once complete please post the new VundoFix report, the OTMoveIt report and a new HijackThis log.

ASAP & UNITE Member

#9 laffenjoh

Authentic Member

Authentic Member
35 posts

Posted 12 April 2008 - 01:50 AM

Hi Silver,

No I had no problems to remove Ewido by uninstalling the program from the Control Menu...

However, I realized I did not try to remove xxyvsrro.dll with VundoFix the last time, I pressed
"Scan for Vundo" rather than "Fix Vundo" (= Remove Vundo?).

However, now I have ran VundoFix once again trying to remove xxyvsrro.dll with "Fix Vundo" button this
time, but I got a message saying that:
"C:\WINDOWS\system32\xxyvsrro.dll could not be deleted. Please Click Remove Vundo once your machine has reboooted."
After the first reboot I got the same massage again, however, the second attempt after reboot it seemed to work.

When I ran OTMovelt, I got a lot of similar error messages regarding certain files (I don't remember exactly what the massages were),
but I clicked "OK" to all of these in order to let the program complete. The strange thing is that I am not able to find any log file
in the C:\_OTMovelt\MovedFiles folder...

So far, there are no significant changes regarding the computer performance, I still get the warning message from TM OfficeScan about Cryp_Tap-2
over and over again, and the blue "Spyware warning wallpaper" is still present..

/Lars

Here are the logs:

VundoFix V7.0.3

Scan started at 22:29:14 11.04.2008

Listing files found while scanning....

No infected files were found.

Beginning removal...

Attempting to delete C:\WINDOWS\system32\xxyvsrro.dll
C:\WINDOWS\system32\xxyvsrro.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\xxyvsrro.dll
C:\WINDOWS\system32\xxyvsrro.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 09:46:48, on 12.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\QY6453.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.no/0SEN...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.no/0SEN...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SEN...S01?FORM=TOOLBR
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [74f398c4] rundll32.exe "C:\WINDOWS\system32\gpwbrlsq.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093264321400
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://ras.biovitru.../WhlCompMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#10 silver

Malware Expert Emeritus

Authentic Member
2,994 posts

Posted 12 April 2008 - 02:40 AM

Hi laffenjoh,

I'm sorry you are having some difficulties with the processes, this doesn't normally happen!

I should have answered this before:

One question: I have not restored my registry (ERDNT.exe) - I understood it as I should do this later on, is this correct?

Yes this is correct, we would only need to restore the registry if something went seriously wrong with the fix.

We will use a different method:

Please download and run ComboFix. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingc...to-use-combofix

When the tool is finished, it will produce a report for you, please post the C:\ComboFix.txt report in your next response along with a new HijackThis log.

ASAP & UNITE Member

Advertisements

Register to Remove

#11 laffenjoh

Authentic Member

Authentic Member
35 posts

Posted 12 April 2008 - 04:30 AM

Hi Silver,

I am in the process of installing Combofix, and just to make sure everthing is as it should I want to check with you:

I follow the instructions at the bleepingcomputer page and have just downloaded the Windows XP Recovery Console.
Under points 3 and 4 it says that after draging the MS file on top of the Combofix icon, Combofix will automatically
install the Win Recovery Console onto my computer. However, what happens when I drag and drop the MS file is that
the Combofix "Open File - Security Warning" window opens (ie the same window seen below in the instructions after "once you double-click
on the icon..." I am not sure whether I should click on "run" at this point or not since nothing is said in the instructons about that this
window should open after the drag and drop operation. (I have not yet disabled my TM officescan and ZA firewall).
Is it safe to go on and click "run", ie will this install the Win Recovery Console without starting the Combofix program?

I just don't want to do anything that screws things up! :blush:

/Lars

#12 silver

Malware Expert Emeritus

Authentic Member
2,994 posts

Posted 12 April 2008 - 04:35 AM

Yes, you should click "Run" and ComboFix should then proceed to install the recovery console, you're right the instructions don't clarify on this and it should probably be in there.

ASAP & UNITE Member

#13 laffenjoh

Authentic Member

Authentic Member
35 posts

Posted 12 April 2008 - 06:49 AM

Hi Silver,

Another problem......I am not sure how to disable Trend Micro Officescan.. If I right-click and chose unload the Trend Micro OfficeScan, a window pops up asking for the password for this action (which I don't have at the moment). Is there another way to disable Trend Micro Officescan so I can run ComboFix?

/Lars

#14 silver

Malware Expert Emeritus

Authentic Member
2,994 posts

Posted 12 April 2008 - 07:43 AM

If you can't disable Officescan then leave it running, but start ComboFix like this:

Make sure ComboFix.exe is on the Desktop
Press Start->Run, copy/paste the following command into the box and press OK:

"%userprofile%\desktop\combofix.exe" /killall

ComboFix should then begin running and it will reboot your computer when complete.

ASAP & UNITE Member

#15 laffenjoh

Authentic Member

Authentic Member
35 posts

Posted 12 April 2008 - 08:51 AM

Hi Silver,

This is driving me crazy...

I disabled ZA firewall and left OfficeScan running, then I did the drag and drop of the MS file to the ComboFix icon in order to install the Win Recovery Console . Once again the "Open File - Security Warning" window opened, and I clicked run. A new blue window opened up with a disclaimer, and I was told to exit all programs and so on (nothing was said about the Win Recovery Console installation), and I pressed yes, then a new blue window appeared saying something like "about 1/100 computers fail to be cleaned by this program - do you really want to proceed?". Since I was afraid that the ComboFix would start, I pressed no (since you asked me to start the program with the script in your last reply). However, this seemed to uninstall ComboFix (at least the ComboFix icon on the desktop disappeared...

What should I do now? I guess I need to download ComboFix again. Then, how do I know if the Win Recovery Console is correctly installed? And why does the ComboFix program start when I press run after the drag and drop operation? I thought this should only install the Win Recovery Console? Another thing: after I pressed "run" in my attempt to install the Win Recovery Console, OfficeScan found an infected file. Is this behavior OK or should I take some action if this happens when I run the ComboFix later on?

Thanks for your great patience....as you realize I am not that experienced when it comes to problems like these...and I am really scared to do anything wrong since there are loads of warnings about this ComboFix program. And I find it difficult to follow the instructions when unexpected things happen...

/Lars

Body Background

skin color theme