massive problem on other computer!!

#1 anil_ks, 16-02-2008, 10:56 PM
massive problem on other computer!!

Hi. The other day the family computer started playing up and has gradually got worse.

At first I noticed a lot of pos.tmp files in 'My Documents' and in C:\. Then I noticed it became very slow, and pop-up messages warned me about problems with the computer. I have McAfee Internet Security, but I must admit it is the 2006 edition.

I went on the internet and on to Kaspersky's website to get an online scan. As it was in progress the internet became very slow and stopped working altogether. From then on nothing has worked (internet, programs, virus scan, etc.). The only thing I can do is click on the Start button.

As my computer loads up, none of my desktop icons are visible and Windows has changed to the classic look.

A message also pops up with the message:

HEADED - important - potential errors found in the system

During a scan of files at system startup, potential errors in the system registry were found. p-07-0100 irql: 1f SYSVER 0xff00024
NT_kernel error 1256
KMODE_EXCEPTION_NOT_HANDLED

After a while another window pops up saying:

A potential problem has been detected and Windows has been shut down buggy application to prevent damage to your computer.
****WXYZ.SYS - address f73120AE base at C00000, DateStamp 36b072A3
kernel debugger Using: COM2 (Port 0x28f, Baud rate 192000)

A short while after this message another message pops up stating:

This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM.

Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.

The computer will then sometimes turn off or freeze, so I have to turn it off myself by flicking the power switch!

Please, someone help!

THANKING YOU IN ADVANCE!
#2 Neal, 17-02-2008, 04:41 PM
Re: massive problem on other computer!!

Sounds like it is too late for this computer.

Nothing we can do unless we get a HijackThis log.

If you have to, you can burn the program to disk and bring it to your dying PC.

Go here: Read This First - IMPORTANT Instructions for instructions on using HijackThis.

Good luck.
#3 anil_ks, 17-02-2008, 08:46 PM
Re: massive problem on other computer!!

Hey, took me a while but here's my HijackThis list:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:30:46, on 17/02/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\StorageProtector\strpmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\Mp***ent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Documents and Settings\vikrensimraj\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dial.blueyonder.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F3 - REG:win.ini: load=C:\WINDOWS\System32\txwaiony\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\txwaiony\csrss.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\Documents and Settings\vikrensimraj\Local Settings\Temporary Internet Files\Content.IE5\CF9JYEVP\WFI[1].exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
O4 - HKLM\..\Run: [McafWelcome] C:\Program Files\McAfee.com\Agent\mcwelcom.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\StorageProtector\strpmon.exe" dm=http://storageprotector.com ad=http://storageprotector.com sd=http://inspaid.storageprotector.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WinFixer2005] "C:\Program Files\WinFixer_2005\uwfx5.exe" /min
O4 - HKCU\..\Run: [DefySeek] C:\DOCUME~1\VIKREN~1\APPLIC~1\grimlite\Corn does active.exe
O4 - HKCU\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /M "Stylus C66" /EF "HKCU"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinSpooler.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: worsock.dll
O10 - Unknown file in Winsock LSP: worsock.dll
O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epson-europe.com/sel...g/ESTPTest.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VIKREN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/VIKREN~1/LOCALS~1/Temp/msohtml1/01/clip_image001.gif

--
End of file - 10991 bytes


Hope it helps!
#4 Neal, 17-02-2008, 10:37 PM
Re: massive problem on other computer!!

Please download MsnVirRem.exe to your desktop from one of the following mirrors.
  • First close any other programs you have running, as this will require a reboot.
  • Double click MsnVirRem.exe to run it.
  • Once open, click the button labelled "Search and Destroy".
    <<Your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected. Click OK.
  • Now click the "REBOOT" button.
  • After the reboot, you WILL receive file-not-found errors (usually 4); please acknowledge them and continue.
  • A message should pop up from MsnVirRem; if not, double click the program again and it will finish.
Please post the contents of C:\msnvirrem.log.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads, the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
  • Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

Also, you do not have any Microsoft security updates. You must get them after the above is done, or we cannot help you, as you will be infected again in a matter of minutes.

HERE

http://www.microsoft.com/windowsxp/d...1/default.mspx

Do not get Service Pack 2 on an infected PC, only Service Pack 1a.
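The log in #3 and Neal's point in #4 that the machine has no Microsoft security updates can both be checked mechanically. What follows is an added example, not code from this thread or from HijackThis: a Python triage pass over the entry types HijackThis prints, using lines excerpted from the log above as its sample input. The indicators it applies (a Windows core process name such as csrss.exe or smss.exe running from anywhere but System32, win.ini load=/run= hooks, Policies\Explorer\Run autostarts, autostarts from temp or browser-cache directories, a startup shortcut with an unresolved target, unknown Winsock LSPs, services with an unknown owner or missing binary, and a Platform line with no service pack) are this example's own rule set, and the assumption that HijackThis writes the service pack into the Platform line, e.g. "Windows XP SP2", is marked in the code.

```python
"""Triage pass over a HijackThis 2.0.2 log for the classic XP-era indicators.

Added example for this thread, not code from the thread or from HijackThis.
The SAMPLE_LOG lines are excerpted from the log posted in #3; the rules and
the Finding type are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows core processes that only ever run from %SystemRoot%\System32.
CORE_PROCESSES = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe", "services.exe"}
SYSTEM32 = r"c:\windows\system32"

# Directories from which nothing legitimate autostarts (8.3 aliases included).
TRANSIENT_DIRS = ("temporary internet files", "\\temp\\", "\\locals~1\\",
                  "application data", "\\applic~1\\")

# "O4 - HKLM\..\Run: [name] path"  ->  section "O4", rest "HKLM\..\Run: [name] path"
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
# First Windows path ending in a binary extension; spaces allowed because HJT often leaves paths unquoted.
PATH_RE = re.compile(r"([a-z]:\\.+?\.(?:exe|dll|com|sys|ocx|scr))\b", re.I)
# Assumption about HJT's header: it prints e.g. "Platform: Windows XP SP2 (WinNT 5.01.2600)".
PLATFORM_RE = re.compile(r"^Platform: (Windows [^(]+?)\s*\(")


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section tag ("F3", "O4", "O23") or "Platform"
    reason: str
    line: str


def _check_entry(section: str, rest: str) -> Optional[str]:
    """Return why one HJT entry is suspicious, or None if these rules see nothing."""
    low = rest.lower()
    m = PATH_RE.search(rest)
    path = m.group(1).lower() if m else ""
    parent, _, name = path.rpartition("\\")

    if name in CORE_PROCESSES and parent != SYSTEM32:
        return f"core process name {name} outside System32"
    if section == "F3":
        return "win.ini load=/run= autostart (legacy hook, unused by modern software)"
    if section == "O4" and "policies\\explorer\\run" in low:
        return "Policies\\Explorer\\Run autostart (rarely legitimate)"
    if section == "O4" and any(d in path for d in TRANSIENT_DIRS):
        return "autostart from a temp, cache or profile-data directory"
    if section == "O4" and low.startswith("startup:") and low.endswith("= ?"):
        return "startup shortcut whose target cannot be resolved"
    if section == "O10" and "unknown file" in low:
        return "unknown Winsock LSP (can intercept all socket traffic)"
    if section == "O23" and ("unknown owner" in low or "(file missing)" in low):
        return "service with unknown owner or missing binary"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries these rules flag, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        pm = PLATFORM_RE.match(line)
        if pm:
            if "SP" not in pm.group(1):
                findings.append(Finding("Platform", f"{pm.group(1)} with no service pack", line))
            continue
        em = ENTRY_RE.match(line)
        if not em:
            continue                      # header, running-process list or blank line
        section, rest = em.groups()
        reason = _check_entry(section, rest)
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


# Excerpt of the log posted in #3 (benign QuickTime and NVIDIA lines kept as controls).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F3 - REG:win.ini: load=C:\WINDOWS\System32\txwaiony\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\txwaiony\csrss.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\Documents and Settings\vikrensimraj\Local Settings\Temporary Internet Files\Content.IE5\CF9JYEVP\WFI[1].exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DefySeek] C:\DOCUME~1\VIKREN~1\APPLIC~1\grimlite\Corn does active.exe
O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinSpooler.exe
O4 - Startup: csrss.lnk = ?
O10 - Unknown file in Winsock LSP: worsock.dll
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the excerpt, the pass flags the Platform line, both F3 hooks, five O4 entries, the O10 LSP and the NETDown service, and leaves the QuickTime and NVIDIA entries alone; the same rules on the full log above also pick up the O4 entry for the Viewpoint-style autostart only where its path hits one of the listed directories, so a clean result from this script is a starting point for a manual read, not a clean bill of health.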
#5 anil_ks, 17-02-2008, 10:44 PM
Re: massive problem on other computer!!

Would any of these actions you posted damage files on the computer, e.g. documents, pictures, etc.?
#6 anil_ks, 17-02-2008, 11:27 PM
Re: massive problem on other computer!!

Here's the report:


MsnVirRem Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to msnvirremOLD.log

Fix running from: C:\Documents and Settings\vikrensimraj\Desktop
17/02/2008
22:04:43

---Infection Files Found---
C:\Documents and Settings\vikrensimraj\Start Menu\Programs\Startup\csrss.lnk
C:\WINDOWS\System32\taskkill.com
C:\WINDOWS\System32\netstat.com

Rebooting...
Fixing Registry Permissions...
Editing Registry...
Fixing Host File...
**Fix Complete!**
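Two of the three files MsnVirRem reports in #6, taskkill.com and netstat.com, sit in System32 beside the genuine taskkill.exe and netstat.exe. That placement is what makes them dangerous: cmd.exe resolves a bare command name by walking the search path directory by directory and, within each directory, trying the PATHEXT extensions in order, and the default PATHEXT on Windows XP lists .COM before .EXE, so typing taskkill or netstat in a console runs the .com copy. The Python model of that lookup below, together with a check that lists such shadowing pairs, is an added example and not part of the thread or of MsnVirRem; the directory listing and the search path in it are constructed.

```python
"""Why a dropped taskkill.com or netstat.com in System32 hijacks the console command.

Added example for this thread, not code from the thread or from MsnVirRem.
It models how cmd.exe resolves a bare command name: each directory in the
search path in order, and within a directory each PATHEXT extension in order.
XP's default PATHEXT puts .COM ahead of .EXE, so a netstat.com beside
netstat.exe wins. The directory listing and the search path are constructed.
"""
import ntpath
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Default PATHEXT on Windows XP, in the order cmd.exe tries the extensions.
XP_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE", ".JS", ".JSE", ".WSF", ".WSH")

SYSTEM32 = r"C:\WINDOWS\System32"
# cmd.exe looks in the current directory first, then the PATH entries in order (constructed here).
SEARCH_PATH = (r"C:\Documents and Settings\vikrensimraj", r"C:\WINDOWS", SYSTEM32)

# Constructed listing: the genuine tools plus the two .com files MsnVirRem reported.
INFECTED_LISTING: Dict[str, Set[str]] = {
    r"C:\Documents and Settings\vikrensimraj": {"notes.txt"},
    r"C:\WINDOWS": {"explorer.exe", "notepad.exe"},
    SYSTEM32: {"cmd.exe", "taskkill.exe", "netstat.exe", "taskkill.com", "netstat.com"},
}


def resolve(command: str, search_path: Sequence[str], listing: Dict[str, Set[str]],
            pathext: Sequence[str] = XP_PATHEXT) -> Optional[str]:
    """Return the file cmd.exe would run for `command`, or None if nothing matches.

    A name typed without an extension gets each PATHEXT extension appended in
    order; a name typed with an extension is looked up literally. Matching is
    case-insensitive, as on Windows.
    """
    has_ext = bool(ntpath.splitext(command)[1])
    candidates = [command] if has_ext else [command + ext for ext in pathext]
    for directory in search_path:
        names = {n.lower(): n for n in listing.get(directory, ())}
        for cand in candidates:
            if cand.lower() in names:
                return ntpath.join(directory, names[cand.lower()])
    return None


def shadowed_commands(directory: str, listing: Dict[str, Set[str]],
                      pathext: Sequence[str] = XP_PATHEXT) -> List[Tuple[str, List[str]]]:
    """Detection check: base names present with more than one PATHEXT extension in
    one directory. Returns (file that wins, [files it hides]) pairs, sorted by name."""
    rank = {ext.lower(): i for i, ext in enumerate(pathext)}
    variants: Dict[str, List[str]] = {}
    for name in listing.get(directory, ()):
        base, ext = ntpath.splitext(name.lower())
        if ext in rank:
            variants.setdefault(base, []).append(ext)
    pairs: List[Tuple[str, List[str]]] = []
    for base, exts in sorted(variants.items()):
        if len(exts) > 1:
            exts.sort(key=rank.__getitem__)          # the lowest PATHEXT rank wins the lookup
            pairs.append((base + exts[0], [base + e for e in exts[1:]]))
    return pairs


if __name__ == "__main__":
    for cmd in ("netstat", "netstat.exe", "taskkill"):
        print(f"{cmd:12} -> {resolve(cmd, SEARCH_PATH, INFECTED_LISTING)}")
    for winner, hidden in shadowed_commands(SYSTEM32, INFECTED_LISTING):
        print(f"{winner} shadows {', '.join(hidden)}")
```

The practical consequence for anyone cleaning such a machine by hand is the one the model shows: typing the full name with its extension (netstat.exe, taskkill.exe) bypasses the planted .com, and a directory that contains the same base name under two PATHEXT extensions deserves a look before anything in it is trusted.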
#7 anil_ks, 18-02-2008, 12:36 AM
Re: massive problem on other computer!!

here is the SDFix report:


SDFix: Version 1.143

Run by vikrensimraj on 17/02/2008 at 22:49

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\VIKREN~1\Desktop\SDFix

Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Checking Files:

Trojan Files Found:

C:\~WRD0001.TMP - Deleted
C:\WINDOWS\system32\afqvnarogm\csrss.ini - Deleted
C:\WINDOWS\system32\ahdxpxy\csrss.ini - Deleted
C:\WINDOWS\system32\ajuoasgy\csrss.ini - Deleted
C:\WINDOWS\system32\aopvdnil\csrss.ini - Deleted
C:\WINDOWS\system32\aqgjuq\csrss.ini - Deleted
C:\WINDOWS\system32\avwtxmlx\csrss.ini - Deleted
C:\WINDOWS\system32\awohopyak\csrss.ini - Deleted
C:\WINDOWS\system32\baqlxg\csrss.ini - Deleted
C:\WINDOWS\system32\bbatwbpw\csrss.ini - Deleted
C:\WINDOWS\system32\bbhisjv\csrss.ini - Deleted
C:\WINDOWS\system32\bdujytmdpm\csrss.ini - Deleted
C:\WINDOWS\system32\bgdmgzlj\csrss.ini - Deleted
C:\WINDOWS\system32\bgwvllxogs\csrss.ini - Deleted
C:\WINDOWS\system32\bgxswg\csrss.ini - Deleted
C:\WINDOWS\system32\bhdfxlrxg\csrss.ini - Deleted
C:\WINDOWS\system32\bmvchcoufz\csrss.ini - Deleted
C:\WINDOWS\system32\bnpjupwk\csrss.ini - Deleted
C:\WINDOWS\system32\bojhfvo\csrss.ini - Deleted
C:\WINDOWS\system32\bpegmo\csrss.ini - Deleted
C:\WINDOWS\system32\bvnzxq\csrss.ini - Deleted
C:\WINDOWS\system32\bwjttsw\csrss.ini - Deleted
C:\WINDOWS\system32\bxgujgvwd\csrss.ini - Deleted
C:\WINDOWS\system32\bycnlpfnvo\csrss.ini - Deleted
C:\WINDOWS\system32\cafctjrq\csrss.ini - Deleted
C:\WINDOWS\system32\cainjzlnv\csrss.ini - Deleted
C:\WINDOWS\system32\cazkcj\csrss.ini - Deleted
C:\WINDOWS\system32\cegmjei\csrss.ini - Deleted
C:\WINDOWS\system32\cfxzeugj\csrss.ini - Deleted
C:\WINDOWS\system32\ckbtnykae\csrss.ini - Deleted
C:\WINDOWS\system32\clquwny\csrss.ini - Deleted
C:\WINDOWS\system32\cpnuuyd\csrss.ini - Deleted
C:\WINDOWS\system32\cqrunokln\csrss.ini - Deleted
C:\WINDOWS\system32\crdqqkm\csrss.ini - Deleted
C:\WINDOWS\system32\cumizxg\csrss.ini - Deleted
C:\WINDOWS\system32\cvowfrm\csrss.ini - Deleted
C:\WINDOWS\system32\cxvlhdf\csrss.ini - Deleted
C:\WINDOWS\system32\cyoocgemf\csrss.ini - Deleted
C:\WINDOWS\system32\dfseyprpde\csrss.ini - Deleted
C:\WINDOWS\system32\dgjaxgyfhv\csrss.ini - Deleted
C:\WINDOWS\system32\diascu\csrss.ini - Deleted
C:\WINDOWS\system32\dixhmejgcm\csrss.ini - Deleted
C:\WINDOWS\system32\djnaqsoep\csrss.ini - Deleted
C:\WINDOWS\system32\djzolenfy\csrss.ini - Deleted
C:\WINDOWS\system32\dlipxy\csrss.ini - Deleted
C:\WINDOWS\system32\doobegq\csrss.ini - Deleted
C:\WINDOWS\system32\dufznx\csrss.ini - Deleted
C:\WINDOWS\system32\dwrlpgqy\csrss.ini - Deleted
C:\WINDOWS\system32\dwwqwyct\csrss.ini - Deleted
C:\WINDOWS\system32\ecbdcc\csrss.ini - Deleted
C:\WINDOWS\system32\eelifle\csrss.ini - Deleted
C:\WINDOWS\system32\eessrlyky\csrss.ini - Deleted
C:\WINDOWS\system32\efnpel\csrss.ini - Deleted
C:\WINDOWS\system32\ekyezis\csrss.ini - Deleted
C:\WINDOWS\system32\elzlwpeutp\csrss.ini - Deleted
C:\WINDOWS\system32\eqpcggws\csrss.ini - Deleted
C:\WINDOWS\system32\erpwuer\csrss.ini - Deleted
C:\WINDOWS\system32\esgtrbfgp\csrss.ini - Deleted
C:\WINDOWS\system32\euwdpvjohl\csrss.ini - Deleted
C:\WINDOWS\system32\eybrqv\csrss.ini - Deleted
C:\WINDOWS\system32\eyubvhje\csrss.ini - Deleted
C:\WINDOWS\system32\fbspkuch\csrss.ini - Deleted
C:\WINDOWS\system32\fcmnwauau\csrss.ini - Deleted
C:\WINDOWS\system32\fgunjdsp\csrss.ini - Deleted
C:\WINDOWS\system32\fhpkwdc\csrss.ini - Deleted
C:\WINDOWS\system32\flqpagtdhd\csrss.ini - Deleted
C:\WINDOWS\system32\fnybltihe\csrss.ini - Deleted
C:\WINDOWS\system32\fqnqwxf\csrss.ini - Deleted
C:\WINDOWS\system32\ftqzsqmhs\csrss.ini - Deleted
C:\WINDOWS\system32\fwcdnfpog\csrss.ini - Deleted
C:\WINDOWS\system32\gfqvvhmq\csrss.ini - Deleted
C:\WINDOWS\system32\ghattpd\csrss.ini - Deleted
C:\WINDOWS\system32\ghcefrm\csrss.ini - Deleted
C:\WINDOWS\system32\gpdfwohc\csrss.ini - Deleted
C:\WINDOWS\system32\gqapuxiza\csrss.ini - Deleted
C:\WINDOWS\system32\gqdxqugmxq\csrss.ini - Deleted
C:\WINDOWS\system32\gtivrhsxv\csrss.ini - Deleted
C:\WINDOWS\system32\gyfvpsx\csrss.ini - Deleted
C:\WINDOWS\system32\gygkrzsxe\csrss.ini - Deleted
C:\WINDOWS\system32\gzfnjywlo\csrss.ini - Deleted
C:\WINDOWS\system32\hajifofpha\csrss.ini - Deleted
C:\WINDOWS\system32\haqqwc\csrss.ini - Deleted
C:\WINDOWS\system32\hbckcm\csrss.ini - Deleted
C:\WINDOWS\system32\hbdgob\csrss.ini - Deleted
C:\WINDOWS\system32\hdupri\csrss.ini - Deleted
C:\WINDOWS\system32\hhqblsl\csrss.ini - Deleted
C:\WINDOWS\system32\hkjwzb\csrss.ini - Deleted
C:\WINDOWS\system32\hlbiyfst\csrss.ini - Deleted
C:\WINDOWS\system32\hnjmcy\csrss.ini - Deleted
C:\WINDOWS\system32\hpaugznfa\csrss.ini - Deleted
C:\WINDOWS\system32\hqshbpk\csrss.ini - Deleted
C:\WINDOWS\system32\hqtgfd\csrss.ini - Deleted
C:\WINDOWS\system32\hqxngoezh\csrss.ini - Deleted
C:\WINDOWS\system32\htdyrji\csrss.ini - Deleted
C:\WINDOWS\system32\hvtpaly\csrss.ini - Deleted
C:\WINDOWS\system32\hwhdzrwul\csrss.ini - Deleted
C:\WINDOWS\system32\hxziphk\csrss.ini - Deleted
C:\WINDOWS\system32\imloborro\csrss.ini - Deleted
C:\WINDOWS\system32\infpcavcz\csrss.ini - Deleted
C:\WINDOWS\system32\iuguisnif\csrss.ini - Deleted
C:\WINDOWS\system32\iwchwz\csrss.ini - Deleted
C:\WINDOWS\system32\ixsaztfvz\csrss.ini - Deleted
C:\WINDOWS\system32\jdxvkypai\csrss.ini - Deleted
C:\WINDOWS\system32\jhzyuikoa\csrss.ini - Deleted
C:\WINDOWS\system32\jhzzsosr\csrss.ini - Deleted
C:\WINDOWS\system32\jirmnfpn\csrss.ini - Deleted
C:\WINDOWS\system32\jnzbcpi\csrss.ini - Deleted
C:\WINDOWS\system32\jqbopg\csrss.ini - Deleted
C:\WINDOWS\system32\jqgktsoh\csrss.ini - Deleted
C:\WINDOWS\system32\jqxhnbrh\csrss.ini - Deleted
C:\WINDOWS\system32\jwtcwq\csrss.ini - Deleted
C:\WINDOWS\system32\kaimkvxcc\csrss.ini - Deleted
C:\WINDOWS\system32\kbhhwzaarf\csrss.ini - Deleted
C:\WINDOWS\system32\kejvfda\csrss.ini - Deleted
C:\WINDOWS\system32\kgznjr\csrss.ini - Deleted
C:\WINDOWS\system32\kiokcqekbj\csrss.ini - Deleted
C:\WINDOWS\system32\klaozyz\csrss.ini - Deleted
C:\WINDOWS\system32\kodosl\csrss.ini - Deleted
C:\WINDOWS\system32\kpcripbeh\csrss.ini - Deleted
C:\WINDOWS\system32\kpctecqlmh\csrss.ini - Deleted
C:\WINDOWS\system32\kvovhnyob\csrss.ini - Deleted
C:\WINDOWS\system32\kyaaaiiygj\csrss.ini - Deleted
C:\WINDOWS\system32\lacuuuvzsf\csrss.ini - Deleted
C:\WINDOWS\system32\laegiqwa\csrss.ini - Deleted
C:\WINDOWS\system32\lfuzmalj\csrss.ini - Deleted
C:\WINDOWS\system32\lfyxke\csrss.ini - Deleted
C:\WINDOWS\system32\llnlbl\csrss.ini - Deleted
C:\WINDOWS\system32\lnddhtlp\csrss.ini - Deleted
C:\WINDOWS\system32\lqhdczu\csrss.ini - Deleted
C:\WINDOWS\system32\lrfjkdjrku\csrss.ini - Deleted
C:\WINDOWS\system32\lttgaipoay\csrss.ini - Deleted
C:\WINDOWS\system32\lttgcbil\csrss.ini - Deleted
C:\WINDOWS\system32\maunegpxw\csrss.ini - Deleted
C:\WINDOWS\system32\meufavilh\csrss.ini - Deleted
C:\WINDOWS\system32\mgjavo\csrss.ini - Deleted
C:\WINDOWS\system32\mhdzchgb\csrss.ini - Deleted
C:\WINDOWS\system32\miywrb\csrss.ini - Deleted
C:\WINDOWS\system32\mlehyjboei\csrss.ini - Deleted
C:\WINDOWS\system32\mopwsrjyx\csrss.ini - Deleted
C:\WINDOWS\system32\mzzqqgf\csrss.ini - Deleted
C:\WINDOWS\system32\mzzyvhobl\csrss.ini - Deleted
C:\WINDOWS\system32\najfvww\csrss.ini - Deleted
C:\WINDOWS\system32\ncsghpfc\csrss.ini - Deleted
C:\WINDOWS\system32\nczzwwqif\csrss.ini - Deleted
C:\WINDOWS\system32\ndvitfrgn\csrss.ini - Deleted
C:\WINDOWS\system32\ndwivzjcyw\csrss.ini - Deleted
C:\WINDOWS\system32\nlztarg\csrss.ini - Deleted
C:\WINDOWS\system32\nmidtfsw\csrss.ini - Deleted
C:\WINDOWS\system32\nmuqnrrww\csrss.ini - Deleted
C:\WINDOWS\system32\nqvwsviui\csrss.ini - Deleted
C:\WINDOWS\system32\ntarzqyv\csrss.ini - Deleted
C:\WINDOWS\system32\ntxjdsajop\csrss.ini - Deleted
C:\WINDOWS\system32\nwgcjr\csrss.ini - Deleted
C:\WINDOWS\system32\nxdoasgan\csrss.ini - Deleted
C:\WINDOWS\system32\nxyrxb\csrss.ini - Deleted
C:\WINDOWS\system32\obtlyfvb\csrss.ini - Deleted
C:\WINDOWS\system32\oeyizsimzw\csrss.ini - Deleted
C:\WINDOWS\system32\oezwhhgxbs\csrss.ini - Deleted
C:\WINDOWS\system32\ogoscax\csrss.ini - Deleted
C:\WINDOWS\system32\ogqluwi\csrss.ini - Deleted
C:\WINDOWS\system32\ojcrmxz\csrss.ini - Deleted
C:\WINDOWS\system32\omhnts\csrss.ini - Deleted
C:\WINDOWS\system32\otpefd\csrss.ini - Deleted
C:\WINDOWS\system32\oynsijj\csrss.ini - Deleted
C:\WINDOWS\system32\panhzhgxb\csrss.ini - Deleted
C:\WINDOWS\system32\pattfzxr\csrss.ini - Deleted
C:\WINDOWS\system32\pdcvozoud\csrss.ini - Deleted
C:\WINDOWS\system32\petkdi\csrss.ini - Deleted
C:\WINDOWS\system32\piquamsij\csrss.ini - Deleted
C:\WINDOWS\system32\pqblfoj\csrss.ini - Deleted
C:\WINDOWS\system32\pqwqxocgo\csrss.ini - Deleted
C:\WINDOWS\system32\psmidw\csrss.ini - Deleted
C:\WINDOWS\system32\pzuyrb\csrss.ini - Deleted
C:\WINDOWS\system32\qdvmafcos\csrss.ini - Deleted
C:\WINDOWS\system32\qgwbhpjk\csrss.ini - Deleted
C:\WINDOWS\system32\qjeflhxx\csrss.ini - Deleted
C:\WINDOWS\system32\qluqhh\csrss.ini - Deleted
C:\WINDOWS\system32\qluzjozhm\csrss.ini - Deleted
C:\WINDOWS\system32\qpraff\csrss.ini - Deleted
C:\WINDOWS\system32\qrltcpffp\csrss.ini - Deleted
C:\WINDOWS\system32\qtshgurtgy\csrss.ini - Deleted
C:\WINDOWS\system32\qtwpelhco\csrss.ini - Deleted
C:\WINDOWS\system32\qurkvzdlfb\csrss.ini - Deleted
C:\WINDOWS\system32\rchvyr\csrss.ini - Deleted
C:\WINDOWS\system32\regqjwfcms\csrss.ini - Deleted
C:\WINDOWS\system32\rewpysxj\csrss.ini - Deleted
C:\WINDOWS\system32\rfxgwlhmp\csrss.ini - Deleted
C:\WINDOWS\system32\rjxytaz\csrss.ini - Deleted
C:\WINDOWS\system32\rncdpa\csrss.ini - Deleted
C:\WINDOWS\system32\royyihtwal\csrss.ini - Deleted
C:\WINDOWS\system32\rqixbig\csrss.ini - Deleted
C:\WINDOWS\system32\rtrrghpu\csrss.ini - Deleted
C:\WINDOWS\system32\sdzpdqmjg\csrss.ini - Deleted
C:\WINDOWS\system32\shybndarqm\csrss.ini - Deleted
C:\WINDOWS\system32\skfqnubmme\csrss.ini - Deleted
C:\WINDOWS\system32\sogykww\csrss.ini - Deleted
C:\WINDOWS\system32\srrozqtqf\csrss.ini - Deleted
C:\WINDOWS\system32\ssqinoolf\csrss.ini - Deleted
C:\WINDOWS\system32\swjlnvbgzc\csrss.ini - Deleted
C:\WINDOWS\system32\szteuo\csrss.ini - Deleted
C:\WINDOWS\system32\tahpcwv\csrss.ini - Deleted
C:\WINDOWS\system32\tbbqchyts\csrss.ini - Deleted
C:\WINDOWS\system32\tdnjnewc\csrss.ini - Deleted
C:\WINDOWS\system32\thrrbd\csrss.ini - Deleted
C:\WINDOWS\system32\tkubxwnfy\csrss.ini - Deleted
C:\WINDOWS\system32\tkwnjywj\csrss.ini - Deleted
C:\WINDOWS\system32\tnjpno\csrss.ini - Deleted
C:\WINDOWS\system32\tqqxerckp\csrss.ini - Deleted
C:\WINDOWS\system32\trijbbsdtp\csrss.ini - Deleted
C:\WINDOWS\system32\tuvmbe\csrss.ini - Deleted
C:\WINDOWS\system32\tweoldx\csrss.ini - Deleted
C:\WINDOWS\system32\txwaiony\csrss.ini - Deleted
C:\WINDOWS\system32\ubxppyv\csrss.ini - Deleted
C:\WINDOWS\system32\ugidmp\csrss.ini - Deleted
C:\WINDOWS\system32\uifofknm\csrss.ini - Deleted
C:\WINDOWS\system32\uiywqdc\csrss.ini - Deleted
C:\WINDOWS\system32\uiyxmprn\csrss.ini - Deleted
C:\WINDOWS\system32\uloikjvvi\csrss.ini - Deleted
C:\WINDOWS\system32\unvxmupno\csrss.ini - Deleted
C:\WINDOWS\system32\uopxpzk\csrss.ini - Deleted
C:\WINDOWS\system32\upqnpmm\csrss.ini - Deleted
C:\WINDOWS\system32\uryaxfjbg\csrss.ini - Deleted
C:\WINDOWS\system32\utuefrnwd\csrss.ini - Deleted
C:\WINDOWS\system32\uyjxluuckc\csrss.ini - Deleted
C:\WINDOWS\system32\veufaxcd\csrss.ini - Deleted
C:\WINDOWS\system32\vgbwvbsfdi\csrss.ini - Deleted
C:\WINDOWS\system32\vhaqhfu\csrss.ini - Deleted
C:\WINDOWS\system32\vlztcntvh\csrss.ini - Deleted
C:\WINDOWS\system32\vomwbqgurz\csrss.ini - Deleted
C:\WINDOWS\system32\vpeaua\csrss.ini - Deleted
C:\WINDOWS\system32\vqaupbu\csrss.ini - Deleted
C:\WINDOWS\system32\vquafiuitx\csrss.ini - Deleted
C:\WINDOWS\system32\vquzhcned\csrss.ini - Deleted
C:\WINDOWS\system32\vrqkawdjqg\csrss.ini - Deleted
C:\WINDOWS\system32\vslhpqfv\csrss.ini - Deleted
C:\WINDOWS\system32\vsoqiaspzg\csrss.ini - Deleted
C:\WINDOWS\system32\vwlzklgmwt\csrss.ini - Deleted
C:\WINDOWS\system32\vwmyozr\csrss.ini - Deleted
C:\WINDOWS\system32\vxgxvsxfh\csrss.ini - Deleted
C:\WINDOWS\system32\vxjfujoo\csrss.ini - Deleted
C:\WINDOWS\system32\vyyiuwgu\csrss.ini - Deleted
C:\WINDOWS\system32\wcuvks\csrss.ini - Deleted
C:\WINDOWS\system32\wecfbmf\csrss.ini - Deleted
C:\WINDOWS\system32\wfbbidxle\csrss.ini - Deleted
C:\WINDOWS\system32\wllutf\csrss.ini - Deleted
C:\WINDOWS\system32\wnheou\csrss.ini - Deleted
C:\WINDOWS\system32\wr***t\csrss.ini - Deleted
C:\WINDOWS\system32\xmafcgend\csrss.ini - Deleted
C:\WINDOWS\system32\xnaxygv\csrss.ini - Deleted
C:\WINDOWS\system32\xqjrzrtkv\csrss.ini - Deleted
C:\WINDOWS\system32\xryvaelqb\csrss.ini - Deleted
C:\WINDOWS\system32\xtivsfzf\csrss.ini - Deleted
C:\WINDOWS\system32\xvymahpw\csrss.ini - Deleted
C:\WINDOWS\system32\xwwlxcst\csrss.ini - Deleted
C:\WINDOWS\system32\xzaqhezrd\csrss.ini - Deleted
C:\WINDOWS\system32\xzgcnx\csrss.ini - Deleted
C:\WINDOWS\system32\yajaas\csrss.ini - Deleted
C:\WINDOWS\system32\ybgsbb\csrss.ini - Deleted
C:\WINDOWS\system32\yduovuko\csrss.ini - Deleted
C:\WINDOWS\system32\yeuijsgitr\csrss.ini - Deleted
C:\WINDOWS\system32\ygazdbdoja\csrss.ini - Deleted
C:\WINDOWS\system32\yjnceyj\csrss.ini - Deleted
C:\WINDOWS\system32\ynorhuf\csrss.ini - Deleted
C:\WINDOWS\system32\yqrtwtlug\csrss.ini - Deleted
C:\WINDOWS\system32\ytaoxeik\csrss.ini - Deleted
C:\WINDOWS\system32\ywjqjxs\csrss.ini - Deleted
C:\WINDOWS\system32\yxgqez\csrss.ini - Deleted
C:\WINDOWS\system32\yyzbfxevi\csrss.ini - Deleted
C:\WINDOWS\system32\zbdgpzkul\csrss.ini - Deleted
C:\WINDOWS\system32\zkasxx\csrss.ini - Deleted
C:\WINDOWS\system32\zmhixoea\csrss.ini - Deleted
C:\WINDOWS\system32\znbggadxf\csrss.ini - Deleted
C:\WINDOWS\system32\zovnsutr\csrss.ini - Deleted
C:\WINDOWS\system32\zozworqec\csrss.ini - Deleted
C:\WINDOWS\system32\zqlhsunx\csrss.ini - Deleted
C:\WINDOWS\system32\zwxdmrbngb\csrss.ini - Deleted
C:\DOCUME~1\VIKREN~1\LOCALS~1\Temp\temp_01.exe - Deleted
C:\WINDOWS\system32\alog.txt - Deleted
C:\WINDOWS\system32\cmds.txt - Deleted
C:\WINDOWS\system32\conf.dat - Deleted
C:\WINDOWS\system32\cs.dat - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\rc.dat - Deleted
C:\WINDOWS\system32\unifff.dll - Deleted
C:\WINDOWS\system32\WinSpooler.exe - Deleted
C:\WINDOWS\system32\WinUpdating.exe - Deleted



Folder C:\WINDOWS\Fonts\' - Removed


Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 23:04:27
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:e6,3e,b2,ae,cc,ef,bc,2d,a4,e6,8d,c6,91,5c,06,38,00,c6,a4,d7,81,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:e6,3e,b2,ae,cc,ef,bc,2d,a4,e6,8d,c6,91,5c,06,38,00,c6,a4,d7,81,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:e6,3e,b2,ae,cc,ef,bc,2d,a4,e6,8d,c6,91,5c,06,38,00,c6,a4,d7,81,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000046
"TracesSuccessful"=dword:00000010

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services:



Authorized Application Key Export:

Remaining Files:


File Backups: - C:\DOCUME~1\VIKREN~1\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 17 Feb 2008 19,128 ..SH. --- "C:\WINDOWS\system32\ipeztqga.dllbox"
Mon 6 Sep 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 6 Sep 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv15.bak"
Mon 6 Sep 2004 400 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Mon 6 Sep 2004 48 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Sun 29 Feb 2004 58,368 ...H. --- "C:\Documents and Settings\vikrensimraj\My Documents\My Received Files\~WRL0464.tmp"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Wed 4 Oct 2006 3,072,000 A..H. --- "C:\Documents and Settings\vikrensimraj\Application Data\U3\temp\Launchpad Removal.exe"
Mon 6 Sep 2004 4,348 ...H. --- "C:\Documents and Settings\vikrensimraj\My Documents\My Music\License Backup\drmv1key.bak"
Sun 10 Oct 2004 401 A..H. --- "C:\Documents and Settings\vikrensimraj\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 6 Sep 2004 400 ...H. --- "C:\Documents and Settings\vikrensimraj\My Documents\My Music\License Backup\drmv2key.bak"
Sun 10 Oct 2004 1,536 A..H. --- "C:\Documents and Settings\vikrensimraj\My Documents\My Music\License Backup\drmv2lic.bak"

Finished!
#8
18-02-2008, 12:43 AM
anil_ks (Junior Member, Join Date: Sep 2006, Posts: 38)
Re: massive problem on other computer!!

And this is the new HijackThis report, hope it helps:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:41:23, on 17/02/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\vikrensimraj\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dial.blueyonder.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\Documents and Settings\vikrensimraj\Local Settings\Temporary Internet Files\Content.IE5\CF9JYEVP\WFI[1].exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
O4 - HKLM\..\Run: [McafWelcome] C:\Program Files\McAfee.com\Agent\mcwelcom.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WinFixer2005] "C:\Program Files\WinFixer_2005\uwfx5.exe" /min
O4 - HKCU\..\Run: [DefySeek] C:\DOCUME~1\VIKREN~1\APPLIC~1\grimlite\Corn does active.exe
O4 - HKCU\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /M "Stylus C66" /EF "HKCU"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: worsock.dll
O10 - Unknown file in Winsock LSP: worsock.dll
O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epson-europe.com/sel...g/ESTPTest.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VIKREN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/VIKREN~1/LOCALS~1/Temp/msohtml1/01/clip_image001.gif

--
End of file - 10372 bytes
#9
18-02-2008, 01:48 AM
Neal (Senior Member, Join Date: Sep 2005, Posts: 5,524)
Re: massive problem on other computer!!

Quote:
would any of these actions you posted damage files on the computer. e.g documents, pictures, e.t.c
No but the infections you have can!

You should have a little breathing room now.

I need you to uninstall Messenger Plus! 3 from Add/Remove Programs, as it has given you a LOP infection. Reboot after the uninstall.



Download and unzip the following to a new folder:
http://metallica.geekstogo.com/findlop.zip


Inside the folder locate findlop.bat

Double click it and it will create the file C:\findlop.txt
Find that file and copy and paste the contents into your next post.




Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.



Open Hijackthis.

Click the "Open the Misc Tools" section Button.

Click the "Open Uninstall Manager" Button.

Click the "Save list..." Button.

Save it to your desktop. Copy and paste the contents into your reply.


New hijackthis log also please.
Last edited by Neal; 18-02-2008 at 06:50 AM.
#10
18-02-2008, 04:33 AM
anil_ks (Junior Member, Join Date: Sep 2006, Posts: 38)
Re: massive problem on other computer!!

I did what you said, but VundoFix could not delete one file. It was system32\cbxvtrr.dll.
I tried deleting it about 5 times, but it never went, even when it rebooted.

Here's the VundoFix log:


VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 01:07:47 18/02/2008

Listing files found while scanning....

C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\cbxvtrr.dll
C:\WINDOWS\system32\cfgoieyf.dll
C:\WINDOWS\system32\iiffgfe.dll
C:\WINDOWS\system32\iifggdd.dll
C:\WINDOWS\System32\ipeztqga.dll
C:\windows\system32\ipeztqga.dllbox
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.ini2
C:\WINDOWS\system32\opnmnll.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\awtqn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxvtrr.dll
C:\WINDOWS\system32\cbxvtrr.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\cfgoieyf.dll
C:\WINDOWS\system32\cfgoieyf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iiffgfe.dll
C:\WINDOWS\system32\iiffgfe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifggdd.dll
C:\WINDOWS\system32\iifggdd.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ipeztqga.dll
C:\WINDOWS\System32\ipeztqga.dll Has been deleted!

Attempting to delete C:\windows\system32\ipeztqga.dllbox
C:\windows\system32\ipeztqga.dllbox Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtwa.ini2
C:\WINDOWS\system32\nqtwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnmnll.dll
C:\WINDOWS\system32\opnmnll.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cbxvtrr.dll
C:\WINDOWS\system32\cbxvtrr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 01:41:25 18/02/2008

Listing files found while scanning....

C:\WINDOWS\system32\cbxvtrr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cbxvtrr.dll
C:\WINDOWS\system32\cbxvtrr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cbxvtrr.dll
C:\WINDOWS\system32\cbxvtrr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 02:13:00 18/02/2008

Listing files found while scanning....

C:\WINDOWS\system32\cbxvtrr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cbxvtrr.dll
C:\WINDOWS\system32\cbxvtrr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cbxvtrr.dll
C:\WINDOWS\system32\cbxvtrr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...





uninstall list:


Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
Adobe Shockwave Player
Apple Software Update
AVG 7.5
Azureus Vuze
blueyonder Instant Support Tool
Citrix ICA Web Client
EPSON PhotoQuicker3.5
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Web-To-Page
ESC66 Reference Guide
ESC66 Software Guide
FinePixViewer Ver.4.2
FUJIFILM USB Driver
HijackThis 2.0.2
ImageMixer VCD2 for FinePix
iTunes
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment Standard Edition v1.3.1_04
Kaspersky Online Scanner
LimeWire
LimeWire 4.14.12
McAfee Uninstall Wizard
Medi@Show
Microsoft Data Access Components KB870669
Microsoft Internet Explorer 6 SP1
Microsoft Office XP Professional with FrontPage
Microsoft Windows Journal Viewer
MicroStaff WINASPI
My DSC
Nero - Burning Rom
NVIDIA Drivers
Outlook Express Q823353
Packard Bell Portable MP3 Player
PowerDVD
Presto! Mr.Photo 3
QuickTime
RAW FILE CONVERTER LE
RealPlayer
ScanToWeb
SigmaTel MSCN Audio Player
Sony USB Driver
SopCast 2.0.4
SoundMAX
Spybot - Search & Destroy 1.3
TVAnts 1.0
VIA Rhine-Family Fast Ethernet Adapter
Viewpoint Manager (Remove Only)
WinAce Archiver
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Application Compatibility Update[Q319580]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839643
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB887822
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q311967 for more information]
Windows XP Hotfix (SP1) [See Q313450 for more information]
Windows XP Hotfix (SP1) [See Q314862 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
Windows XP Hotfix (SP1) [See Q317277 for more information]
Windows XP Hotfix (SP1) [See Q318138 for more information]
Windows XP Hotfix (SP1) [See Q323172 for more information]
Windows XP Hotfix (SP1) [See Q324096 for more information]
Windows XP Hotfix (SP1) [See Q324380 for more information]
Windows XP Hotfix (SP1) [See Q326830 for more information]
Windows XP Hotfix (SP1) [See Q328940 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP1) Q819696
Windows XP Hotfix (SP2) [See Q329115 for more information]



hijack log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:28:54, on 18/02/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Documents and Settings\vikrensimraj\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dial.blueyonder.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {25BE2418-6C95-418F-BE03-0D9B9354A167} - C:\WINDOWS\system32\cbxvtrr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {465047D5-856C-66A1-625E-6C9A6AE9514E} - C:\DOCUME~1\VIKREN~1\APPLIC~1\filelies\popdupe.exe (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B0DD4019-81B2-42A3-B76F-5D8E8EBD8A05} - C:\WINDOWS\System32\awtqn.dll (file missing)
O2 - BHO: {e2ecce1a-fce6-1e9a-d464-1ff0f64076ab} - {ba67046f-0ff1-464d-a9e1-6ecfa1ecce2e} - C:\WINDOWS\System32\hyafflgi.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0802] "C:\Documents and Settings\vikrensimraj\Local Settings\Temporary Internet Files\Content.IE5\CF9JYEVP\WFI[1].exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
O4 - HKLM\..\Run: [McafWelcome] C:\Program Files\McAfee.com\Agent\mcwelcom.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WinFixer2005] "C:\Program Files\WinFixer_2005\uwfx5.exe" /min
O4 - HKCU\..\Run: [DefySeek] C:\DOCUME~1\VIKREN~1\APPLIC~1\grimlite\Corn does active.exe
O4 - HKCU\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /M "Stylus C66" /EF "HKCU"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: worsock.dll
O10 - Unknown file in Winsock LSP: worsock.dll
O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epson-europe.com/sel...g/ESTPTest.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VIKREN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/VIKREN~1/LOCALS~1/Temp/msohtml1/01/clip_image001.gif

--
End of file - 11617 bytes


hope to hear from you soon !!!
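HijackThis lists autostart points but does not judge them, so the reader has to triage the log by hand. The script below is an added example, not the poster's log analysis and not part of HijackThis; it applies a few structural heuristics a log reviewer reaches for first (an O10 LSP module the tool cannot identify, an O23 service whose file is missing or that uses a core Windows binary name outside System32, O4/O24 entries loading from profile or Temp directories, and a product name on an analyst-kept rogue list, here only WinFixer, which was widely documented as rogue "optimiser" software). The sample log is a handful of lines copied from the post above plus two benign entries; the rule lists and the `triage`/`by_section` names are this example's own assumptions. Findings are leads to verify, not a verdict on the machine.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a few lines from the log above plus two benign entries
# (AVG, NVIDIA) so the rules have something to leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [WinFixer2005] "C:\Program Files\WinFixer_2005\uwfx5.exe" /min
O4 - HKCU\..\Run: [DefySeek] C:\DOCUME~1\VIKREN~1\APPLIC~1\grimlite\Corn does active.exe
O10 - Unknown file in Winsock LSP: worsock.dll
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/VIKREN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
--
End of file - 11617 bytes
"""

# Core Windows binaries whose legitimate home is %SystemRoot%\System32; the same
# name anywhere else is a classic masquerade. Analyst-maintained list (assumption).
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
# Per-user profile and Temp locations (8.3 and long forms) that legitimate
# startup programs rarely use but droppers usually do.
PROFILE_DIRS = ("\\applic~1\\", "\\application data\\",
                "\\locals~1\\temp\\", "\\local settings\\temp\\")
# Product names the analyst already knows as rogue software (assumption: kept
# up to date out of band). WinFixer is a documented example of the era.
KNOWN_ROGUE = ("winfixer",)

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter path ending in an executable extension; stops at quotes/commas.
PATH_RE = re.compile(r'[a-z]:\\[^",]*?\.(?:exe|dll|sys)\b', re.I)


@dataclass(frozen=True)
class Finding:
    section: str      # HijackThis section code, e.g. "O23"
    reasons: tuple    # one short string per rule that fired
    line: str         # the original log line


def _reasons(section, body, line):
    """Apply every heuristic to one log entry; return the reasons that fired."""
    reasons = []
    # Normalise slashes so file:/// URLs (O24) hit the same directory patterns.
    low = line.lower().replace("/", "\\")
    if section == "O10" and body.startswith("Unknown file in Winsock LSP"):
        reasons.append("Winsock LSP module HijackThis cannot identify; it sits in every socket call, verify it")
    if section == "O23":
        if "(file missing)" in body:
            reasons.append("service points at a file that is no longer on disk")
        if " - Unknown owner - " in body:
            reasons.append("service binary carries no vendor name")
    if any(name in low for name in KNOWN_ROGUE):
        reasons.append("name matches the analyst's rogue-software list")
    if any(d in low for d in PROFILE_DIRS):
        reasons.append("loads from a user-writable profile/Temp directory")
    for path in PATH_RE.findall(line):
        head, base = ntpath.split(path)
        if base.lower() in SYSTEM32_ONLY and not head.lower().endswith("\\system32"):
            reasons.append(f"{base} outside System32: core-binary name used as a disguise")
    return reasons


def triage(log_text):
    """Parse a HijackThis log and return the entries that tripped a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, "--", "End of file" and blanks
        section, body = m.groups()
        reasons = _reasons(section, body, line)
        if reasons:
            findings.append(Finding(section, tuple(reasons), line))
    return findings


def by_section(findings):
    """Count findings per HijackThis section, e.g. {"O4": 2, "O23": 1}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run against the sample, the benign AVG and NVIDIA entries pass while the WinFixer, DefySeek, O10, NETDown and O24 lines are reported; the NETDown service trips three rules at once (missing file, no vendor, smss.exe outside System32). A rule match is a prompt to check the file's origin, signature and hash, not proof of infection, and the lists above need to be extended for a different log.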

