Author Topic: SDbot worm (msdirectx.sys)  (Read 13489 times)

Offline Catzmagee

SDbot worm (msdirectx.sys)
« on: May 17, 2005, 07:30:55 AM »
hey,

I got a virus/worm off MSN Messenger last week. The file msdirectx.sys appeared in my user folder, my Norton antivirus was disabled and wouldn't open, along with Task Manager and msconfig, and my computer is running very slow and keeps freezing. I tried various things and the file then disappeared. I was advised to uninstall Norton and download avast, which I did; it detected Win32 trojan/worm and removed that, and Task Manager and msconfig then ran, but the computer was still very slow and downloading freezes the computer. Task Manager etc. are back to not appearing on screen, so I think I haven't gotten rid of it and I don't know what there is left to do.


Thanks, Catherine

I ran avast again and it keeps picking up the Win32 trojan-gen, and it says it's located in c:\Windows\system32\msdirectx.sys
« Last Edit: May 17, 2005, 08:34:29 AM by Catzmagee »

Offline Catzmagee

SDbot worm (msdirectx.sys)
« Reply #1 on: May 17, 2005, 04:04:47 PM »
Here is my HijackThis logfile

Logfile of HijackThis v1.99.1
Scan saved at 13:13:11, on 17/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 69.50.166.11 www.google.es
O1 - Hosts: 69.50.166.11 google.es
O1 - Hosts: 69.50.166.11 google.com.au
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 69.50.166.12 www.go.com
O1 - Hosts: 69.50.166.12 go.com
O1 - Hosts: 69.50.166.13 astalavista.com
O1 - Hosts: 69.50.166.13 www.astalavista.com
O1 - Hosts: 69.50.166.13 astalavista.box.sk
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1474CE44-8057-4AE3-8F3E-ED37C7C63D8A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KnobMonitor] C:\acer\KnobMonitor.exe
O4 - HKLM\..\Run: [MPS] C:\ACER\MPS.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: BT - {287E6E20-83C8-4B93-9D54-A2DECA6D0B98} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {44C0A121-B77B-4532-AD14-97E78F05A586} - http://bt.yahoo.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/providers...yer/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Knob Service (KNOBSERV) - Acer Inc. - c:\acer\KnobService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
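As an added defender's example (not part of this thread, and not HijackThis code), the following Python script parses HijackThis 1.99 log lines and flags the three patterns that stand out in the log above: O1 hosts entries that send a well-known domain anywhere other than loopback, O4 Run/RunServices entries whose command carries no path at all or whose name is registered under several Run keys at once, and O23 services whose binary is reported "(file missing)". The excerpt embedded in it is constructed from the posted log; every check is a review heuristic, not a verdict.

```python
"""Triage a HijackThis 1.99 log for the patterns seen in this thread.

Added example; not part of the original thread and not HijackThis code.
Each check is a conventional analyst heuristic, not a verdict:
  * O1  hosts entries that send a well-known domain anywhere but loopback
        (the posted log points google.co.uk and others at 69.50.166.x)
  * O4  Run/RunServices entries whose command carries no path at all, so
        Windows resolves the name from the search path (msconfig32.exe in
        the posted log), and one name registered under several Run keys
  * O23 services whose binary HijackThis reports as "(file missing)"
"""
import re
import sys

# Constructed excerpt, shortened from the log posted in Reply #1.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\]\s*(.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
DRIVE_RE = re.compile(r'^"?[A-Za-z]:')
LOOPBACK_PREFIXES = ("127.", "0.0.0.0", "::1")


def parse_hosts_redirects(lines):
    """(domain, address) for every O1 line that does not point at loopback."""
    hits = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if m and not m.group(1).startswith(LOOPBACK_PREFIXES):
            hits.append((m.group(2), m.group(1)))
    return hits


def parse_run_entries(lines):
    """Split O4 lines into hive, key, entry name and command."""
    entries = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            entries.append({"hive": hive, "key": key, "name": name, "cmd": cmd.strip()})
    return entries


def pathless_commands(entries):
    """Commands with neither a backslash nor a drive letter anywhere.
    Legitimate OEM entries (SOUNDMAN.EXE here) match too; the point is to
    make a reviewer look the file up rather than to convict it."""
    return sorted({e["cmd"] for e in entries
                   if "\\" not in e["cmd"] and not DRIVE_RE.match(e["cmd"])})


def names_under_several_keys(entries):
    """Entry names registered under more than one hive\\key (machine-wide
    and per-user at once is typical of worms, rare for installers)."""
    seen = {}
    for e in entries:
        seen.setdefault(e["name"], set()).add(e["hive"] + "\\" + e["key"])
    return {name: sorted(keys) for name, keys in seen.items() if len(keys) > 1}


def missing_service_binaries(lines):
    """Display names of O23 services whose image HijackThis could not find."""
    hits = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m and "(file missing)" in m.group(3):
            hits.append(m.group(1))
    return hits


def triage(log_text):
    lines = log_text.splitlines()
    run = parse_run_entries(lines)
    return {
        "hosts_redirects": parse_hosts_redirects(lines),
        "pathless_run": pathless_commands(run),
        "run_under_several_keys": names_under_several_keys(run),
        "missing_services": missing_service_binaries(lines),
    }


if __name__ == "__main__":
    # Pass a saved hijackthis.log path, or run without arguments for the sample.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for section, findings in triage(text).items():
        print(f"{section}:")
        for item in (findings.items() if isinstance(findings, dict) else findings):
            print("   ", item)
```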

Offline guestolo

SDbot worm (msdirectx.sys)
« Reply #2 on: May 17, 2005, 07:51:56 PM »
Can you do the following for me please, before we tackle your log.

Go to START >> RUN, copy and paste the line below into the open field and then
click OK:

regedit /e C:\find.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe"

Then see if you can find this text file.

Manually navigate to
C:\find.txt
If you find it, can you copy and paste the contents back here.

Additionally, do the following:
Go to Device Manager
(right click My Computer > Hardware tab > Device Manager)
Select View from the menu
Under View, select *Show Hidden Devices*
Then go down to and expand (+)
*Non-Plug and Play Drivers*
Look for this entry:
msdirectx

Let me know if you find it.

NEXT:
==Download RKFiles.zip from the link
http://skads.org/special/rkfiles.zip
UNZIP the contents to its own folder.

==Download this virus checker from eScan:
Mwav.exe
There's nothing to install; save it to your desktop.
Double click to run eScan's Mwav scan.
It will self-extract.
Before running, you may want to disable Norton's Auto-Protect so it won't get in the way.
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
This may take a while; let it finish.
In the Virus Log Information pane,
left click and highlight all the info in the lower pane. Use the "CTRL" and "C" keys on your keyboard to copy all found in the lower pane and paste it back here.

****If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.
We just want to see where the bad guys are.

After posting the log from eScan's Mwav scan,

could you do the following:

Ensure you're in Safe Mode.
Set Windows to show hidden files and folders:
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View tab.
    * Under the Hidden files and folders heading, select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck Hide extensions for known file types.
    * Click Yes to confirm.
    * Click OK.

Open the folder you unzipped rkfiles.zip to.
Double click to run Rkfiles.bat.
Wait for the scan to finish; give this time.
When it's done a log will be produced; save this log.
By default, it is saved to C:\Log.txt
Post the log back here.

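The regedit export requested above targets the Image File Execution Options subkey for explorer.exe: a Debugger value under an IFEO subkey makes Windows launch the named program whenever that image starts, so what matters in C:\find.txt is whether such a value is present. As an added example (not from this thread; EXAMPLE_HIJACK.exe and the GlobalFlag sample are constructed), this Python script reads such an export, either in the UTF-16 form regedit writes or as text pasted into a post, and reports any Debugger values it finds.

```python
"""Read a regedit /e export of the Image File Execution Options key for
explorer.exe and report any Debugger value.

Added example; not part of the original thread.  A Debugger value under
IFEO\\<image> makes Windows start that program in place of the image
whenever it is launched, so a Debugger line in the export of the
explorer.exe key is what to look for.  EXAMPLE_HIJACK.exe is a
constructed placeholder, not a real file name.
"""
import re
import sys

SECTION_RE = re.compile(r"^\[(.+)\]$")
STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
TYPED_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(\w+(?:\(\d+\))?):(.*)$')
IFEO_KEY = "\\Image File Execution Options\\"

# Constructed sample of what C:\find.txt would hold if explorer.exe had a
# Debugger set.  regedit /e on Windows 2000/XP writes UTF-16LE with a BOM.
SAMPLE_TEXT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    "\\Image File Execution Options\\explorer.exe]\r\n"
    '"Debugger"="C:\\\\WINDOWS\\\\system32\\\\EXAMPLE_HIJACK.exe"\r\n'
)
SAMPLE_BYTES = b"\xff\xfe" + SAMPLE_TEXT.encode("utf-16-le")

# Constructed sample of the same key carrying only a harmless GlobalFlag.
CLEAN_TEXT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    "\\Image File Execution Options\\explorer.exe]\r\n"
    '"GlobalFlag"=dword:00000000\r\n'
)


def decode_reg_export(data):
    """Accept the UTF-16 file regedit writes, or text pasted into a post."""
    if isinstance(data, str):
        return data
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def unescape(s):
    """.reg files double backslashes and escape quotes inside strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key path: {value name: (type, raw data)}}.  Default (@=)
    values and multi-line hex continuations are skipped; they do not
    matter for the Debugger check."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = STRING_VALUE_RE.match(line)
        if m:
            keys[current][unescape(m.group(1))] = ("REG_SZ", unescape(m.group(2)))
            continue
        m = TYPED_VALUE_RE.match(line)
        if m:
            keys[current][unescape(m.group(1))] = (m.group(2), m.group(3))
    return keys


def ifeo_debuggers(keys):
    """(image name, debugger command) for every IFEO subkey with a Debugger."""
    hits = []
    for path, values in keys.items():
        if IFEO_KEY not in path:
            continue
        image = path.rsplit("\\", 1)[1]
        for name, (_kind, data) in values.items():
            if name.lower() == "debugger":
                hits.append((image, data))
    return hits


if __name__ == "__main__":
    # Pass the path of the exported find.txt, or run without arguments for the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BYTES
    found = ifeo_debuggers(parse_reg_export(decode_reg_export(data)))
    print(found or "no Debugger value set")
```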


Offline Catzmagee

SDbot worm (msdirectx.sys)
« Reply #3 on: May 18, 2005, 06:58:57 AM »
I couldn't find the find.txt file anywhere, but I found the msdirectx.

Here are the results from the scan; it said there were 18 viruses and around 300 errors.

My computer won't start in Safe Mode anymore, and the internet has been disabled now, saying a network cable is unplugged.

File C:\WINDOWS\System32\msconfig32.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\winjes.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\msconfig32.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\compqs.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\CATZ~1.SYL\MSDIRE~1.SYS infected by "Trojan.Win32.Rootkit.h" Virus! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5268D9E3-481E-11D4-A1A8-987654321000}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\ms98irsock_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5357DDDC-2FAE-11D4-8FD7-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{56CFF462-F1CB-11D4-A983-0060977EFFD4}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\anubisutils.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5A88E0ED-42A3-11D4-8BFB-0060084C152B}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6100E360-BB4A-4025-95FB-69CA629E4180}" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\vbfrext-7288971.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6701C9E9-3067-11D3-8164-00500403AC07}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epoc_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{69C6BDB0-8162-11d3-81A5-00500403AC07}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\cellphone_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{69E9B473-22E6-471D-8683-84BD1E4BECE1}" refers to invalid object "C:\Program Files\Winamp\Plugins\cddbcontrolwinamp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6ED96182-85EE-11D3-B2F3-006008559C91}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\sms_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{743FF640-2E08-11D3-815C-00500403AC07}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\status_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{762EA5BA-7289-11D4-9028-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{777AAC32-95B0-11D3-B307-006008559C91}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\sms_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7A3BAF1E-8E64-46ef-8684-6FCDC3BB881D}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\sms_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76603-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76617-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76627-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76637-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76647-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76657-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76667-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76677-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC76687-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC766A7-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7DC766B7-9051-11D4-9053-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{870A393C-9440-11D4-9056-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{89F307EE-CF23-11D3-820B-00500403AC07}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8DBFE843-D7DF-4cfc-B62C-05A6899139E2}" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\BWTargetInf.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{90914AA1-0A85-407B-AA90-AD5BE725D805}" refers to invalid object "E:\Acer\tools\LaunchRS.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{90E882E1-F5C4-11d4-A986-0060977EFFD4}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\anubisutils.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9EFBF860-5685-11D3-AA3D-00C04F4C5275}" refers to invalid object "cdooff.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A1842DD4-481C-11D4-A1A8-000000000000}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\msirsock_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A988112F-808C-11D3-81A4-00500403AC07}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\db_objects.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BB65CDD1-1F0E-11D3-8153-00500403AC07}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\cellphone_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BB7CDE7C-5FB0-46E5-A3F4-EF118FACE08B}" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\BWfiles-7288971.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BE1793FA-E9E6-453E-9A70-E35DB6151254}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\OCS\ObexOperationDll.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{bfe639ee-762e-46c4-ae7c-3c34ccc317ff}" refers to invalid object "C:\Program Files\Winamp\Plugins\cddbcontrolwinamp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}" refers to invalid object "C:\Program Files\Winamp\Plugins\cddbcontrolwinamp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C6F1797C-32F5-11D4-8FD9-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C6F17992-32F5-11D4-8FD9-006008530540}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\settings_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C9D4128F-64FB-11D3-817F-00500403AC07}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\obex_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CAEF9D56-0816-4984-BE91-B1B2ED801BE5}" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\BWCHelpr-7288971.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CB1CB9C8-B636-11D4-8277-00500403AC07}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\obexsyncreq_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CF6067D7-D10C-4767-B04C-148E6EBB1574}" refers to invalid object "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\BWfiles-7288971.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DED68E53-3B5B-418c-8F53-C32A4E5FE55F}" refers to invalid object "C:\Program Files\ScanSoft\OmniPageSE\OfficeAddin.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E63650CA-683C-495F-8FBF-122802B1713E}" refers to invalid object "C:\Program Files\Kodak\Kodak EasyShare software\AddIn\VistaRoadShow.cyx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{EECB7D0B-38B4-4db7-BC92-0F71A9289DB3}" refers to invalid object "C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\sms_object.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{f1110c60-736a-4d58-8e2a-4935dfcf9ac7}" refers to invalid object "C:\Program Files\Winamp\Plugins\cddbcontrolwinamp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{f2e9891e-0ce2-40bc-a6df-ed87c817b83d}" refers to invalid object "C:\Program Files\Winamp\Plugins\cddbcontrolwinamp.dll". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMSServer.Server" refers to invalid object "{845FB959-4279-11D2-BF23-00805FBE84A6}". Action Taken: No Action Taken.
Entry "HKCR\WMSServer.Server.9" refers to invalid object "{845FB959-4279-11D2-BF23-00805FBE84A6}". Action Taken: No Action Taken.
Entry "HKCR\ZToolbar.activator" refers to invalid object "{FFF5092F-7172-4018-827B-FA5868FB0478}". Action Taken: No Action Taken.
Entry "HKCR\ZToolbar.activator.1" refers to invalid object "{FFF5092F-7172-4018-827B-FA5868FB0478}". Action Taken: No Action Taken.
Entry "HKCR\ZToolbar.ParamWr" refers to invalid object "{D7BF3304-138B-4DD5-86EE-491BB6A2286C}". Action Taken: No Action Taken.
Entry "HKCR\ZToolbar.ParamWr.1" refers to invalid object "{D7BF3304-138B-4DD5-86EE-491BB6A2286C}". Action Taken: No Action Taken.
Entry "HKCR\ZToolbar.StockBar" refers to invalid object "{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}". Action Taken: No Action Taken.
Entry "HKCR\ZToolbar.StockBar.1" refers to invalid object "{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}". Action Taken: No Action Taken.
File C:\WINDOWS\cpa.exe infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\processview.exe infected by "IM-Worm.Win32.Prex.d" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\cpa.exe infected by "Trojan.Win32.Pakes" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindUpdates1.zip infected by "Password-protected-EXE" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP4\A0000094.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP4\A0000095.exe infected by "Backdoor.Win32.Agobot.abl" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP4\A0000111.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP4\A0000115.exe infected by "Trojan-Downloader.Win32.Small.aqt" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP9\A0002979.exe infected by "Trojan-Downloader.Win32.Small.xk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP9\A0002980.exe infected by "Trojan-Downloader.Win32.Small.xk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0012383.sys infected by "Trojan.Win32.Rootkit.h" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0012384.sys infected by "Trojan.Win32.Rootkit.h" Virus! Action Taken: No Action Taken.

Offline guestolo

SDbot worm (msdirectx.sys)
« Reply #4 on: May 18, 2005, 08:58:41 AM »
Just on my way out the door, but could you run Rkfiles.bat in Normal mode then and post the log please

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Catzmagee

SDbot worm (msdirectx.sys)
« Reply #5 on: May 18, 2005, 09:57:48 AM »
Here's the log file from normal mode..

C:\Documents and Settings\Catz\My Documents\Downloads\Catherine\rkfiles
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\t3odm.dll: UPX!
C:\WINDOWS\system32\ASPTV.EXE: UPX!
C:\WINDOWS\system32\ASPFM.EXE: UPX!
C:\WINDOWS\system32\t5rdv.dll: UPX!
C:\WINDOWS\system32\cpwiuy.dll: UPX!
C:\WINDOWS\system32\ecesq.dll: UPX!
C:\WINDOWS\system32\MACDec.dll: UPX!
C:\WINDOWS\system32\MonkeySource.ax: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............

Offline Catzmagee

SDbot worm (msdirectx.sys)
« Reply #6 on: May 18, 2005, 01:32:31 PM »
Just thought I should mention that the last time I ran HijackThis I had to go into safe mode, because when I loaded it in normal mode it just closed. Now I can't get my computer to run in safe mode at all; it just freezes, and I can't get HijackThis to run at all now.

thanks

Offline Catzmagee

SDbot worm (msdirectx.sys)
« Reply #7 on: May 19, 2005, 08:32:37 AM »
Bump

Offline guestolo

SDbot worm (msdirectx.sys)
« Reply #8 on: May 19, 2005, 05:00:47 PM »
Sorry for the late reply, getting ready for a short vacation

If you can get back to me tonight, can you let me know if you can run an earlier version
of Hijackthis

Please download it from HERE
UNZIP it to a permanent folder and then run a scan and post a fresh log

If you can't get this version to run, could you do the following please

Go to START>>RUN>>COPY AND PASTE the bold line into the open field and then
Click OK

regedit /e C:\find.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


Can you again do the following
Go to START>>RUN>>COPY AND PASTE the bold line into the open field and then
Click OK

regedit /e C:\find2.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

Then find these text files

C:\find.txt and C:\find2.txt
When you find them can you copy and paste the contents back here

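Added example (not guestolo's or the thread's code): a Python script that reads the find.txt / find2.txt text that the two `regedit /e` commands above write and flags Run values whose command is a bare file name with no folder, which is what the winjes.exe and msconfig32.exe entries in this thread look like. Windows resolves such a name through its executable search path at logon, so the registry value says nothing about where the file really lives. The sample export is constructed for the example and the function names are the example's own.

```python
"""Triage a `regedit /e` export of a Run key (added example, not thread code).

Parses the find.txt / find2.txt style text that `regedit /e` writes (names and
data quoted, backslashes doubled) and reports auto-start values whose command
is a bare file name with no directory.
"""
import re

# Constructed sample in the format regedit /e produces; the three values
# mirror the kind of find2.txt export posted in this thread.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Compaq Jes Drivers"="winjes.exe"
"Compaq32 Service Drivers"="msconfig32.exe"
'''

_SECTION_RE = re.compile(r'^\[(.+)\]$')
# "name"=data  or  @=data (default value); a name may contain escaped quotes
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    # Undo .reg escaping: a doubled backslash becomes one, \" becomes "
    return re.sub(r'\\(.)', r'\1', text)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for every section in the export."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip('\ufeff').strip()   # regedit writes UTF-16 with a BOM
        if not line or line.startswith('Windows Registry Editor') or line.startswith(';'):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = '@' if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            s = _STRING_RE.match(data)
            # REG_SZ data is quoted; dword:/hex: data is kept raw
            sections[current][name] = _unescape(s.group(1)) if s else data
    return sections


def image_path(command):
    """Extract the program a Run value launches from its command line."""
    command = command.strip()
    if command.startswith('"'):                  # "C:\Program Files\x.exe" /flag
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ''  # C:\x.exe /flag  or  x.exe


def suspicious_autoruns(sections, known_bare=('rundll32.exe',)):
    """List (key, name, command, reason) for entries that deserve a closer look.

    known_bare: lower-case file names that legitimately appear without a
    directory because they live in System32 (rundll32.exe is the usual one).
    """
    findings = []
    for key, values in sections.items():
        for name, command in values.items():
            exe = image_path(command)
            if not exe:
                continue
            bare = '\\' not in exe and '/' not in exe
            if bare and exe.lower() not in known_bare:
                findings.append((key, name, command,
                                 'bare file name, no directory: resolved via the search path at logon'))
    return findings


if __name__ == '__main__':
    for key, name, command, reason in suspicious_autoruns(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f'[{key}]\n  "{name}" = {command}\n  -> {reason}')
```

To run it on a real export, open the file with encoding 'utf-16' (regedit on XP writes Unicode exports) and pass the text to parse_reg_export. A bare name is a lead, not proof: SOUNDMAN.EXE in the HijackThis log in this thread is a Realtek file that legitimately sits in System32, which is why the script reports instead of deleting and why rundll32.exe is on the known-bare list.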
Offline Catzmagee

SDbot worm (msdirectx.sys)
« Reply #9 on: May 19, 2005, 07:44:24 PM »
hey,
I tried safe mode again and got HijackThis to run, so I got the new log:

Logfile of HijackThis v1.99.1
Scan saved at 01:34:58, on 20/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HJK\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 69.50.166.11 www.google.es
O1 - Hosts: 69.50.166.11 google.es
O1 - Hosts: 69.50.166.11 google.com.au
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 69.50.166.12 www.go.com
O1 - Hosts: 69.50.166.12 go.com
O1 - Hosts: 69.50.166.13 astalavista.com
O1 - Hosts: 69.50.166.13 www.astalavista.com
O1 - Hosts: 69.50.166.13 astalavista.box.sk
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1474CE44-8057-4AE3-8F3E-ED37C7C63D8A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KnobMonitor] C:\acer\KnobMonitor.exe
O4 - HKLM\..\Run: [MPS] C:\ACER\MPS.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [Compaq Jes Drivers] winjes.exe
O4 - HKLM\..\Run: [System] wumgrd32.exe
O4 - HKLM\..\RunServices: [Compaq Jes Drivers] winjes.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [System] wumgrd32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Compaq Jes Drivers] winjes.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq Jes Drivers] winjes.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: BT - {287E6E20-83C8-4B93-9D54-A2DECA6D0B98} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {44C0A121-B77B-4532-AD14-97E78F05A586} - http://bt.yahoo.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/providers...yer/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Knob Service (KNOBSERV) - Acer Inc. - c:\acer\KnobService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


I can't get much to work when using RUN; I can't locate find.txt, but I did find find2.txt:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Compaq Jes Drivers"="winjes.exe"
"Compaq32 Service Drivers"="msconfig32.exe"

Sorry I haven't been able to do much to assist you; my computer seems to be getting worse by the day.

Thanks for your help, it's very much appreciated.
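Added example, not from the thread: a Python triage script for the O1 lines in the HijackThis log above. A hosts-file mapping is consulted before DNS, so a public address beside google.co.uk or mail.yahoo.com silently sends those names to whoever controls that address; the only mappings a home PC normally needs point back at the machine itself (127.0.0.1, ::1, or 0.0.0.0 for ad blocking). The script also accepts plain hosts-file lines, which goes beyond what the log shows. The sample lines are constructed to match the log's pattern and the function names are the example's own.

```python
"""Spot hosts-file hijacks in HijackThis O1 lines or a raw hosts file.

Added example, not thread code. Every mapping whose target is not the local
machine is reported, grouped by the address the names are redirected to.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: O1 lines in the form HijackThis prints (same pattern as
# the log in this thread) plus two benign hosts-file lines for contrast.
SAMPLE_LINES = """\
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 69.50.166.11 www.google.es
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 69.50.166.13 astalavista.box.sk
127.0.0.1       localhost
0.0.0.0         ads.tracker.invalid   # sinkholed on purpose
"""

_O1_RE = re.compile(r'^O1 - Hosts:\s+(\S+)\s+(\S+)')


def parse_hosts_lines(text):
    """Yield (address, name) pairs from O1 lines and/or plain hosts-file lines."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop hosts-file comments
        if not line:
            continue
        m = _O1_RE.match(line)
        if m:
            yield m.group(1), m.group(2)
            continue
        parts = line.split()                     # "<ip> name1 name2 ..."
        if len(parts) >= 2:
            for name in parts[1:]:
                yield parts[0], name


def is_local_target(address):
    """True when the mapping keeps the name on this machine (loopback/unspecified)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False          # not even an address: treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def find_hijacks(text):
    """Return {address: sorted names} for every mapping that leaves the machine."""
    hijacks = defaultdict(set)
    for address, name in parse_hosts_lines(text):
        if not is_local_target(address):
            hijacks[address].add(name.lower())
    return {address: sorted(names) for address, names in hijacks.items()}


def report(text):
    """Human-readable summary, one line per redirected address."""
    lines = []
    for address, names in sorted(find_hijacks(text).items()):
        lines.append(f'{address} hijacks {len(names)} name(s): {", ".join(names)}')
    return '\n'.join(lines) or 'no non-local hosts mappings'


if __name__ == '__main__':
    print(report(SAMPLE_LINES))
```

A mapping that happens to point at a site's genuine address is still pinned outside DNS and still belongs on the removal list, which is why the check is "not local" rather than "known bad". On the XP machine in this thread the file itself is C:\WINDOWS\system32\drivers\etc\hosts, and the same script can be pointed at a copy of it.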

Offline guestolo

SDbot worm (msdirectx.sys)
« Reply #10 on: May 19, 2005, 11:59:47 PM »
Just so you know I'm not ignoring you, I'm on my way out to collect some last minute
travelling gear :)

I'll make sure I get you started on a fix tonight or I'll post first thing in the morning before I leave
and hope everything is well for you when I get back

Offline guestolo

SDbot worm (msdirectx.sys)
« Reply #11 on: May 20, 2005, 12:03:06 PM »
Can you do the following please
If you can't connect to the Internet, ensure you download msfix.zip and Killbox to one computer and transfer to the infected computer, as we will need them

Do the other download steps when you can connect again

==Download the Pocket Killbox
UNZIP it to a folder of your choice

==Download and Install this small program
to help clean your temp folders, cookies, etc.
Windows Cleanup
Give the link time to load or try it twice, it may be busy
Install for now, don't run a scan yet

==Download and then Install
Ewido Trojan Scanner

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido

==Download and UNZIP to desktop msfix.zip
So you now have msfix.reg extracted to the desktop
[attachment=235:attachment]

Please Print this out or save it to a Notepad file for reference
Disconnect from the Internet

In safe mode

Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off

Run EWIDO and do a Full system scan, save the report afterwards

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Create a new folder on your desktop,
Right click an empty spot>>Select NEW>>FOLDER
Name it Backups
Open your C:\WINDOWS\system32 folder
Left click and DRAG these files into the Backups folder on your desktop
DON'T copy and paste them; we want to remove them from their location, but not delete them until we know they're bad guys

t3odm.dll
ASPTV.EXE
ASPFM.EXE
t5rdv.dll
cpwiuy.dll
ecesq.dll


Also, delete msdirectx file again

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 69.50.166.11 www.google.es
O1 - Hosts: 69.50.166.11 google.es
O1 - Hosts: 69.50.166.11 google.com.au
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 69.50.166.12 www.go.com
O1 - Hosts: 69.50.166.12 go.com
O1 - Hosts: 69.50.166.13 astalavista.com
O1 - Hosts: 69.50.166.13 www.astalavista.com
O1 - Hosts: 69.50.166.13 astalavista.box.sk

O2 - BHO: (no name) - {1474CE44-8057-4AE3-8F3E-ED37C7C63D8A} - (no file)

O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [Compaq Jes Drivers] winjes.exe
O4 - HKLM\..\Run: [System] wumgrd32.exe
O4 - HKLM\..\RunServices: [Compaq Jes Drivers] winjes.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [System] wumgrd32.exe

O4 - HKCU\..\Run: [Compaq Jes Drivers] winjes.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq Jes Drivers] winjes.exe

O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

==Double click on msfix.reg and allow to add or Merge to the registry

==Run Pocket KillBox

In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in
Then click the Delete file button
The Red Circle with the White X
For any files that won't delete, we'll need those in a bit

C:\WINDOWS\System32\msconfig32.exe  

Continue to copy and paste the next path to the file below into killbox
Selecting Delete on Reboot afterwards

C:\WINDOWS\system32\winjes.exe
C:\WINDOWS\system32\compqs.exe
C:\WINDOWS\System32\wumgrd32.exe
c:\Windows\system32\msdirectx.sys
C:\WINDOWS\system32\tasker32.exe
C:\WINDOWS\system32\wininit16.exe
C:\DOCUME~1\CATZ~1.SYL\MSDIRE~1.SYS
C:\WINDOWS\Downloaded Program Files\WinAdCtlX.dll
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll
C:\WINDOWS\Downloaded Program Files\Install.dll
C:\WINDOWS\cpa.exe
C:\processview.exe


For any file that won't delete, again copy and paste that entry back into Killbox,
This time
Select the radio button to
 Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO
When you've entered the last path to the file
Allow the computer to Reboot
or Restart the computer anyways


Back in Windows
Go back to
Device Manager
(Right click My Computer > Hardware tab > device manager)
Select View from the menu
Under view, select *Show Hidden Devices*
Then go down to and expand (+)
*Non-Plug and Play Drivers*
Look for this entry:
msdirectx
Disable it (Reboot if prompted)

Then Uninstall it
Reboot again

Back in Windows
==Download and Unzip to a folder Hoster.zip
Open Hoster>>Click on "Restore Original Hosts"
OK it

I suggest that you do an Online Virus scan at Panda's
Save the report afterwards
http://www.pandasoftware.com/products/acti...n_principal.htm

After you're done, could you please run another scan with Hijackthis and post a fresh log
Try and run one from Normal mode
Also include the report from Ewido's and the one from Panda's
« Last Edit: May 20, 2005, 12:54:36 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
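A defender's way to read a HijackThis log like the one above in bulk, as an added example (my code, not HijackThis or anything posted in this thread): it parses the O1, O4 and O16 lines and flags the same patterns guestolo is ticking here, hosts entries that send real domains to a non-loopback address, startup entries under RunServices or that name a bare executable, and ActiveX (DPF) downloads for which HijackThis showed no control name. The sample lines are constructed from entries quoted in this thread; the severity labels and the rules themselves are my own choices.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: entries quoted in this thread plus two benign lines
# (ashDisp.exe, ctfmon.exe) so the output shows what is NOT flagged.
SAMPLE_LOG = [
    r"O1 - Hosts: 69.50.166.11 google.co.uk",
    r"O1 - Hosts: 66.218.75.184 mail.yahoo.com",
    r"O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe",
    r"O4 - HKLM\..\RunServices: [System] wumgrd32.exe",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe",
    r"O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab",
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409",
]

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]+)\}(?: \((.*?)\))? - (\S+)$")


def first_token(command):
    """Executable part of a Run-key command, honouring a quoted path with spaces."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]


def triage_line(line):
    """Return (severity, explanation) for a suspicious line, or None if nothing stands out."""
    m = O1_RE.match(line)
    if m:
        ip, host = m.groups()
        if ip in LOOPBACK:
            return None  # pointing a host at loopback is a normal, benign hosts-file use
        return ("high", f"hosts file resolves {host} to {ip}; the browser reaches that server, not the real site")

    m = O4_RE.match(line)
    if m:
        hive, key, name, command = m.groups()
        exe = first_token(command)
        if key.startswith("RunServices"):
            # RunServices is a Windows 9x/ME autorun key that NT-based Windows does not
            # process, so on an XP box it is written by something spraying every autorun spot.
            return ("high", f"{hive} {key} entry [{name}] -> {exe}: RunServices is not used by NT-based Windows")
        if "\\" not in exe and ":" not in exe:
            # A bare filename resolves through the search path; the analyst must locate the file.
            return ("medium", f"{hive} {key} entry [{name}] runs bare filename {exe}; locate the file and check its publisher")
        return None

    m = O16_RE.match(line)
    if m:
        clsid, friendly, url = m.groups()
        if not friendly:
            host = urlsplit(url).hostname or "?"
            return ("medium", f"ActiveX control {clsid} downloaded from {host} has no registered name; review before trusting")
        return None

    return None


def triage(lines):
    """Run triage_line over a whole log; returns [(severity, line, explanation), ...]."""
    findings = []
    for line in lines:
        line = line.rstrip()
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], line, hit[1]))
    return findings


if __name__ == "__main__":
    for severity, line, why in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {line}\n         {why}")
```

The bare-filename rule is deliberately only "medium": the clean log later in this thread carries `[CHotkey] mHotkey.exe`, an Acer hotkey helper that also has no path, so the rule tells the analyst where to look rather than what to delete. The hosts rule is the strong one; a real domain mapped to an arbitrary address is exactly the redirect that made the Google and Yahoo entries above worth fixing.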


Offline Catzmagee

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
SDbot worm (msdirectx.sys)
« Reply #12 on: May 20, 2005, 05:54:28 PM »
Here is the scan report from ewidos:-

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         23:22:02, 20/05/2005
 + Report-Checksum:      6A5D678C

 + Date of database:      20/05/2005
 + Version of scan engine:   v3.0

 + Duration:            34 min
 + Scanned Files:         85479
 + Speed:            41.65 Files/Second
 + Infected files:         14
 + Removed files:         14
 + Files put in quarantine:      14
 + Files that could not be opened:   0
 + Files that could not be cleaned:   0

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\

 + Scan result:
   C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0018458.sys -> Trojan.Rootkit.h -> Cleaned with backup
   C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0018459.sys -> Trojan.Rootkit.h -> Cleaned with backup
   C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0018466.sys -> Trojan.Rootkit.h -> Cleaned with backup
   C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0018467.sys -> Trojan.Rootkit.h -> Cleaned with backup
   C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0018481.sys -> Trojan.Rootkit.h -> Cleaned with backup
   C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0018482.sys -> Trojan.Rootkit.h -> Cleaned with backup
   C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0019488.sys -> Trojan.Rootkit.h -> Cleaned with backup
   C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0020487.sys -> Trojan.Rootkit.h -> Cleaned with backup
   C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0020488.sys -> Trojan.Rootkit.h -> Cleaned with backup
   C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0020499.sys -> Trojan.Rootkit.h -> Cleaned with backup
   C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0021694.sys -> Trojan.Rootkit.h -> Cleaned with backup
   C:\System Volume Information\_restore{8BB5CD45-F3A8-4B25-ABE2-30B5AC5C0DB1}\RP14\A0021695.exe -> Trojan.Pakes -> Cleaned with backup
   C:\!Submit\MSDIRE~1.SYS -> Trojan.Rootkit.h -> Cleaned with backup
   C:\!Submit\cpa.exe -> Trojan.Pakes -> Cleaned with backup


::Report End



And the new hijack this log:-

Logfile of HijackThis v1.98.2
Scan saved at 23:52:33, on 20/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\acer\KnobService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\YPCSER~1.EXE
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\acer\KnobMonitor.exe
C:\ACER\MPS.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\WINDOWS\CNYHKey.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KnobMonitor] C:\acer\KnobMonitor.exe
O4 - HKLM\..\Run: [MPS] C:\ACER\MPS.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: BT - {287E6E20-83C8-4B93-9D54-A2DECA6D0B98} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {44C0A121-B77B-4532-AD14-97E78F05A586} - http://bt.yahoo.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/providers...yer/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C319C1A1-B0A2-4E7E-89A9-25C970431204}: NameServer = 194.72.9.39 194.74.65.87


I was able to run it from normal mode, the virus seems to have gone and everything seems to be back to working. I didn't run Panda because when I was half way through I got a virus alert up coming from the Panda connection and I am very wary now. Thank you very much. You've been great.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
SDbot worm (msdirectx.sys)
« Reply #13 on: May 23, 2005, 01:55:16 AM »
I'm not sure if I understand this at all, you should have finished the Panda Virus scan

Quote
i didnt run panda because when i was half way through i got a virus alert up coming from the panda connection

Can you go back and finish the virus scan with Panda's please and then include the report
Allow Panda's to fix what it can
You may have to possibly temporarily disable Avast's protection so it won't interfere with the Panda scan

Also

When done, could you then update your version of Hijackthis to the latest and run another scan and post a fresh log
You can redownload Hijackthis 1.99.1 from my signature below



Predogz

  • Guest
SDbot worm (msdirectx.sys)
« Reply #14 on: May 25, 2005, 05:01:32 AM »
My problem was a worm called 'msdirectx.sys'. I ran Microsoft Antispyware, AVG 7.0, and another anti-worm program called Adware Away. Even after running all 3 of these programs I would still have the bug. It had control of my task manager, would not let me update Windows, would not let me run McAfee.
Note that some of these programs did in fact find msdirectx.sys and remove it, but it kept reappearing anyway. What it was doing was spawning another file of a similar name called 'mspg.exe' that would recreate the file and put it in my start up programs almost as soon as it was removed.
What I had to do to remove it was boot in safe mode, run the msconfig utility, and remove the secondary file from my Start up list. Then I rebooted in safe mode.
I removed all instances of msdirectx from my C: drive. Then I checked windows/prefetch and searched for any instances of the secondary file 'mspg' and deleted them. Then I searched for msdirectx in the registry, as well as the secondary file, and deleted all entries.
Then I rebooted and I was finally clean. I immediately updated Windows, McAfee, and all other security programs.
Note that neither my McAfee nor Windows was up to date, which was completely foolish on my part. Also know that this worm would not even let me on the internet to use the Symantec, McAfee or Windows site with any browser I tried. Internet Explorer was totally hijacked by it, so much so that I'm afraid to use it again. One other thing worth noting is that it was preventing any firewall services from running on my computer by disabling and stopping the service called 'Remote Access Connection Manager'. When you tried to restore the service it would just say 'access is denied'.
This bug was very frustrating and took me a week to figure out how to beat it. I'm currently in school for software development, and I am computer savvy - to a point. But I'll tell ya - this worm had me thinking reinstall Windows at the worst points of it. It's very much like a personal attack when I can't do what I want on it in my own home. I hope that this information can help you to help anyone else who may get this worm.

Good Luck All - Predogz

Offline Catzmagee

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
SDbot worm (msdirectx.sys)
« Reply #15 on: May 29, 2005, 02:06:46 PM »
hey,

Sorry it's taken me ages to reply, I kept having problems. I tried the Panda virus scan again but when the screen came up to choose what I wanted to scan it kept saying there was an error. I used the latest HijackThis and got the new log:-

Logfile of HijackThis v1.99.1
Scan saved at 19:23:33, on 29/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\acer\KnobService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\YPCSER~1.EXE
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\acer\KnobMonitor.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Techclinic Help\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [KnobMonitor] C:\acer\KnobMonitor.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [System32] crsvvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/providers...yer/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Knob Service (KNOBSERV) - Acer Inc. - c:\acer\KnobService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
SDbot worm (msdirectx.sys)
« Reply #16 on: May 29, 2005, 02:11:59 PM »
What error? Try again and post the results of the scan
Seems you just waited until you were reinfected to post back
Your log is no longer clean
« Last Edit: May 30, 2005, 01:08:24 AM by guestolo »



Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
SDbot worm (msdirectx.sys)
« Reply #17 on: May 29, 2005, 03:32:14 PM »
I've been reminded that the issue may be out of your control
Thanks to CreteMon for reminding me

Can you do the following please and see if it is any help

Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"

Also, Can you check the following please to see if they are correct
 
 Under the Security tab | Custom Level
Check ActiveX security settings:
Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled) or prompt
o Script ActiveX controls marked safe for scripting (Prompt)

Then try the scan at Panda's again, see if that is any help

Could you also do the following
Download:  Registry Search Tool from this link
http://billsway.com/vbspage/

Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run

In the open field copy and paste the below in bold then hit OK

msdirectx

Wait for the results and post them back here
« Last Edit: May 29, 2005, 03:33:25 PM by guestolo »

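The ActiveX settings guestolo lists live as DWORD values under the Internet zone key in the registry, so the check can be scripted instead of clicked through. This is an added example (my code, not a tool from this thread): the value names `1001`, `1004`, `1200`, `1201` and `1405` and the meanings 0 = Enable, 1 = Prompt, 3 = Disable are my recollection of Microsoft's KB 182569 on security-zone registry entries and should be treated as an assumption to verify; the two sample zone mappings are constructed, and the registry read only runs on Windows.

```python
import sys

# Internet zone (zone 3) value names and the state guestolo asks for.
# DWORD meanings: 0 = Enable, 1 = Prompt, 3 = Disable.
# Value names are my recollection of Microsoft KB 182569 (assumption, verify there).
EXPECTED = {
    "1001": ("Download signed ActiveX controls", {1}),                           # Prompt
    "1004": ("Download unsigned ActiveX controls", {3}),                         # Disable
    "1201": ("Initialize and script ActiveX controls not marked as safe", {3}),  # Disable
    "1200": ("Run ActiveX controls and plug-ins", {0, 1}),                       # Enable or Prompt
    "1405": ("Script ActiveX controls marked safe for scripting", {1}),          # Prompt
}
STATE = {0: "Enable", 1: "Prompt", 3: "Disable", None: "missing"}

# Constructed sample zones: one where every control setting was left on Enable,
# and the corrected one matching the list above.
WEAK_ZONE = {"1001": 0, "1004": 0, "1201": 0, "1200": 0, "1405": 0}
HARDENED_ZONE = {"1001": 1, "1004": 3, "1201": 3, "1200": 0, "1405": 1}


def audit_activex(zone):
    """Compare a {value_name: dword} mapping against EXPECTED.

    Returns one (value_name, description, current_state, allowed_states) tuple per
    setting that is missing or outside its allowed set; an empty list means compliant.
    """
    findings = []
    for name, (desc, allowed) in EXPECTED.items():
        current = zone.get(name)
        if current not in allowed:
            findings.append((name, desc, STATE.get(current, str(current)),
                             [STATE[v] for v in sorted(allowed)]))
    return findings


def read_internet_zone():
    """Read the live per-user Internet zone values (Windows only)."""
    import winreg  # imported here so the module still loads on non-Windows hosts
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    zone = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for name in EXPECTED:
            try:
                zone[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # absent value: audit_activex reports it as "missing"
    return zone


if __name__ == "__main__":
    zone = read_internet_zone() if sys.platform == "win32" else WEAK_ZONE
    for name, desc, current, allowed in audit_activex(zone):
        print(f"{name} {desc}: is {current}, should be {' or '.join(allowed)}")
    if not audit_activex(zone):
        print("Internet zone ActiveX settings match the recommended values")
```

A missing value is reported rather than silently passed, because an absent DWORD means the zone falls back to whatever the template default is, which is not the same as having verified the setting. If a domain policy applies, the same value names may also be set under HKLM and override the per-user key; this script reads only HKCU.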


Offline Catzmagee

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
SDbot worm (msdirectx.sys)
« Reply #18 on: May 30, 2005, 11:55:57 AM »
I had exams and wasn't on my computer much, but when I did go on I kept getting virus warnings saying it was back. I kept repeating the process and did so before I sent you the new HijackThis log. I have finally managed to get the Panda scan working, thanks :)


Incident                      Status            Location
Adware:Adware/SaveNow         No disinfected    Windows Registry
Adware:Adware/WUpd            No disinfected    C:\WINDOWS\system32\a95kfrhe.ini
Spyware:Spyware/YourSiteBar   No disinfected    Windows Registry
Virus:W32/Gaobot.FAI.worm     Disinfected       C:\WINDOWS\system32\TFTP2648
Virus:W32/Sdbot.CUU.worm      Disinfected       C:\WINDOWS\system32\systeminfos.exe
Adware:Adware/SaveNow         No disinfected    C:\WINDOWS\system32\baur5s9q.dat
Adware:Adware/SaveNow         No disinfected    C:\WINDOWS\system32\q10pvbrv.dat
Adware:Adware/WUpd            No disinfected    C:\WINDOWS\system32\ap9h4qmo.ini
Adware:Adware/SAHAgent        No disinfected    C:\WINDOWS\system32\ritsacnk.dat
Adware:Adware/WUpd            No disinfected    C:\WINDOWS\system32\a95kfrhe.ini
Adware:Adware/SaveNow         No disinfected    C:\WINDOWS\system32\ap2nqrd4.dat
Virus:W32/Gaobot.FCZ.worm     Disinfected       C:\WINDOWS\system32\msmsngr.exe
Adware:Adware/AzeSearch       No disinfected    C:\Program Files\HijackThis\backups\backup-20050520-214537-547.inf


And this is the report from the registry search tool:-

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "msdirectx" 30/05/2005 17:53:55

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_MSDIRECTX]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_MSDIRECTX]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_MSDIRECTX]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_MSDIRECTX]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_MSDIRECTX]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\msdirectx]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\msdirectx]
"DisplayName"="msdirectx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\msdirectx\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_MSDIRECTX]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_MSDIRECTX]


Thought I should send a new HijackThis log file: sorry if it isn't needed

Logfile of HijackThis v1.99.1
Scan saved at 17:55:14, on 30/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\acer\KnobService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\YPCSER~1.EXE
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\acer\KnobMonitor.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Techclinic Help\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [KnobMonitor] C:\acer\KnobMonitor.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ST5UNST Uninstaller.LNK = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://courses.learndirect.co.uk/providers...yer/awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email Removed.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C319C1A1-B0A2-4E7E-89A9-25C970431204}: NameServer = 194.72.9.39 194.74.65.87
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Knob Service (KNOBSERV) - Acer Inc. - c:\acer\KnobService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Thanx

Offline Catzmagee

SDbot worm (msdirectx.sys)
« Reply #19 on: June 01, 2005, 02:17:19 PM »
bump