
Solved: cleaning remnants of winantivirus

Discussion in 'Virus & Other Malware Removal' started by sslevy, Apr 15, 2008.

Thread Status:
Not open for further replies.
    sslevy (Thread Starter)
    Joined: Sep 18, 2006
    Messages: 66
    One coworker has inadvertently installed WinAntiVirus because she thought it would make her computer fast. I have uninstalled it as well as run SUPERAntiSpyware, ComboFix and VundoFix. However, there are still straggling files around and she is still getting popups.
    Enclosed please find the HijackThis, ComboFix and SUPERAntiSpyware logs. Also, I connect to this PC remotely and do not have remote safe mode access. Thanks for any help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:24, on 2008-04-15
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Automatic Update\AutoUpdate.exe
    C:\WINNT\SYSTEM32\DWRCS.EXE
    C:\WINNT\etlisrv.exe
    C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SYSTEM32\DWRCST.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\WINNT\system32\hkcmd.exe
    C:\PROGRA~1\CA\ETRUST~1\realmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINNT\system32\ctfmon.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Live Toolbar\msn_sl.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
    O4 - HKLM\..\Run: [SM_IAN] C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKLM\..\Run: [BM93571468] Rundll32.exe "C:\WINNT\system32\cftapons.dll",s
    O4 - HKLM\..\Run: [906427f4] rundll32.exe "C:\WINNT\system32\kcmkpxtw.dll",b
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.amadeusproweb.com
    O15 - Trusted Zone: http://*.amadeusvista.com
    O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
    O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
    O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - file://jfkopera/APPLICATIONS/Amadeus/ALTEA%20RESERVATION%20DESKTOP%203.1P120%20CO/ALTEA%20RESERVATION%20DESKTOP%203.1P120%20CO/html/AutoUpdateATL25P401.CAB
    O16 - DPF: {A640B7AC-03CF-11D4-8F5F-0000E87715F0} (PAMain Class) - https://www.elalextra.net/privateark/paweb/pasetup.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = elalusa.com
    O17 - HKLM\Software\..\Telephony: DomainName = elalusa.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = elalusa.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = elalusa.com
    O23 - Service: Amadeus Automatic Update - Amadeus - C:\Program Files\Automatic Update\AutoUpdate.exe
    O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
    O23 - Service: Entrust Login Interface (ELIService) - Entrust Technologies Ltd. - C:\WINNT\etlisrv.exe
    O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 6567 bytes

    ComboFix 08-04-10.9 - dmatalon 2008-04-14 12:09:21.2 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.791 [GMT -5:00]
    Running from: C:\Documents and Settings\dmatalon\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007
    C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\Abbr
    C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ActivationCode
    C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ProductCode
    C:\Documents and Settings\dmatalon\Application Data\WinAntiVirus Pro 2007
    C:\Documents and Settings\dmatalon\Application Data\WinAntiVirus Pro 2007\avtasks.dat
    C:\Documents and Settings\dmatalon\Application Data\WinAntiVirus Pro 2007\history.db
    C:\Documents and Settings\dmatalon\Application Data\WinAntiVirus Pro 2007\Logs\update.log
    C:\Documents and Settings\dmatalon\Application Data\WinAntiVirus Pro 2007\Logs\wa7Support.log
    C:\Documents and Settings\dmatalon\Application Data\WinAntiVirus Pro 2007\Logs\winav.log
    C:\Documents and Settings\dmatalon\Application Data\WinAntiVirus Pro 2007\PGE.dat
    C:\Documents and Settings\dmatalon\err.log
    C:\Documents and Settings\dmatalon\ResErrors.log
    C:\Program Files\Common Files\winantivirus pro 2007
    C:\Program Files\Common Files\winantivirus pro 2007\err.log
    C:\UWA7P
    C:\WINNT\cookies.ini
    C:\WINNT\pskt.ini
    C:\WINNT\system32\ikmllkkj.ini
    C:\WINNT\system32\ikmllkkj.ini2
    C:\WINNT\system32\jugkbsqy.ini
    C:\WINNT\system32\liglsfbp.ini
    C:\WINNT\system32\mvpftyuf.ini
    C:\WINNT\system32\pkdkfjoc.ini
    C:\WINNT\system32\prsvwvut.ini
    C:\WINNT\system32\prsvwvut.ini2
    C:\WINNT\system32\stera.job
    C:\WINNT\system32\stera.log
    C:\WINNT\Web\default.htt

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_FOPN
    -------\Service_FOPN


    ((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
    .

    2008-04-14 12:19 . 2008-04-14 12:19 708,376 ---hs---- C:\WINNT\system32\jugkbsqy.ini
    2008-04-14 11:33 . 2008-04-14 11:33 <DIR> d-------- C:\VundoFix Backups
    2008-04-14 11:08 . 2004-10-07 13:39 8,704 --a------ C:\WINNT\system32\SpOrder.dll
    2008-04-14 10:22 . 2008-04-14 10:21 58,880 --a------ C:\WINNT\system32\wdgjio.exe
    2008-04-14 10:22 . 2008-04-14 10:21 58,880 ---h----- C:\Documents and Settings\dmatalon\atccjol.exe
    2008-04-14 09:50 . 2008-04-14 09:50 106,560 --a------ C:\WINNT\system32\epimuvvn.dll
    2008-04-14 09:47 . 2008-04-14 09:47 96,320 --a------ C:\WINNT\system32\yqsbkguj.dll
    2008-04-14 09:43 . 2008-04-14 09:43 3,648 --a------ C:\WINNT\system32\qvraolyj.dll
    2008-04-14 09:35 . 2008-04-14 09:35 101,952 --a------ C:\WINNT\system32\cpshphnq.dll
    2008-04-12 12:59 . 2008-04-12 12:59 96,320 --------- C:\WINNT\system32\fuytfpvm.dll
    2008-04-12 12:56 . 2008-04-12 12:56 106,048 --a------ C:\WINNT\system32\hympfejo.dll
    2008-04-12 12:53 . 2008-04-12 12:53 100,416 --a------ C:\WINNT\system32\jbtlpdwa.dll
    2008-04-12 12:53 . 2008-04-12 12:53 3,648 --a------ C:\WINNT\system32\bonphpdw.dll
    2008-04-11 14:08 . 2008-04-11 14:10 <DIR> d-------- C:\Program Files\AdvancedCleaner Free
    2008-04-11 14:08 . 2003-03-19 08:20 1,060,864 --a------ C:\WINNT\system32\mfc71.dll
    2008-04-11 12:56 . 2008-04-11 12:56 106,048 --a------ C:\WINNT\system32\bfeomuyo.dll
    2008-04-11 12:53 . 2008-04-11 12:53 3,648 --a------ C:\WINNT\system32\etvwuibd.dll
    2008-04-11 12:51 . 2008-04-11 12:51 101,440 --a------ C:\WINNT\system32\kfajhirn.dll
    2008-04-11 12:50 . 2008-04-11 12:50 369,664 --a------ C:\WINNT\system32\jkkllmki.dll
    2008-04-11 12:45 . 2008-04-11 12:45 30,720 --a------ C:\WINNT\system32\iifcbcyw.dll
    2008-04-11 11:29 . 2008-04-11 11:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-04-11 11:29 . 2008-04-11 11:29 <DIR> d-------- C:\Documents and Settings\dmatalon\Application Data\SUPERAntiSpyware.com
    2008-04-11 11:29 . 2008-04-11 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-04-11 11:28 . 2008-04-11 11:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-11 10:33 . 2008-04-11 10:33 111,036 --a------ C:\WINNT\system32\raecqiqy.dll
    2008-04-11 10:27 . 2008-04-11 10:27 3,648 --a------ C:\WINNT\system32\adbdeiqq.dll
    2008-04-11 10:24 . 2008-04-11 10:25 104,670 --a------ C:\WINNT\system32\iichhgav.dll
    2008-04-10 17:02 . 2008-04-10 17:02 30,720 --a------ C:\WINNT\system32\wvuuutst.dll
    2008-04-10 12:27 . 2008-04-10 12:29 <DIR> d-------- C:\Documents and Settings\dmatalon\Application Data\Amadeus
    2008-04-09 11:12 . 2008-04-09 11:12 57,856 ---h----- C:\Documents and Settings\dmatalon\rxb.exe
    2008-04-01 09:39 . 2008-04-10 03:08 <DIR> d-------- C:\WINNT\SxsCaPendDel
    2008-03-26 18:24 . 2008-03-26 18:24 79,872 -r-hs---- C:\WINNT\system32\msnuserv.exe
    2008-03-24 12:14 . 2008-03-24 13:38 85,504 -r-hs---- C:\WINNT\system32\msnhosts.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-19 09:40 1,845,888 ----a-w C:\WINNT\system32\win32k.sys
    2008-03-01 13:06 826,368 ----a-w C:\WINNT\system32\wininet.dll
    2008-02-20 06:52 282,624 ----a-w C:\WINNT\system32\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINNT\system32\dnsrslvr.dll
    2006-04-20 15:28 40,520 ----a-w C:\Documents and Settings\mblagman\Application Data\GDIPFONTCACHEV1.DAT
    2002-09-23 20:38 271 --sh--w C:\Program Files\desktop.ini
    2002-09-23 20:38 21,952 ---ha-w C:\Program Files\folder.htt
    .

    ------- Sigcheck -------

    2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINNT\system32\svchost.exe
    2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINNT\system32\dllcache\svchost.exe

    2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINNT\system32\ws2_32.dll
    2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINNT\system32\dllcache\ws2_32.dll

    2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINNT\system32\winlogon.exe
    2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINNT\system32\dllcache\winlogon.exe

    2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINNT\system32\dllcache\ndis.sys
    2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINNT\system32\drivers\ndis.sys

    2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINNT\system32\dllcache\ip6fw.sys
    2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINNT\system32\drivers\ip6fw.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F02D04B-50B3-4A07-BA6E-DAB1562CE975}]
    2008-04-11 12:45 30720 --a------ C:\WINNT\system32\iifcbcyw.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63327C31-1AB3-4B13-AE7A-FC4AE625EFDF}]
    2008-04-11 12:50 369664 --a------ C:\WINNT\system32\jkkllmki.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d6166a87-125c-4455-84d4-c6faef50a0ac}]
    2008-04-14 09:50 106560 --a------ C:\WINNT\system32\epimuvvn.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
    "ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 07:00 15360]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="C:\WINNT\system32\mobsync.exe" [2004-08-04 07:00 143360]
    "StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 16:51 36864]
    "TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 18:28 155648]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
    "IgfxTray"="C:\WINNT\system32\igfxtray.exe" [2002-12-04 00:19 155648]
    "HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [2002-12-04 00:06 114688]
    "Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14 504080]
    "MSN User Services"="msnuserv.exe" [2008-03-26 18:24 79872 C:\WINNT\system32\msnuserv.exe]
    "AdvancedCleaner Free"="C:\Program Files\AdvancedCleaner Free\UADC.exe" [2007-10-02 16:11 1558528]
    "SM_IAN"="C:\Program Files\AdvancedCleaner Free\ian_monitor.exe" [2007-12-19 10:59 241152]
    "906427f4"="C:\WINNT\system32\yqsbkguj.dll" [2008-04-14 09:47 96320]
    "wdgjio"="C:\WINNT\system32\wdgjio.exe" [2008-04-14 10:21 58880]
    "MSConfig"="C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-12-07 11:43 169984]
    "UADC_10916670"="C:\Program Files\AdvancedCleaner Free\UADCcw.exe" [2007-09-27 10:57 180224]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 07:00 214528]
    "tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2004-08-04 07:00 44544]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
    Run WinVNC (App Mode).lnk - C:\Program Files\ORL\VNC\WinVNC.exe [2003-02-24 16:17:42 200704]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
    "{5F02D04B-50B3-4A07-BA6E-DAB1562CE975}"= C:\WINNT\system32\iifcbcyw.dll [2008-04-11 12:45 30720]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AUWinLogon]
    AUWinLogon.dll 2007-01-09 18:09 45056 C:\WINNT\system32\AUWinLogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcbcyw]
    iifcbcyw.dll 2008-04-11 12:45 30720 C:\WINNT\system32\iifcbcyw.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\jkkllmki

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiVirus Pro 2007]
    C:\Program Files\WinAntiVirus Pro 2007\WinAv.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Documents and Settings\\dmatalon\\atccjol.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R0 ultra66;ultra66;C:\WINNT\system32\DRIVERS\ultra66.sys [1999-09-25 12:11]
    R2 Isecdrv;ISECDRV;C:\WINNT\system32\drivers\Isecdrv.sys [1999-12-14 18:25]
    S2 NMSSvc;Intel(R) NMS;C:\WINNT\System32\NMSSvc.exe [2002-05-03 13:36]
    S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
    S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 14:05]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-14 17:25:11 C:\WINNT\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-14 12:19:54
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    C:\WINNT\system32\msnuserv.exe [3328] 0x85C66BC0

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    SM_IAN = C:\Program Files\AdvancedCleaner Free\ian_monitor.exe [remainder of the value: unprintable binary data, garbled in extraction]

    scanning hidden files ...

    C:\WINNT\system32\ikmllkkj.ini 6292 bytes
    C:\WINNT\system32\ikmllkkj.ini2 320 bytes

    scan completed successfully
    hidden files: 2

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINNT\system32\winlogon.exe
    -> C:\WINNT\system32\iifcbcyw.dll

    PROCESS: C:\WINNT\explorer.exe
    -> C:\WINNT\system32\yqsbkguj.dll
    -> C:\WINNT\system32\jkkllmki.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Automatic Update\AutoUpdate.exe
    C:\WINNT\system32\DWRCS.EXE
    C:\WINNT\etlisrv.exe
    C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\DWRCST.EXE
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\AdvancedCleaner Free\unins000.exe
    C:\DOCUME~1\dmatalon\LOCALS~1\Temp\_iu14D2N.tmp
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Live Toolbar\msn_sl.exe
    C:\WINNT\system32\HPBPRO.EXE
    C:\WINNT\system32\verclsid.exe
    .
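The logs above show the pattern that made this infection hard to clean: Run-key values with autogenerated names ([906427f4], [BM93571468]) that launch eight-letter DLLs from system32 through rundll32.exe, and the same kind of DLL (iifcbcyw.dll) registered as a Winlogon Notify handler so that it loads inside winlogon.exe. The Python script below is an added example, not part of this thread and not code from HijackThis or ComboFix: it parses HijackThis O4 and O20 lines and scores each autostart entry against those heuristics. The sample lines, the scoring rules and the two-signal threshold are my own construction modelled on this log; the O20 line is constructed to mirror the Notify entry that ComboFix reported, since the poster's HijackThis log did not include one.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample (not the poster's full log): O4 autostart lines modelled
# on the thread's HijackThis output, plus one O20 Winlogon Notify line that
# mirrors the iifcbcyw.dll notify handler ComboFix reported.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [BM93571468] Rundll32.exe "C:\WINNT\system32\cftapons.dll",s
O4 - HKLM\..\Run: [906427f4] rundll32.exe "C:\WINNT\system32\kcmkpxtw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O20 - Winlogon Notify: iifcbcyw - C:\WINNT\system32\iifcbcyw.dll
"""

# HijackThis line formats: "O4 - <hive>\..\<key>: [<name>] <command>"
# and "O20 - Winlogon Notify: <subkey> - <dll path>".
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<cmd>.*)$")
# First drive-letter path ending in .dll or .exe inside the command line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:dll|exe)', re.IGNORECASE)
# Heuristic: value names like "906427f4" or "BM93571468" (hex blob, or a short
# prefix followed by a long number) are typical of generated persistence keys.
AUTOGEN_NAME_RE = re.compile(r"(?:[0-9a-f]{8}|[A-Za-z]{1,3}\d{6,})")
# Heuristic: eight lowercase letters is the naming pattern of the DLLs in this log.
RANDOM_BASENAME_RE = re.compile(r"[a-z]{8}\.(?:dll|exe)")


@dataclass
class Finding:
    entry: str            # value name (O4) or notify subkey (O20)
    path: Optional[str]   # module the entry loads, if a drive-letter path was found
    signals: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.signals)

    @property
    def flagged(self) -> bool:
        # One weak signal alone is not enough: igfxtray.exe is also eight
        # lowercase letters in system32, and legitimately so.
        return self.score >= 2


def _path_signals(path: Optional[str], signals: List[str]) -> None:
    """Append the module-name heuristic if the path looks like a generated system32 DLL."""
    if path is None:
        return
    directory, _, basename = path.rpartition("\\")
    if "\\system32" in directory.lower() and RANDOM_BASENAME_RE.fullmatch(basename.lower()):
        signals.append("random 8-letter module name in system32")


def analyze(log_text: str) -> List[Finding]:
    """Parse O4/O20 lines and score each autostart entry against the heuristics above."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            name, cmd = m["name"], m["cmd"]
            pm = PATH_RE.search(cmd)
            path = pm.group(0) if pm else None
            f = Finding(entry=name, path=path)
            if "rundll32" in cmd.lower() and path and path.lower().endswith(".dll"):
                f.signals.append("DLL loaded through rundll32")
            if AUTOGEN_NAME_RE.fullmatch(name):
                f.signals.append("autogenerated-looking value name")
            _path_signals(path, f.signals)
            findings.append(f)
        elif m := O20_RE.match(line):
            pm = PATH_RE.search(m["cmd"])
            path = pm.group(0) if pm else None
            f = Finding(entry=m["name"], path=path)
            # Anything here runs inside winlogon.exe, so it always counts as one signal.
            f.signals.append("Winlogon Notify handler (runs inside winlogon.exe)")
            _path_signals(path, f.signals)
            findings.append(f)
    return findings


def flagged_entries(log_text: str) -> List[str]:
    """Names of the entries that reach the two-signal threshold, in log order."""
    return [f.entry for f in analyze(log_text) if f.flagged]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        mark = "FLAG" if f.flagged else "    "
        print(f"{mark} [{f.entry}] {f.path}  signals={f.signals}")
```

Run against the sample, the script flags BM93571468, 906427f4 and the iifcbcyw Notify handler and leaves IgfxTray, Realtime Monitor and ctfmon.exe alone. The threshold is the design point: each heuristic on its own is noisy, so an entry is only flagged when the launch mechanism and the naming both look wrong. The output is a triage list for a human reader of the log, not a removal script.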

Short URL to this thread: https://techguy.org/704074