07-24-2006, 06:17 AM   #6
pccenterllc
Registered User
Join Date: Jul 2006
Posts: 164
OS: 200/XP

Finally, the fixes you asked for are done.

The first three took hours to do because the machine was very slow and unresponsive. Now it is running quickly and opening pages as I would expect. During the drweb scan, it got interrupted the first time. I am not sure how that happened, as I was on another machine at that time. The winrnt.exe was there when I restarted the computer, before I ran combofix. I restarted after running combofix and it is gone now.

Logfile of HijackThis v1.99.1
Scan saved at 07:03:49 AM, on 07/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us3.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [StartAOL] "C:\Program Files\America Online 6.0\AOL.EXE"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Start Time= 07/24/2006 6:52:36.00
Running from: C:\Documents and Settings\Owner\Desktop\security programs

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-24 06:41 1,103 C:\WINDOWS\win.ini
2006-07-24 03:40 <DIR> C:\Program Files\ewido anti-spyware 4.0
2006-07-24 01:01 <DIR> C:\Program Files\spybot - search & destroy
2006-07-24 00:58 <DIR> C:\Program Files\messenger
2006-07-24 00:58 <DIR> C:\Program Files\internet explorer
2006-07-24 00:55 <DIR> C:\Program Files\digstream
2006-07-24 00:26 <DIR> C:\Program Files\gib
2006-07-23 18:44 <DIR> C:\Program Files\hijackthis
2006-07-22 20:14 <DIR> C:\Program Files\cleanup!
2006-07-22 17:53 <DIR> C:\Documents and Settings\Owner\Application Data\microsoft
2006-07-20 10:02 <DIR> C:\Program Files\spywareblaster
2006-06-14 19:21 <DIR> C:\Documents and Settings\Owner\Application Data\systemdoctor 2006 free


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-24 00:41 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-24 00:41 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-24 00:34 132,698,112 C:\hiberfil.sys
2006-07-21 20:56 21,504 C:\WINDOWS\system32\hidserv.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"HPGamesActiveMenu"="C:\\Program Files\\WildTangent\\ActiveMenu\\HP\\Games\\ActiveMenu.exe"
"DIGStream"="C:\\Program Files\\DIGStream\\digstream.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"StartAOL"="\"C:\\Program Files\\America Online 6.0\\AOL.EXE\""
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,40,01,00,00,00,00,00,00,e0,01,00,00,3c,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder

Completion time: 07/24/2006 6:53:00.00
ComboFix ver 06.07.22 - This logfile is located at C:\ComboFix.txt
Terminator.exe;C:\hp\bin;Trojan.KillApp.30208;Deleted.;
pup.exe;C:\Program Files;Trojan.DownLoader.118;Incurable.Moved.;
01setup.EXE;C:\Program Files\GIB;Dialer.Gea;Incurable.Moved.;
rebootnt.exe;C:\Program Files\HPSelect\frontend\thirdparty\qt5;Tool.Reboot;Incurable.Moved.;
A0014448.exe;C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP75;Trojan.DownLoader.based;Deleted.;
A0014458.exe;C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP75;Trojan.DownLoader.based;Deleted.;
A0014468.exe;C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP75;Trojan.DownLoader.based;Deleted.;
A0014478.exe;C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP75;Trojan.DownLoader.based;Deleted.;
A0014486.exe;C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP75;Trojan.DownLoader.based;Deleted.;
A0015527.exe;C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP80;Trojan.DownLoader.based;Deleted.;
A0015540.exe;C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP80;Trojan.DownLoader.based;Deleted.;
A0015553.exe;C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP80;Trojan.DownLoader.10346;Deleted.;
A0015566.exe;C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP80;Trojan.DownLoader.based;Deleted.;
A0015582.exe;C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP81;Trojan.DownLoader.based;Deleted.;
A0015583.exe;C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP81;Trojan.DownLoader.based;Deleted.;
A0015696.exe;C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP81;Trojan.KillApp.30208;Deleted.;
A0015697.exe;C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP81;Trojan.DownLoader.118;Incurable.Moved.;
RatedXXX.exe;C:\WINDOWS;Dialer.AsianRaw;Incurable.Moved.;
svchost.exe;C:\WINDOWS;Trojan.StartPage.65;Deleted.;
svchost.exe;C:\WINDOWS\Downloaded Program Files;Trojan.StartPage.65;Deleted.;
wcmdmgr.exe;C:\WINDOWS\wt\backup\1.6.2.003;Probably DLOADER.Trojan;Incurable.Moved.;
01setup.EXE;C:\Program Files\GIB;Dialer.Gea;;
rebootnt.exe;C:\Program Files\HPSelect\frontend\thirdparty\qt5;Tool.Reboot;;
A0015698.exe;C:\System Volume Information\_restore{554C9778-504A-41F8-AB3C-56924AE6A5F7}\RP81;Trojan.StartPage.65;Deleted.;
RatedXXX.exe;C:\WINDOWS;Dialer.AsianRaw;;



Incident Status Location

Dialer:dialer generic Not disinfected c:\program files\GIB
Dialer:Dialer.BCA Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\01setup.EXE
Spyware:Spyware/AdClicker Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0015697.exe
Spyware:Spyware/AdClicker Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\pup.exe
Dialer:Dialer.AQK Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\RatedXXX.exe
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cs.sexcounter[2].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Owner\Cookies\owner@fortunecity[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Cookies\owner@go[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[2].txt
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Virus:Trj/Agent.CHY Disinfected C:\WINDOWS\SYSTEM32\winrnt.exe
I will be installing AVG soon. I am just waiting for the final fixes you said may be needed.

Thank you for your help!