Solved: cleaning remnants of winantivirus

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

sslevy (Thread Starter)
Joined: Sep 18, 2006
Messages: 66
One coworker has inadvertently installed WinAntiVirus because she thought it would make her computer fast. I have uninstalled it as well as run SUPERAntiSpyware, ComboFix and VundoFix. However, there are still straggling files that are still around and she is still getting popups.
Enclosed please find the HijackThis log, ComboFix and SUPERAntiSpyware logs. Also, I connect to this PC remotely and do not have remote safe mode access. Thanks for any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:24, on 2008-04-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Automatic Update\AutoUpdate.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\etlisrv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINNT\system32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SM_IAN] C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [BM93571468] Rundll32.exe "C:\WINNT\system32\cftapons.dll",s
O4 - HKLM\..\Run: [906427f4] rundll32.exe "C:\WINNT\system32\kcmkpxtw.dll",b
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - file://jfkopera/APPLICATIONS/Amadeus/ALTEA%20RESERVATION%20DESKTOP%203.1P120%20CO/ALTEA%20RESERVATION%20DESKTOP%203.1P120%20CO/html/AutoUpdateATL25P401.CAB
O16 - DPF: {A640B7AC-03CF-11D4-8F5F-0000E87715F0} (PAMain Class) - https://www.elalextra.net/privateark/paweb/pasetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = elalusa.com
O17 - HKLM\Software\..\Telephony: DomainName = elalusa.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = elalusa.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = elalusa.com
O23 - Service: Amadeus Automatic Update - Amadeus - C:\Program Files\Automatic Update\AutoUpdate.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: Entrust Login Interface (ELIService) - Entrust Technologies Ltd. - C:\WINNT\etlisrv.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6567 bytes

ComboFix 08-04-10.9 - dmatalon 2008-04-14 12:09:21.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.791 [GMT -5:00]
Running from: C:\Documents and Settings\dmatalon\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ActivationCode
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ProductCode
C:\Documents and Settings\dmatalon\Application Data\WinAntiVirus Pro 2007
C:\Documents and Settings\dmatalon\Application Data\WinAntiVirus Pro 2007\avtasks.dat
C:\Documents and Settings\dmatalon\Application Data\WinAntiVirus Pro 2007\history.db
C:\Documents and Settings\dmatalon\Application Data\WinAntiVirus Pro 2007\Logs\update.log
C:\Documents and Settings\dmatalon\Application Data\WinAntiVirus Pro 2007\Logs\wa7Support.log
C:\Documents and Settings\dmatalon\Application Data\WinAntiVirus Pro 2007\Logs\winav.log
C:\Documents and Settings\dmatalon\Application Data\WinAntiVirus Pro 2007\PGE.dat
C:\Documents and Settings\dmatalon\err.log
C:\Documents and Settings\dmatalon\ResErrors.log
C:\Program Files\Common Files\winantivirus pro 2007
C:\Program Files\Common Files\winantivirus pro 2007\err.log
C:\UWA7P
C:\WINNT\cookies.ini
C:\WINNT\pskt.ini
C:\WINNT\system32\ikmllkkj.ini
C:\WINNT\system32\ikmllkkj.ini2
C:\WINNT\system32\jugkbsqy.ini
C:\WINNT\system32\liglsfbp.ini
C:\WINNT\system32\mvpftyuf.ini
C:\WINNT\system32\pkdkfjoc.ini
C:\WINNT\system32\prsvwvut.ini
C:\WINNT\system32\prsvwvut.ini2
C:\WINNT\system32\stera.job
C:\WINNT\system32\stera.log
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN
-------\Service_FOPN


