Tech Support Forum

Discussion Starter · #1 ·
Please help, my PC is infected by anonymous spyware or something called
"Grogotix".
I can't run any program since booting up my PC.
I can't open the HijackThis log program.
Please help, what am I supposed to do?

Thanks all

Discussion Starter · #2 · (Edited)
Fyuhhh...At last

This is my HijackThis log file. Please help.
Every time I click a folder, it always creates a new folder named like the one I clicked, but its "Type" is Application.
And the file "NTOSKRNL" is missing, so I cannot run my PC.
Thanks

Logfile of HijackThis v1.99.1
Scan saved at 12:17:41 PM, on 12/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\Config\vecin.exe
C:\WINDOWS\Config\xilav.exe
C:\WINDOWS\Config\jiqit.exe
C:\WINDOWS\Config\dijak.exe
I:\xxxx\HijackThis.exe
C:\WINDOWS\Config\kijup.exe
I:\xxxx\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\vecin.exe
O4 - HKLM\..\Run: [Grogotix] C:\WINDOWS\Config\dijak.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe
O23 - Service: QoS RSVP (RSVP) - Unknown owner - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
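The three lines in the log above that point at the infection (the system.ini Shell= entry, the [Grogotix] Run entry and the DisableRegedit policy) can be picked out mechanically. The following is an added example, not code from this thread or from HijackThis; the directory allow-list and the severities are its own assumptions, and the same rules also flag the C:\WINDOWS\juhus.exe and C:\WINDOWS\nedeb.exe entries in the later log.

```python
r"""Triage of HijackThis log lines (added example, not HijackThis code).

Three defender-side checks, matching the kinds of entries in the posted log:

  * F2 Shell= lines: the Winlogon shell should be exactly "Explorer.exe";
    any extra program appended to it is started at every logon.
  * O4 Run entries whose target lives outside the usual program
    directories (here: C:\WINDOWS\Config\dijak.exe).
  * O7 policy lines that disable regedit, which takes away the user's
    ability to undo the other two by hand.

The sample lines are copied from the log above; the allow-list and the
severity labels are this example's own assumptions.
"""
import re

# Constructed sample: three suspicious lines from the posted log plus two
# benign ones for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\vecin.exe
O4 - HKLM\..\Run: [Grogotix] C:\WINDOWS\Config\dijak.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Directories from which autostart entries are normally expected (assumption).
# Anything else (C:\WINDOWS\Config, the C:\WINDOWS root, user profiles) is flagged.
EXPECTED_RUN_DIRS = (
    "c:\\program files\\",
    "c:\\progra~1\\",
    "c:\\windows\\system32\\",
)

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F2_SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
O7_RE = re.compile(r"^O7 - (?P<key>.*?), (?P<policy>\w+)=(?P<value>\S+)$")


def _first_path(cmd: str) -> str:
    """Return the executable path at the start of a command line.

    Handles a quoted path; otherwise takes the first whitespace-delimited
    token, which is enough for the 8.3-style paths HijackThis prints.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_line(line: str):
    """Return a (severity, reason) tuple for a suspicious line, else None."""
    line = line.strip()
    m = F2_SHELL_RE.match(line)
    if m:
        parts = m.group("shell").split()
        if [p.lower() for p in parts] != ["explorer.exe"]:
            extra = " ".join(parts[1:]) or m.group("shell")
            return ("high", f"Winlogon shell hijacked: extra program {extra!r}")
        return None
    m = O4_RE.match(line)
    if m:
        path = _first_path(m.group("cmd")).lower()
        if not path.startswith(EXPECTED_RUN_DIRS):
            return ("medium",
                    f"Run entry [{m.group('name')}] starts {path} from an unusual directory")
        return None
    m = O7_RE.match(line)
    if m and m.group("policy").lower() == "disableregedit" and m.group("value") == "1":
        return ("medium", "Registry editor disabled by policy")
    return None


def triage_log(text: str):
    """Map each suspicious log line to its (severity, reason)."""
    findings = {}
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings[line.strip()] = hit
    return findings


if __name__ == "__main__":
    for line, (sev, why) in triage_log(SAMPLE_LOG).items():
        print(f"[{sev}] {why}\n    {line}")
```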

TSF Security Manager, Emeritus
Hello johanes,

Let's begin with this tool:

Download the Gromozon rootkit removal tool & save it to Desktop:

http://pcalsicuro.phpsoft.it/FixGrom.exe

http://aknow.prevx.com/zeroL/FixGrom.exe

-------------------------------------

Close any open browsers.

-------------------------------------

Double-click to run it & follow the prompts.

If an infection is found, it shall reboot your machine & produce a log at C:\armada_log

-------------------------------

Next, download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**


-------------------------------------

Close any open browsers.

-------------------------------------


Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


-------------------------------------

Run a new scan with HijackThis and save the log.

-------------------------------------

Please include the following in your next reply:

armada.log
ComboFix.txt
New HijackThis log
Update on system behavior

Discussion Starter · #4 ·
HijackThis Log file

Logfile of HijackThis v1.99.1
Scan saved at 11:08:39 AM, on 12/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\juhus.exe
C:\WINDOWS\nedeb.exe
C:\WINDOWS\yadul.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\tudim.exe
C:\WINDOWS\pukib.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\juhus.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Grogotix] C:\WINDOWS\nedeb.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe


gromozon_removal

Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Program Files\Common Files


Trojan.Gromozon does not exist - your system is clean.


ComboFix

Windows - 06-12-15 10:54:30.67 Service Pack 2
ComboFix 06-12-01.2W-BetaE - Running from: "C:\Documents and Settings\Windows\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


h:\autorun.inf . . . . failed to delete


((((((((((((((((((((((((((((((( Files Created from 2006-11-15 to 2006-12-15 ))))))))))))))))))))))))))))))))))


2006-12-15 10:57 <DIR> d-------- C:\WINDOWS\erdnt
2006-12-15 10:50 <DIR> d-------- C:\Program Files\WinRAR
2006-12-15 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2006-12-15 10:22 <DIR> d-------- C:\Program Files\WinZip
2006-12-15 10:21 1,272,644 --a------ C:\WINDOWS\grogot.exe
2006-12-14 08:48 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-12-14 08:48 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-12-14 08:48 <DIR> d-------- C:\Documents and Settings\Windows\Application Data\AVG7
2006-12-14 08:47 <DIR> d-------- C:\Program Files\Grisoft
2006-12-14 08:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2006-12-13 19:56 <DIR> dr-h----- C:\Documents and Settings\Windows\SendTo
2006-12-13 19:56 <DIR> dr-h----- C:\Documents and Settings\Windows\Recent
2006-12-13 19:56 <DIR> dr-h----- C:\Documents and Settings\Windows\Application Data\.
2006-12-13 19:56 <DIR> dr-h----- C:\Documents and Settings\Windows\Application Data
2006-12-13 19:56 <DIR> dr------- C:\Documents and Settings\Windows\Start Menu
2006-12-13 19:56 <DIR> dr------- C:\Documents and Settings\Windows\My Documents
2006-12-13 19:56 <DIR> dr------- C:\Documents and Settings\Windows\Favorites
2006-12-13 19:56 <DIR> d--h----- C:\Program Files\Uninstall Information
2006-12-13 19:56 <DIR> d--h----- C:\Documents and Settings\Windows\Templates
2006-12-13 19:56 <DIR> d--h----- C:\Documents and Settings\Windows\PrintHood
2006-12-13 19:56 <DIR> d--h----- C:\Documents and Settings\Windows\NetHood
2006-12-13 19:56 <DIR> d--h----- C:\Documents and Settings\Windows\Local Settings
2006-12-13 19:56 <DIR> d---s---- C:\Documents and Settings\Windows\Cookies
2006-12-13 19:56 <DIR> d---s---- C:\Documents and Settings\Windows\Application Data\Microsoft
2006-12-13 19:56 <DIR> d-------- C:\Documents and Settings\Windows\Desktop
2006-12-13 19:56 <DIR> d-------- C:\Documents and Settings\Windows\Application Data\Identities
2006-12-13 19:56 <DIR> d-------- C:\Documents and Settings\Windows\Application Data\..
2006-12-13 19:56 <DIR> d-------- C:\Documents and Settings\Windows\..
2006-12-13 19:56 <DIR> d-------- C:\Documents and Settings\Windows\.
2006-12-13 19:55 <DIR> d--hs---- C:\System Volume Information
2006-12-13 19:55 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2006-12-13 19:55 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2006-12-13 19:55 <DIR> d-------- C:\WINDOWS\Prefetch
2006-12-13 19:47 0 -rahs---- C:\MSDOS.SYS
2006-12-13 19:47 0 -rahs---- C:\IO.SYS
2006-12-13 19:47 0 --a------ C:\CONFIG.SYS
2006-12-13 19:47 0 --a------ C:\AUTOEXEC.BAT
2006-12-13 19:47 <DIR> d-------- C:\WINDOWS\system32\xircom
2006-12-13 19:47 <DIR> d-------- C:\Program Files\xerox
2006-12-13 19:47 <DIR> d-------- C:\Program Files\microsoft frontpage
2006-12-13 19:46 112,128 --a------ C:\WINDOWS\system32\mapi32.dll
2006-12-13 19:46 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2006-12-13 19:45 <DIR> dr------- C:\WINDOWS\Offline Web Pages
2006-12-13 19:45 <DIR> d--h----- C:\Program Files\WindowsUpdate
2006-12-13 19:45 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2006-12-13 19:45 <DIR> d-------- C:\WINDOWS\system32\DirectX
2006-12-13 19:44 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2006-12-13 19:44 81,920 --a------ C:\WINDOWS\system32\ils.dll
2006-12-13 19:44 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2006-12-13 19:44 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2006-12-13 19:44 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2006-12-13 19:44 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2006-12-13 19:44 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2006-12-13 19:44 678,400 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-12-13 19:44 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2006-12-13 19:44 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2006-12-13 19:44 64,512 --a------ C:\WINDOWS\system32\acctres.dll
2006-12-13 19:44 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2006-12-13 19:44 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2006-12-13 19:44 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2006-12-13 19:44 430,592 --a------ C:\WINDOWS\system32\wuapi.dll
2006-12-13 19:44 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2006-12-13 19:44 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2006-12-13 19:44 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2006-12-13 19:44 36,864 --a------ C:\WINDOWS\system32\wups.dll
2006-12-13 19:44 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2006-12-13 19:44 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2006-12-13 19:44 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2006-12-13 19:44 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2006-12-13 19:44 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2006-12-13 19:44 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2006-12-13 19:44 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2006-12-13 19:44 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2006-12-13 19:44 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2006-12-13 19:44 22,528 --a------ C:\WINDOWS\system32\fltmc.exe
2006-12-13 19:44 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2006-12-13 19:44 183,296 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-12-13 19:44 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-12-13 19:44 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2006-12-13 19:44 165,888 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-12-13 19:44 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-12-13 19:44 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll
2006-12-13 19:44 124,800 --a------ C:\WINDOWS\system32\drivers\fltMgr.sys
2006-12-13 19:44 120,320 --a------ C:\WINDOWS\system32\wuweb.dll
2006-12-13 19:44 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll
2006-12-13 19:44 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2006-12-13 19:44 112,640 --a------ C:\WINDOWS\system32\wucltui.dll
2006-12-13 19:44 111,104 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-12-13 19:44 11,264 --a------ C:\WINDOWS\system32\atrace.dll
2006-12-13 19:44 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2006-12-13 19:44 1,134,592 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-12-13 19:44 <DIR> d---s---- C:\WINDOWS\Tasks
2006-12-13 19:44 <DIR> d-------- C:\WINDOWS\system32\Restore
2006-12-13 19:44 <DIR> d-------- C:\WINDOWS\system32\Macromed
2006-12-13 19:44 <DIR> d-------- C:\WINDOWS\srchasst
2006-12-13 19:44 <DIR> d-------- C:\Program Files\Outlook Express
2006-12-13 19:44 <DIR> d-------- C:\Program Files\NetMeeting
2006-12-13 19:44 <DIR> d-------- C:\Program Files\Movie Maker
2006-12-13 19:44 <DIR> d-------- C:\Program Files\Internet Explorer
2006-12-13 19:44 <DIR> d-------- C:\Program Files\Common Files\System
2006-12-13 19:44 <DIR> d-------- C:\Program Files\Common Files\Services
2006-12-13 19:44 <DIR> d-------- C:\Program Files\Common Files\MSSoap
2006-12-13 19:43 <DIR> d-------- C:\WINDOWS\Registration
2006-12-13 19:43 <DIR> d-------- C:\Program Files\ComPlus Applications
2006-12-13 19:42 949,248 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-12-13 19:42 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2006-12-13 19:42 90,112 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-12-13 19:42 9,728 --a------ C:\WINDOWS\system32\reset.exe
2006-12-13 19:42 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2006-12-13 19:42 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2006-12-13 19:42 82,432 --a------ C:\WINDOWS\system32\comrepl.dll
2006-12-13 19:42 80,384 --a------ C:\WINDOWS\system32\charmap.exe
2006-12-13 19:42 73,216 --a------ C:\WINDOWS\system32\avwav.dll
2006-12-13 19:42 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2006-12-13 19:42 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2006-12-13 19:42 628,224 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-12-13 19:42 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2006-12-13 19:42 62,464 --a------ C:\WINDOWS\system32\colbact.dll
2006-12-13 19:42 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2006-12-13 19:42 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2006-12-13 19:42 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2006-12-13 19:42 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2006-12-13 19:42 56,832 --a------ C:\WINDOWS\system32\sol.exe
2006-12-13 19:42 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2006-12-13 19:42 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2006-12-13 19:42 54,272 --a------ C:\WINDOWS\system32\stclient.dll
2006-12-13 19:42 538,624 --a------ C:\WINDOWS\system32\spider.exe
2006-12-13 19:42 501,248 --a------ C:\WINDOWS\system32\clbcatq.dll
2006-12-13 19:42 5,632 --a------ C:\WINDOWS\system32\write.exe
2006-12-13 19:42 5,120 --a------ C:\WINDOWS\system32\dcomcnfg.exe
2006-12-13 19:42 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2006-12-13 19:42 44,544 --a------ C:\WINDOWS\system32\hticons.dll
2006-12-13 19:42 425,472 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-12-13 19:42 407,552 --a------ C:\WINDOWS\system32\mstsc.exe
2006-12-13 19:42 4,096 --a------ C:\WINDOWS\system32\rdpcfgex.dll
2006-12-13 19:42 4,096 --a------ C:\WINDOWS\system32\mtxex.dll
2006-12-13 19:42 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2006-12-13 19:42 35,328 --a------ C:\WINDOWS\system32\winchat.exe
2006-12-13 19:42 345,088 --a------ C:\WINDOWS\system32\hypertrm.dll
2006-12-13 19:42 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2006-12-13 19:42 33,792 --a------ C:\WINDOWS\system32\regini.exe
2006-12-13 19:42 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2006-12-13 19:42 25,600 --a------ C:\WINDOWS\system32\comaddin.dll
2006-12-13 19:42 25,088 --a------ C:\WINDOWS\system32\mtxlegih.dll
2006-12-13 19:42 229,888 --a------ C:\WINDOWS\system32\catsrv.dll
2006-12-13 19:42 227,840 --a------ C:\WINDOWS\system32\avtapi.dll
2006-12-13 19:42 22,016 --a------ C:\WINDOWS\system32\qwinsta.exe
2006-12-13 19:42 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2006-12-13 19:42 20,992 --a------ C:\WINDOWS\system32\msg.exe
2006-12-13 19:42 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2006-12-13 19:42 20,480 --a------ C:\WINDOWS\system32\mtxdm.dll
2006-12-13 19:42 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2006-12-13 19:42 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2006-12-13 19:42 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-12-13 19:42 16,896 --a------ C:\WINDOWS\system32\tsshutdn.exe
2006-12-13 19:42 16,896 --a------ C:\WINDOWS\system32\qappsrv.exe
2006-12-13 19:42 16,384 --a------ C:\WINDOWS\system32\tskill.exe
2006-12-13 19:42 16,384 --a------ C:\WINDOWS\system32\avmeter.dll
2006-12-13 19:42 15,872 --a------ C:\WINDOWS\system32\rwinsta.exe
2006-12-13 19:42 15,872 --a------ C:\WINDOWS\system32\cdmodem.dll
2006-12-13 19:42 15,360 --a------ C:\WINDOWS\system32\logoff.exe
2006-12-13 19:42 147,968 --a------ C:\WINDOWS\system32\rdchost.dll
2006-12-13 19:42 147,456 --a------ C:\WINDOWS\system32\comsnap.dll
2006-12-13 19:42 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe
2006-12-13 19:42 14,848 --a------ C:\WINDOWS\system32\tsdiscon.exe
2006-12-13 19:42 14,848 --a------ C:\WINDOWS\system32\tscon.exe
2006-12-13 19:42 14,848 --a------ C:\WINDOWS\system32\shadow.exe
2006-12-13 19:42 139,400 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2006-12-13 19:42 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2006-12-13 19:42 131,584 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-12-13 19:42 13,824 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-12-13 19:42 126,976 --a------ C:\WINDOWS\system32\mshearts.exe
2006-12-13 19:42 123,392 --a------ C:\WINDOWS\system32\mplay32.exe
2006-12-13 19:42 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2006-12-13 19:42 119,808 --a------ C:\WINDOWS\system32\winmine.exe
2006-12-13 19:42 114,688 --a------ C:\WINDOWS\system32\calc.exe
2006-12-13 19:42 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-12-13 19:42 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2006-12-13 19:42 11,264 --a------ C:\WINDOWS\system32\icaapi.dll
2006-12-13 19:42 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-12-13 19:42 1,251,840 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-12-13 19:42 1,161 --a------ C:\WINDOWS\system32\usrlogon.cmd
2006-12-13 19:42 <DIR> d-------- C:\WINDOWS\system32\MsDtc
2006-12-13 19:42 <DIR> d-------- C:\WINDOWS\system32\Com
2006-12-13 19:42 <DIR> d-------- C:\Program Files\Windows NT
2006-12-13 19:42 <DIR> d-------- C:\Program Files\Windows Media Player
2006-12-13 19:42 <DIR> d-------- C:\Program Files\Online Services
2006-12-13 19:42 <DIR> d-------- C:\Program Files\MSN Gaming Zone
2006-12-13 19:42 <DIR> d-------- C:\Program Files\MSN
2006-12-13 19:42 <DIR> d-------- C:\Program Files\Messenger
2006-12-13 19:41 58,880 --a------ C:\WINDOWS\system32\licwmi.dll
2006-12-13 19:41 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2006-12-13 19:41 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2006-12-13 19:41 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2006-12-13 19:41 185,344 --a------ C:\WINDOWS\system32\cmprops.dll
2006-12-13 19:41 17,408 --a------ C:\WINDOWS\system32\mmfutil.dll
2006-12-12 19:39 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2006-12-12 19:39 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-12-12 19:39 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2006-12-12 19:39 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2006-12-12 19:39 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2006-12-12 19:39 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2006-12-12 19:39 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2006-12-12 19:38 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2006-12-12 19:38 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2006-12-12 19:38 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2006-12-12 19:38 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2006-12-12 19:38 171,776 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2006-12-12 19:37 96,256 --a------ C:\WINDOWS\system32\drivers\ac97intc.sys
2006-12-12 19:37 86,016 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2006-12-12 19:37 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2006-12-12 19:37 685,056 --a------ C:\WINDOWS\system32\drivers\HSFCXTS2.sys
2006-12-12 19:37 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-12-12 19:37 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2006-12-12 19:37 42,368 --a------ C:\WINDOWS\system32\drivers\AGP440.SYS
2006-12-12 19:37 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
2006-12-12 19:37 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-12-12 19:37 32,285 --a------ C:\WINDOWS\system32\HSFCISP2.dll
2006-12-12 19:37 220,032 --a------ C:\WINDOWS\system32\drivers\HSFBS2S2.sys
2006-12-12 19:37 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2006-12-12 19:37 11,868 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
2006-12-12 19:37 1,897,408 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2006-12-12 19:37 1,041,536 --a------ C:\WINDOWS\system32\drivers\HSFDPSP2.sys
2006-12-12 19:35 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL
2006-12-12 19:35 9,008 --a------ C:\WINDOWS\system\VER.DLL
2006-12-12 19:35 85,020 --a------ C:\WINDOWS\system32\dgsetup.dll
2006-12-12 19:35 82,944 --a------ C:\WINDOWS\system\OLECLI.DLL
2006-12-12 19:35 8,704 --a------ C:\WINDOWS\system32\batt.dll
2006-12-12 19:35 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll
2006-12-12 19:35 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2006-12-12 19:35 7,168 -ra------ C:\WINDOWS\system32\kbdcz.dll
2006-12-12 19:35 69,584 --a------ C:\WINDOWS\system\AVICAP.DLL
2006-12-12 19:35 69,120 --a------ C:\WINDOWS\notepad.exe
2006-12-12 19:35 68,768 --a------ C:\WINDOWS\system\MMSYSTEM.DLL
2006-12-12 19:35 6,656 -ra------ C:\WINDOWS\system32\kbdycl.dll
2006-12-12 19:35 6,656 -ra------ C:\WINDOWS\system32\kbdsl1.dll
2006-12-12 19:35 6,656 -ra------ C:\WINDOWS\system32\kbdsl.dll
2006-12-12 19:35 6,656 -ra------ C:\WINDOWS\system32\kbdpl.dll
2006-12-12 19:35 6,656 -ra------ C:\WINDOWS\system32\kbdhu.dll
2006-12-12 19:35 6,656 -ra------ C:\WINDOWS\system32\kbdhela3.dll
2006-12-12 19:35 6,656 -ra------ C:\WINDOWS\system32\kbdcz2.dll
2006-12-12 19:35 6,656 -ra------ C:\WINDOWS\system32\kbdcz1.dll
2006-12-12 19:35 6,656 -ra------ C:\WINDOWS\system32\kbdcr.dll
2006-12-12 19:35 6,656 -ra------ C:\WINDOWS\system32\KBDAL.DLL
2006-12-12 19:35 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll
2006-12-12 19:35 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll
2006-12-12 19:35 6,144 -ra------ C:\WINDOWS\system32\kbdlv1.dll
2006-12-12 19:35 6,144 -ra------ C:\WINDOWS\system32\kbdlv.dll
2006-12-12 19:35 6,144 -ra------ C:\WINDOWS\system32\kbdhela2.dll
2006-12-12 19:35 6,144 -ra------ C:\WINDOWS\system32\kbdgkl.dll
2006-12-12 19:35 6,144 -ra------ C:\WINDOWS\system32\kbdest.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdycc.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbduzb.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdur.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdtat.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdru1.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdru.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdro.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdpl1.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdmon.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdlt1.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdlt.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdkyr.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdkaz.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdhu1.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdhe319.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdhe220.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdhe.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdbu.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdblr.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll
2006-12-12 19:35 5,632 -ra------ C:\WINDOWS\system32\kbdaze.dll
2006-12-12 19:35 5,120 --a------ C:\WINDOWS\system\SHELL.DLL
2006-12-12 19:35 32,816 --a------ C:\WINDOWS\system\COMMDLG.DLL
2006-12-12 19:35 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-12-12 19:35 24,064 --a------ C:\WINDOWS\system\OLESVR.DLL
2006-12-12 19:35 19,200 --a------ C:\WINDOWS\system\TAPI.DLL
2006-12-12 19:35 176,157 --a------ C:\WINDOWS\system32\dgrpsetu.dll
2006-12-12 19:35 15,360 --a------ C:\WINDOWS\taskman.exe
2006-12-12 19:35 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-12-12 19:35 126,912 --a------ C:\WINDOWS\system\MSVIDEO.DLL
2006-12-12 19:35 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2006-12-12 19:35 109,456 --a------ C:\WINDOWS\system\AVIFILE.DLL
2006-12-12 19:35 103,424 --a------ C:\WINDOWS\system32\EqnClass.Dll
2006-12-12 19:35 <DIR> dr------- C:\Program Files\Common Files\..
2006-12-12 19:35 <DIR> dr------- C:\Program Files\.
2006-12-12 19:35 <DIR> dr------- C:\Program Files
2006-12-12 19:35 <DIR> dr------- C:\Documents and Settings\All Users\Start Menu
2006-12-12 19:35 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2006-12-12 19:35 <DIR> d--hs---- C:\WINDOWS\Installer
2006-12-12 19:35 <DIR> d--h----- C:\Documents and Settings\All Users\Templates
2006-12-12 19:35 <DIR> d-------- C:\Program Files\Common Files\SpeechEngines
2006-12-12 19:35 <DIR> d-------- C:\Program Files\Common Files\ODBC
2006-12-12 19:35 <DIR> d-------- C:\Program Files\Common Files\Microsoft Shared
2006-12-12 19:35 <DIR> d-------- C:\Program Files\Common Files\.
2006-12-12 19:35 <DIR> d-------- C:\Program Files\Common Files
2006-12-12 19:35 <DIR> d-------- C:\Program Files\..
2006-12-12 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Favorites
2006-12-12 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Desktop
2006-12-12 19:32 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data\.
2006-12-12 19:32 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data
2006-12-12 19:32 <DIR> d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2006-12-12 19:32 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2006-12-12 19:32 <DIR> d-------- C:\WINDOWS\system32\CatRoot
2006-12-12 19:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\..
2006-12-12 19:32 <DIR> d-------- C:\Documents and Settings\All Users\..
2006-12-12 19:32 <DIR> d-------- C:\Documents and Settings\All Users\.
2006-12-12 19:32 <DIR> d-------- C:\Documents and Settings
2006-12-12 19:27 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2006-12-12 19:27 <DIR> dr--s---- C:\WINDOWS\Fonts


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-15 10:22 1448586 --a------ C:\HijackThis.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Grogotix"="C:\\WINDOWS\\nedeb.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoFolderOptions"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoViewContextMenu"=dword:00000001
"NoTrayContextMenu"=dword:00000001
"NoSetFolders"=dword:00000001
"NoFind"=dword:00000001
"NoRun"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

Completion time: 06-12-15 10:59:15.57


My PC still creates a new folder when I click one, but when I plug my flash disk in at a public Internet PC, that folder gets cleaned up by a program named "AVG anti virus".

thanks
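The "clicking a folder creates an Application with the same name" symptom described above is the folder-mimic trick used by removable-media worms: an .exe is dropped beside each real folder, named after it. As an added example (not from this thread, and not AVG's code), here is a small Python scanner that walks a drive and lists every .exe whose name matches a sibling folder; the sample tree it builds is constructed for the demo.

```python
import os
import tempfile
from typing import List


def find_folder_mimics(root: str) -> List[str]:
    """Walk `root` and return (relative, sorted) paths of every .exe whose base name
    equals the name of a directory sitting in the same parent folder."""
    hits: List[str] = []
    for parent, dirs, files in os.walk(root):
        dir_names = {d.lower() for d in dirs}
        for f in files:
            stem, ext = os.path.splitext(f)
            # case-insensitive: Windows treats "MY DOCUMENT.EXE" and "My Document" alike
            if ext.lower() == ".exe" and stem.lower() in dir_names:
                rel = os.path.relpath(os.path.join(parent, f), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample: a fake flash disk with real folders, mimic .exe files next
    to them (one a level deeper), and an ordinary installer that must not be flagged."""
    root = tempfile.mkdtemp(prefix="flashdisk_")
    for d in ("Photos", "My Document", os.path.join("Photos", "2006")):
        os.makedirs(os.path.join(root, d))
    for name in ("Photos.exe", "MY DOCUMENT.EXE", "setup.exe",
                 os.path.join("Photos", "2006.exe")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes only; not a real executable
    return root


if __name__ == "__main__":
    for hit in find_folder_mimics(build_sample_tree()):
        print("folder mimic:", hit)
```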
 

TSF Security Manager, Emeritus
42,836 Posts
Hello johanes,

You have a few infections aboard and we need to go after them in stages.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------

Download KillBox from http://www.greyknight17.com/spy/KillBox.exe (it's important that you get version v2.0.0.175).

---------------------------

Delete your current version of Combofix.exe and download it again:

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

-----------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

-----------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\juhus.exe
O4 - HKLM\..\Run: [Grogotix] C:\WINDOWS\nedeb.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1



Click 'Fix Checked' and close HijackThis.

-----------------------------------

Launch KillBox.exe & select the following options:
  • delete on Reboot
Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\yadul.exe
C:\WINDOWS\tudim.exe
C:\WINDOWS\pukib.exe
C:\WINDOWS\juhus.exe
C:\WINDOWS\nedeb.exe
C:\WINDOWS\grogot.exe



Go to the File menu, and choose Paste from Clipboard
*Click on the dropdown menu next to Full Path of File to Delete field.
*Verify that the filenames you pasted are found there

Select/tick the following:

* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister .dll Before Deleting
Click the RED X button.

Click Yes at the 'Delete on Reboot' prompt. Click No at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run KillBox, download and run missingfilesetup.exe. Then try KillBox again.


------------------------------------------------

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted. **Please ensure it is set to Quarantine, then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware.
**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


-------------------------------------

Close any open browsers.

-------------------------------------


Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


-----------------------------------

  • Please download Autoruns and AutoCmd.
  • Extract the contents of Autoruns into a new folder.
  • Now extract the contents of AutoCmd into the same folder as Autoruns. This is important!
  • Double-click on AutoCmd.cmd & select option '1'
  • It will produce a log called autoruns_X_Y.txt (where X and Y are the date and time respectively). Please attach the log in your next reply.
-----------------------------------

One of the infections you may have recognizes HijackThis and prevents HJT from reading the registry locations where it resides, as well as hiding other infections in those locations.

I'd like you to rename HijackThis.exe to johanes.exe.
  • Navigate to C:\HijackThis.exe
  • Right click on HijackThis.exe
  • Select 'Rename'
  • Type in johanes.exe
  • Press Enter.
-----------------------------------

Run a scan with the newly named johanes.exe and save the log.

----------------------------------

Please include the following in your next reply:

AVG Anti-Spyware results
Panda results
ComboFix.txt
HijackThis log (johanes.exe)

Autoruns log <--attached, not posted
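As an added example (not part of this thread, and not code from ComboFix or HijackThis), here is a small Python audit that reads a .reg-style dump like the "Reg Loading Points" block posted above and flags the three tampering patterns visible in this thread: a Run entry launching a bare .exe from the C:\WINDOWS root (the "Grogotix" value), policy DWORDs that lock the user out of cmd, Run and Folder Options, and a Winlogon Shell value that is not plain Explorer.exe. The sample dump is constructed from the posted log; the Winlogon line is built from the HijackThis F2 entry the helper asked to fix.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the "Reg Loading Points" section of the
# ComboFix log above, plus a Winlogon\Shell value built from the HijackThis F2 line.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Grogotix"="C:\\WINDOWS\\nedeb.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoFolderOptions"=dword:00000001
"NoRun"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\juhus.exe"
"""

# Policy DWORDs that lock the user out of cmd, regedit, Run, Find, Folder Options...
# On a stand-alone home PC a value of 1 is far more likely malware than group policy.
LOCKOUT_POLICIES = {"disablecmd", "disableregedit", "nofolderoptions", "norun", "nofind",
                    "noviewcontextmenu", "notraycontextmenu", "nosetfolders"}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg_dump(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg-style dump into {key (lowercased): {value name: str | int}}."""
    result: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            current = m.group(1).lower()
            result.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            name, s, dw = m.groups()
            # .reg strings escape backslashes as "\\"; undo that for path checks
            result[current][name] = int(dw, 16) if dw is not None else s.replace("\\\\", "\\")
    return result


def audit_loading_points(text: str) -> List[Tuple[str, str, str]]:
    r"""Return (kind, key, detail) findings: Run entries launching an .exe straight from
    C:\WINDOWS, lockout policies set to 1, and a Winlogon Shell that is not Explorer.exe."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in parse_reg_dump(text).items():
        if key.endswith(r"\currentversion\run"):
            for name, target in values.items():
                exe = str(target).split(" ")[0].strip('"').lower()
                # legitimate startup items live under Program Files or system32,
                # not as a bare .exe directly in C:\WINDOWS
                if re.fullmatch(r"c:\\windows\\[^\\]+\.exe", exe):
                    findings.append(("run-from-windows-root", key, f"{name} -> {target}"))
        elif key.endswith((r"\policies\system", r"\policies\explorer")):
            for name, val in values.items():
                if name.lower() in LOCKOUT_POLICIES and val == 1:
                    findings.append(("tool-lockout-policy", key, f"{name}=1"))
        elif key.endswith(r"\winlogon"):
            shell = str(values.get("Shell", "explorer.exe")).strip().lower()
            if shell != "explorer.exe":
                findings.append(("shell-hijack", key, f"Shell={values['Shell']}"))
    return findings
```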
 

TSF Security Manager, Emeritus
42,836 Posts
This is a difficult infection--just do your best. :sayyes:

If you have any difficulties carrying out any of the steps, just keep moving through the remaining steps and post the logs you do have. Let me know of any problems you may have run into, at the same time you post those logs. :smile:
 

Registered
32 Posts
Discussion Starter · #8
Logfile of HijackThis v1.99.1
Scan saved at 9:57:52 AM, on 12/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\johanes.exe.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe



Fyuuh... at last.
Hi Ried,
This is my log. But sorry, I can't do Panda ActiveScan on my PC because my connection speed is very, very slow. Is that OK?
And the program files that I saved on my hard drive are gone. Could I get them all back if this is all done?
My mouse doesn't want to right-click.

Thanks
 


TSF Security Manager, Emeritus
42,836 Posts
Hi,

This infection is still interfering with the HijackThis program. I'll need you to use another tool and attach its log here as well:

Please download this tool > http://www.kztechs.com/sreng/sreng2.zip

1. Extract it to Desktop & double click SREng.exe to run it

2. Select 'Smart Scan' & tick "Verify Digital Signatures"

3. Click on the [Scan] button

4. When finished, click on the [Save Reports] button & save the log to Desktop

5. Attach the log in your next reply. Don't post it.

These logs are going to take me some time to go through, I may not have a reply for you until tomorrow. I will do my best to reply sooner.
"And the program files that I saved on my hard drive are gone. Could I get them all back if this is all done?"
What programs are gone?
 

TSF Security Manager, Emeritus
42,836 Posts
Hello johanes,

I must tell you this doesn't look good and we may ultimately end up having to reformat as this worm has infected most of your programs. As there isn't much information yet about this worm, I don't know if any AV program will be able to effectively clean the infection without also taking out the programs it has infected. If you're up to it, I'd like to try some other programs and see if we can salvage anything. :sayyes:

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is very IMPORTANT that you perform these steps in the exact order I've laid out.

***************************************************

Please download the Suspicious File Packer --> http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop, but do not run it yet.

------------

Please download this excellent and FREE anti-virus program: **Do not install or run it yet!**

Please download Active Virus Shield (powered by Kaspersky) and save it to your desktop.
  • Please remember to register for your Activation Code using a legitimate email address.
Note: You must only use 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other.


-------------------------------------

Close any open browsers.

-------------------------------------



**Pause now to uninstall AVG Free AntiVirus via the Add/Remove programs in your Control Panel**

-------------------------------------------------------

Before we continue, we're going to restore everything AVG A-S has quarantined for 2 reasons:
  1. It would be of great service on your part to provide us some samples of the infected files so the experts can get a good look at them. :sayyes:
  2. Let's see if Active Virus Shield can clean them without removing the programs.
Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • At the top of the main menu select Infections
  • Select the Quarantine tab
Select all of the files it has quarantined

Click the Restore button located in the lower portion of the box.

-------------------------------------------------------

Run the Suspicious File Packer you downloaded earlier (it should be on your desktop).

Copy/Paste the following list of filepaths into the Suspicious File Packer window:

E:\WavCutter.exe
D:\Program Installer\CRACK PATCH SERIAL NUMBER\Adobe Premiere v4.2 - Boot Ma pc_boot2.zip/ADOBE_PR.EXE
D:\Program Installer\Active Key Logger 1.9\Active Key Logger 1.9.exe
D:\Petchara.part12.rar/PETCHARA.EXE
D:\My Document\UNOCAL.zip/UNOCAL.EXE
D:\My Document\UNOCAL1.zip/UNOCAL1.EXE
D:\FirefoxPortable\panda_lokal_negeri_jiran_02.zip/PANDA_LO.EXE


Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site ---> http://www.bleepingcomputer.com/submit-malware.php?channel=4
Please include a link to this topic in the message.

-------------------------------------------------------

**Now please proceed with the installation of Active Virus Shield:
  • Double-click avs.msi to run the installer, but please uncheck "Install Security Toolbar" during the installation process:





  • Then please update the program and run a systemwide scan by selecting My Computer. Allow it to neutralize all that it finds.
  • When done, launch Active Virus Shield's main window.





  • Click the Scan button on the left, and then click Detected.

  • In the ensuing window, click the Save As button to save a copy of the log.
  • Copy and paste that log in your next reply along with a new HijackThis log.
 

TSF Security Manager, Emeritus
42,836 Posts
I'm afraid it may turn out that way if no tools will be able to clean those programs. Try the above steps I gave you, in the exact order given and we'll see.
 