((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-14 12:19 . 2008-04-14 12:19 708,376 ---hs---- C:\WINNT\system32\jugkbsqy.ini
2008-04-14 11:33 . 2008-04-14 11:33 <DIR> d-------- C:\VundoFix Backups
2008-04-14 11:08 . 2004-10-07 13:39 8,704 --a------ C:\WINNT\system32\SpOrder.dll
2008-04-14 10:22 . 2008-04-14 10:21 58,880 --a------ C:\WINNT\system32\wdgjio.exe
2008-04-14 10:22 . 2008-04-14 10:21 58,880 ---h----- C:\Documents and Settings\dmatalon\atccjol.exe
2008-04-14 09:50 . 2008-04-14 09:50 106,560 --a------ C:\WINNT\system32\epimuvvn.dll
2008-04-14 09:47 . 2008-04-14 09:47 96,320 --a------ C:\WINNT\system32\yqsbkguj.dll
2008-04-14 09:43 . 2008-04-14 09:43 3,648 --a------ C:\WINNT\system32\qvraolyj.dll
2008-04-14 09:35 . 2008-04-14 09:35 101,952 --a------ C:\WINNT\system32\cpshphnq.dll
2008-04-12 12:59 . 2008-04-12 12:59 96,320 --------- C:\WINNT\system32\fuytfpvm.dll
2008-04-12 12:56 . 2008-04-12 12:56 106,048 --a------ C:\WINNT\system32\hympfejo.dll
2008-04-12 12:53 . 2008-04-12 12:53 100,416 --a------ C:\WINNT\system32\jbtlpdwa.dll
2008-04-12 12:53 . 2008-04-12 12:53 3,648 --a------ C:\WINNT\system32\bonphpdw.dll
2008-04-11 14:08 . 2008-04-11 14:10 <DIR> d-------- C:\Program Files\AdvancedCleaner Free
2008-04-11 14:08 . 2003-03-19 08:20 1,060,864 --a------ C:\WINNT\system32\mfc71.dll
2008-04-11 12:56 . 2008-04-11 12:56 106,048 --a------ C:\WINNT\system32\bfeomuyo.dll
2008-04-11 12:53 . 2008-04-11 12:53 3,648 --a------ C:\WINNT\system32\etvwuibd.dll
2008-04-11 12:51 . 2008-04-11 12:51 101,440 --a------ C:\WINNT\system32\kfajhirn.dll
2008-04-11 12:50 . 2008-04-11 12:50 369,664 --a------ C:\WINNT\system32\jkkllmki.dll
2008-04-11 12:45 . 2008-04-11 12:45 30,720 --a------ C:\WINNT\system32\iifcbcyw.dll
2008-04-11 11:29 . 2008-04-11 11:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-11 11:29 . 2008-04-11 11:29 <DIR> d-------- C:\Documents and Settings\dmatalon\Application Data\SUPERAntiSpyware.com
2008-04-11 11:29 . 2008-04-11 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-11 11:28 . 2008-04-11 11:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 10:33 . 2008-04-11 10:33 111,036 --a------ C:\WINNT\system32\raecqiqy.dll
2008-04-11 10:27 . 2008-04-11 10:27 3,648 --a------ C:\WINNT\system32\adbdeiqq.dll
2008-04-11 10:24 . 2008-04-11 10:25 104,670 --a------ C:\WINNT\system32\iichhgav.dll
2008-04-10 17:02 . 2008-04-10 17:02 30,720 --a------ C:\WINNT\system32\wvuuutst.dll
2008-04-10 12:27 . 2008-04-10 12:29 <DIR> d-------- C:\Documents and Settings\dmatalon\Application Data\Amadeus
2008-04-09 11:12 . 2008-04-09 11:12 57,856 ---h----- C:\Documents and Settings\dmatalon\rxb.exe
2008-04-01 09:39 . 2008-04-10 03:08 <DIR> d-------- C:\WINNT\SxsCaPendDel
2008-03-26 18:24 . 2008-03-26 18:24 79,872 -r-hs---- C:\WINNT\system32\msnuserv.exe
2008-03-24 12:14 . 2008-03-24 13:38 85,504 -r-hs---- C:\WINNT\system32\msnhosts.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 09:40 1,845,888 ----a-w C:\WINNT\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINNT\system32\wininet.dll
2008-02-20 06:52 282,624 ----a-w C:\WINNT\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINNT\system32\dnsrslvr.dll
2006-04-20 15:28 40,520 ----a-w C:\Documents and Settings\mblagman\Application Data\GDIPFONTCACHEV1.DAT
2002-09-23 20:38 271 --sh--w C:\Program Files\desktop.ini
2002-09-23 20:38 21,952 ---ha-w C:\Program Files\folder.htt
.

------- Sigcheck -------

2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINNT\system32\svchost.exe
2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINNT\system32\dllcache\svchost.exe

2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINNT\system32\ws2_32.dll
2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINNT\system32\dllcache\ws2_32.dll

2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINNT\system32\winlogon.exe
2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINNT\system32\dllcache\winlogon.exe

2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINNT\system32\dllcache\ndis.sys
2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e C:\WINNT\system32\drivers\ndis.sys

2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINNT\system32\dllcache\ip6fw.sys
2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINNT\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F02D04B-50B3-4A07-BA6E-DAB1562CE975}]
2008-04-11 12:45 30720 --a------ C:\WINNT\system32\iifcbcyw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63327C31-1AB3-4B13-AE7A-FC4AE625EFDF}]
2008-04-11 12:50 369664 --a------ C:\WINNT\system32\jkkllmki.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d6166a87-125c-4455-84d4-c6faef50a0ac}]
2008-04-14 09:50 106560 --a------ C:\WINNT\system32\epimuvvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="C:\WINNT\system32\mobsync.exe" [2004-08-04 07:00 143360]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 16:51 36864]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 18:28 155648]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [2002-12-04 00:19 155648]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [2002-12-04 00:06 114688]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14 504080]
"MSN User Services"="msnuserv.exe" [2008-03-26 18:24 79872 C:\WINNT\system32\msnuserv.exe]
"AdvancedCleaner Free"="C:\Program Files\AdvancedCleaner Free\UADC.exe" [2007-10-02 16:11 1558528]
"SM_IAN"="C:\Program Files\AdvancedCleaner Free\ian_monitor.exe" [2007-12-19 10:59 241152]
"906427f4"="C:\WINNT\system32\yqsbkguj.dll" [2008-04-14 09:47 96320]
"wdgjio"="C:\WINNT\system32\wdgjio.exe" [2008-04-14 10:21 58880]
"MSConfig"="C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-12-07 11:43 169984]
"UADC_10916670"="C:\Program Files\AdvancedCleaner Free\UADCcw.exe" [2007-09-27 10:57 180224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 07:00 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2004-08-04 07:00 44544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Run WinVNC (App Mode).lnk - C:\Program Files\ORL\VNC\WinVNC.exe [2003-02-24 16:17:42 200704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{5F02D04B-50B3-4A07-BA6E-DAB1562CE975}"= C:\WINNT\system32\iifcbcyw.dll [2008-04-11 12:45 30720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AUWinLogon]
AUWinLogon.dll 2007-01-09 18:09 45056 C:\WINNT\system32\AUWinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcbcyw]
iifcbcyw.dll 2008-04-11 12:45 30720 C:\WINNT\system32\iifcbcyw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\jkkllmki

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiVirus Pro 2007]
C:\Program Files\WinAntiVirus Pro 2007\WinAv.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\dmatalon\\atccjol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009

R0 ultra66;ultra66;C:\WINNT\system32\DRIVERS\ultra66.sys [1999-09-25 12:11]
R2 Isecdrv;ISECDRV;C:\WINNT\system32\drivers\Isecdrv.sys [1999-12-14 18:25]
S2 NMSSvc;Intel(R) NMS;C:\WINNT\System32\NMSSvc.exe [2002-05-03 13:36]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 14:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 17:25:11 C:\WINNT\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 12:19:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINNT\system32\msnuserv.exe [3328] 0x85C66BC0

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SM_IAN = C:\Program Files\AdvancedCleaner Free\ian_monitor.exe??|[email protected][email protected]????????????????|[email protected]?????????p???????? A?3??|???|[email protected][email protected]???????C????????|[email protected]?????????,[email protected][email protected]?d???u)?|[email protected]??????????)?|???|[email protected]?3??|[email protected][email protected]?????????? A????|[email protected]?d??????

scanning hidden files ...

C:\WINNT\system32\ikmllkkj.ini 6292 bytes
C:\WINNT\system32\ikmllkkj.ini2 320 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\system32\iifcbcyw.dll

PROCESS: C:\WINNT\explorer.exe
-> C:\WINNT\system32\yqsbkguj.dll
-> C:\WINNT\system32\jkkllmki.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Automatic Update\AutoUpdate.exe
C:\WINNT\system32\DWRCS.EXE
C:\WINNT\etlisrv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\DWRCST.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\AdvancedCleaner Free\unins000.exe
C:\DOCUME~1\dmatalon\LOCALS~1\Temp\_iu14D2N.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\WINNT\system32\HPBPRO.EXE
C:\WINNT\system32\verclsid.exe
.