My Pc Is Infected, Pls Help!

Comments

51 comments

  • Customer

    Hello, and thank you for your reply.

     

    I carried out the procedure above up to the point where I was trying to delete some files. Out of the four listed above, only one was present but I am unable to delete it:

     

    C:\WINDOWS\system32\mszsrn32.dll<---This file

    0
  • Customer

    Hello, beginner, and welcome.

     

    --------------

     

    Please download ComboFix and save it to your desktop.

     

    (Don't run it just yet.)

     

    --------------

     

    View hidden files and folders:

    Click Start.

    Open My Computer.

    Select the Tools menu and click Folder Options.

    Select the View Tab.

    Under the Hidden files and folders heading select Show hidden files and folders.

    Uncheck the Hide protected operating system files (recommended) option.

    Click Yes to confirm.

    Click OK.

     

    ---------------

     

    1. Please download LSPFix from here.

    2. Run the LSPFix.exe that you have just finished downloading.

    3. Check the I know what I'm doing box.

    4. In the Keep box you should see one or more instances of rsvp32_2.dll.

    5. Select every instance of rsvp32_2.dll and move each one to the Remove box by clicking the >> button.

    6. When you are done click Finish>>.

     

    ----------------

     

    Run HijackThis

    Scan and when it finishes, put a check mark only next to these following items : (if present)

     

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

     

    O1 - Hosts: AmsServer

     

    O2 - BHO: C:\WINDOWS\lbbho.dll - {4FD72F7F-E614-435E-B20C-B98EB164DE6A} - C:\WINDOWS\lbbho.dll (file missing)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

     

    O3 - Toolbar: SuperBar - {3DB86D62-F747-42EB-87E2-7BE3DC330A9A} - C:\Program Files\SUPERBAR\SUPERBAR.dll (file missing)

     

    O4 - HKLM\..\Run: [hpcmd] C:\WINDOWS\system32\spool\cmd.exe

    O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe

     

    O20 - AppInit_DLLs: C:\WINDOWS\system32\systqjx.dll

    O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll

     

    Close all browsers and any open windows, making sure that only HijackThis is open.

    Click Fix Checked

    Close HijackThis

     

    ----------------

     

    Using Windows Explorer (right-click your Start button and select Explore), please navigate to and delete the following FILES (if they exist):

    C:\WINDOWS\system32\spool\cmd.exe<---This file

    C:\WINDOWS\system32\ntos.exe<---This file

    C:\WINDOWS\system32\systqjx.dll<---This file

    C:\WINDOWS\system32\mszsrn32.dll<---This file

     

    ---------------

     

    The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

     

    Backup the Registry:

     

    Navigate to Start | Run and paste the following:

     

    regedit /e c:\registrybackup.reg

     

    Now click OK

    It won't appear to be doing anything, that's normal.

    Your mouse pointer may turn to an hour glass for a minute.

    Please continue when it no longer has the hour glass.

     

    -----------------

     

    Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

    ( Do not copy the word quote)

     

    REGEDIT4

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "hpcmd"=-

     

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "userinit"=-


     

    Save this as fix.reg, choosing to save as "All Files", and place it on your Desktop.

    It should look like this:

    Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

     

    ----------------

     

    NOTE: Make sure to do a reboot or Regfix will not work.

     

    ----------------

     

    After reboot run this tool here.

     

    Double click combofix.exe and follow the prompts.

     

    When it's done running it will produce a log for you. Please post that log in your next reply.

     

    Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

     

    -----------------

     

    Then come back here with the following logs.

     

    1) HijackThis log

     

    2) ComboFix log

     

     

    Gogo

    0
  • Customer

    Hi,beginner

     

    Download The Avenger Copyright © Swandog46

    You must extract avenger.exe to your desktop, before you run it.

     

    CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!

     

     

    Copy all the text contained in the code box below to your Clipboard.

    NOTE: don't copy the word quote

     

    Files to delete:

    C:\WINDOWS\system32\mszsrn32.dll


     

    The above script is for this user only, if you need help please start your own thread.

     

    Start the Avenger.

    Under "Script file to execute" choose "Input Script Manually".

    Click on the Magnifying Glass icon which will open a new window titled "View/edit script".

    Paste the entire text into this window.

    Click Done, then click on the Green Light.

    Answer "Yes" twice when prompted.

    Your computer should reboot, and briefly open a black command window on your desktop; this is normal.

     

    After the restart, it will create a log file that should open.

    This log file will be located at C:\avenger.txt

     

    Paste the contents of C:\avenger.txt into your reply along with a fresh HijackThis! log.

     

    Also: Avenger has made backups of all the files, etc., that you asked it to delete, located at C:\avenger\backup.zip.

     

     

    Gogo

    0
  • Customer

    Hello

     

    Just to let you know, I am connected to the internet on another machine and not the infected one.

     

    OK I tried the Avenger and this is what it came up with:

     

    Logfile of The Avenger version 1, by Swandog46

    Running from registry key:

    \Registry\Machine\System\CurrentControlSet\Services\kquvmvki

     

    *******************

     

    Script file located at: \??\C:\Documents and Settings\sfngdbbr.txt

    Script file opened successfully.

     

    Script file read successfully

     

    Backups directory opened successfully at C:\Avenger

     

    *******************

     

    Beginning to process script file:

     

    File C:\WINDOWS\system32\mszsrn32.dll deleted successfully.

     

    Completed script processing.

     

    *******************

     

    Finished! Terminate.

    0
  • Customer

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)

    Scan saved at 2:46:41 PM, on 4/16/2007

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    Boot mode: Normal

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    c:\FlyCam\CameraServer.exe

    C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe

    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\wwSecure.exe

    C:\Program Files\flexlm\i486_nt\obj\ptc_d.exe

    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    C:\WINDOWS\AGRSMMSG.exe

    C:\Program Files\Launch Manager\LaunchAp.exe

    C:\Program Files\Launch Manager\PowerKey.exe

    C:\Program Files\Launch Manager\HotkeyApp.exe

    C:\Program Files\Launch Manager\CtrlVol.exe

    C:\Program Files\Launch Manager\Wbutton.exe

    C:\Program Files\Multimedia Card Reader\shwicon2k.exe

    C:\WINDOWS\system32\rundll32.exe

    C:\Program Files\Hmonitor\hmonitor.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\WINDOWS\USBPad.exe

    C:\Documents and Settings\shahzad\Desktop\HiJackThis_v2.exe

     

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

    O4 - HKLM\..\Run: [LaunchApp] LaunApp

    O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

    O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe

    O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"

    O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe

    O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe

    O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

    O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe

    O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

    O4 - HKLM\..\Run: [hmonitor] C:\Program Files\Hmonitor\hmonitor.exe

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

    O4 - Global Startup: USB KeyPad.lnk = C:\WINDOWS\USBPad.exe

    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial

    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab

    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: CameraServer - Unknown owner - c:\FlyCam\CameraServer.exe

    O23 - Service: FLEXlm server for PTC - GLOBEtrotter Software Inc. - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe

    O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

    O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe

    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\omniServ.exe (file missing)

    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

     

    --

    End of file - 8979 bytes

    0
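Editor's added example (not part of the thread, and not HijackThis's own code): the log above is read by eye in the posts, but the entries that matter for persistence follow a small number of patterns, and the one the earlier fix list did not cover is the F2 line, where a second executable (ntos.exe) has been chained onto the Winlogon UserInit value so it runs at every logon before the shell. The script below applies those patterns to a handful of constructed sample lines in HijackThis format (drawn from the kinds of entries posted here, not a full log). The stock UserInit path, the Winlogon Notify allowlist and the "impersonated component name" and "spool directory" heuristics are this example's own assumptions, not authoritative lists.

```python
import re

# Constructed sample: a handful of lines in HijackThis log format, taken from
# the kinds of entries posted in this thread (not a complete log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [hpcmd] C:\WINDOWS\system32\spool\cmd.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - AppInit_DLLs: C:\WINDOWS\system32\systqjx.dll
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O23 - Service: CameraServer - Unknown owner - c:\FlyCam\CameraServer.exe
"""

# Stock Windows XP UserInit value; the path assumes a default C:\WINDOWS install.
EXPECTED_USERINIT = r"C:\WINDOWS\SYSTEM32\Userinit.exe"
# Winlogon Notify packages on a stock XP SP2 box (this example's allowlist, assumed).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Run-value names that impersonate Windows logon/system components (heuristic).
IMPERSONATED = {"userinit", "winlogon", "explorer", "svchost", "lsass", "csrss", "smss"}


def clean_userinit(value):
    """Split a UserInit value on commas and keep only the stock userinit.exe entry.

    Returns (cleaned_value, extras): extras is whatever else was chained in.
    """
    parts = [p.strip() for p in value.split(",") if p.strip()]
    extras = [p for p in parts if p.lower() != EXPECTED_USERINIT.lower()]
    return EXPECTED_USERINIT + ",", extras


def _run_target(body):
    """Pull (value_name, exe_path) out of an O4 body like '[name] "path" args'."""
    m = re.match(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)", body)
    if not m:
        return "", ""
    cmd = m.group("cmd").strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return m.group("name"), path


def triage(log_text):
    """Return a list of (severity, section, detail) findings for a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"(?P<sec>[RFO]\d+) - (?P<rest>.*)", line.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        if sec == "F2" and "UserInit=" in rest:
            # Anything chained after userinit.exe runs at every logon, before the shell.
            cleaned, extras = clean_userinit(rest.split("UserInit=", 1)[1])
            if extras:
                findings.append(("high", sec, f"extra UserInit entries {extras}; reset value to {cleaned!r}"))
        elif sec == "O4" and "Run:" in rest:
            name, path = _run_target(rest.split("Run:", 1)[1].strip())
            if "\\system32\\spool\\" in path.lower():
                findings.append(("high", sec, f"[{name}] launches from the print-spooler directory: {path}"))
            elif name.lower() in IMPERSONATED:
                findings.append(("high", sec, f"[{name}] uses a Windows component name: {path}"))
        elif sec == "O20":
            if rest.startswith("AppInit_DLLs:") and rest.split(":", 1)[1].strip():
                # AppInit_DLLs is loaded into every user32-linked process; empty on a stock XP box.
                findings.append(("high", sec, f"non-empty AppInit_DLLs: {rest}"))
            elif rest.startswith("Winlogon Notify:"):
                pkg = rest.split(":", 1)[1].split("-", 1)[0].strip()
                if pkg.lower() not in KNOWN_NOTIFY:
                    findings.append(("high", sec, f"unknown Winlogon Notify package: {rest}"))
        elif sec in ("O2", "O3") and ("(no file)" in rest or "(file missing)" in rest):
            findings.append(("low", sec, f"orphaned entry, safe to remove: {rest}"))
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print(f"{severity:4} {section:4} {detail}")
```

On the sample above this reports six findings: the chained UserInit value (with the cleaned value to put back), the orphaned BHO, the two Run entries, the AppInit_DLLs entry and the unknown Winlogon Notify package; the AVG and CameraServer lines are left alone. A fix that only deletes the O4 entries and the files leaves the F2 value in place, which is why the same line is still in the log after the files are gone.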
  • Customer

    Hi,beginner

     

    Hmm, it seems like he wants to stay; let's go after him like this.

     

    Download SDFix and save it to your Desktop.

     

    Double click SDFix.exe and it will extract the files to %systemdrive%

    (Drive that contains the Windows Directory, typically C:\SDFix)

     

    (Don't run it just yet.)

     

    -----------------

     

    Please download and save F-Secure BlackLight to your desktop.

     

    (Don't run it just yet.)

     

    -----------------

     

    Restart your computer in Safe Mode.


    1. If the computer is running, shut down Windows, and then turn off the power.


    2. Wait 30 seconds, and then turn the computer on.


    3. Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.


    4. Ensure that the Safe Mode option is selected.


    5. Press Enter. The computer then begins to start in Safe Mode.


    6. Log in on your usual account.



    If you need further assistance with Safe Mode, see To start the computer in safe mode

     

    ----------------

     

    Now let's run the tool.

     

    Open the extracted SDFix folder and double click RunThis.bat to start the script.

    Type Y to begin the cleanup process.

    It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.

    Press any Key and it will restart the PC.

    When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

    Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

    Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

     

    ------------------

     

    After reboot run this tool next before you come back here.

     

    * Double-click blbeta.exe then accept the agreement.

    * Click Scan -> Next.

    * After the scan you'll see a list of all items found. Please click Next and then Exit. Do NOT choose rename for any items yet! I need to see the log first, because legitimate items can also be present there...

    * A log will be created on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx are numbers)

    * Please post the contents of the log in your next reply.

     

    -----------------

     

    Then show me the following logs.

     

    1) HijackThis log

     

    2) SDFix log

     

    3) BlackLight log

     

     

    Gogo

    0
  • Customer

    I should have added earlier that for some reason I am unable to boot in safe mode

    0
  • Customer

    Hi,beginner

     

    OK, just run BlackLight for now and let me have a look at a log. As for Safe Mode, I am having a look at my files. Do not go into Safe Mode using the Msconfig option till we find out what's going on.

     

    Gogo

    0
  • Customer

    HJThis,

     

    blacklight log it says nothing found in the scan so I have no log

     

    BTW I tried safe mode in msconfig yesterday, what a bad idea!!

    0
  • Customer

    HJThis

     

    Thanks. I tried running safe mode using F8 just now. It allows me to select 'Safe Mode' but a black screen appears with a list of files then at the bottom it says loading sptd.sys, then loading vax347b.sys. It then restarts and boots to the same screen where I can boot windows using the last configuration option.

     

    So my pc does not boot in safe mode

    0
  • Customer

    Hey,beginner

     

    Please hold on, I am having a talk with one of the HijackThis Gods.

    I don't want to get you into Safe Mode hell without a way out,

    so please don't use Msconfig till I get a heads-up from this God.

     

    Gogo

    0
  • Customer

    HJTHis

     

    I followed the Avenger instructions and here is the log:

     

    Logfile of The Avenger version 1, by Swandog46

    Running from registry key:

    \Registry\Machine\System\CurrentControlSet\Services\qkdqqoct

     

    *******************

     

    Script file located at: \??\C:\Program Files\gjyqkmbp.txt

    Script file opened successfully.

     

    Script file read successfully

     

    Backups directory opened successfully at C:\Avenger

     

    *******************

     

    Beginning to process script file:

     

     

     

    File C:\WINDOWS\system32\ntos.exe not found!

    Deletion of file C:\WINDOWS\system32\ntos.exe failed!

     

    Could not process line:

    C:\WINDOWS\system32\ntos.exe

    Status: 0xc0000034

     

     

    Completed script processing.

     

    *******************

     

    Finished! Terminate.

    0
  • Customer

    Hey,beginner

     

    First let's do this here

     

    Download The Avenger Copyright © Swandog46

    You must extract avenger.exe to your desktop, before you run it.

     

    CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!

     

     

    Copy all the text contained in the code box below to your Clipboard.

    NOTE: don't copy the word quote

     

    Files to delete:

    C:\WINDOWS\system32\ntos.exe


     

    The above script is for this user only, if you need help please start your own thread.

     

    Start the Avenger.

    Under "Script file to execute" choose "Input Script Manually".

    Click on the Magnifying Glass icon which will open a new window titled "View/edit script".

    Paste the entire text into this window.

    Click Done, then click on the Green Light.

    Answer "Yes" twice when prompted.

    Your computer should reboot, and briefly open a black command window on your desktop; this is normal.

     

    After the restart, it will create a log file that should open.

    This log file will be located at C:\avenger.txt

     

    Paste the contents of C:\avenger.txt into your reply along with a fresh HijackThis! log.

     

    Also: Avenger has made backups of all the files, etc., that you asked it to delete, located at C:\avenger\backup.zip.

     

    ------------

     

    I would also like to have you do this for me.

     

    Click Start>Run

     

    Copy the lines in the box below, and paste it in the run box that opens:

     

    regedit /e c:\safeboot.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

    Click "OK"

     

    Double click the My Computer icon, then your C drive

     

    In there, you will see a file called safeboot.txt. Double click to open it.

     

    Copy and paste the text into a reply to this thread.

     

     

    Gogo

    0
  • Customer

    And the new HJThis Log:

     

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)

    Scan saved at 4:53:24 PM, on 4/16/2007

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    Boot mode: Normal

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    c:\FlyCam\CameraServer.exe

    C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe

    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\wwSecure.exe

    C:\Program Files\flexlm\i486_nt\obj\ptc_d.exe

    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    C:\WINDOWS\AGRSMMSG.exe

    C:\Program Files\Launch Manager\LaunchAp.exe

    C:\Program Files\Launch Manager\PowerKey.exe

    C:\Program Files\Launch Manager\HotkeyApp.exe

    C:\Program Files\Launch Manager\CtrlVol.exe

    C:\Program Files\Launch Manager\Wbutton.exe

    C:\Program Files\Multimedia Card Reader\shwicon2k.exe

    C:\WINDOWS\system32\rundll32.exe

    C:\Program Files\Hmonitor\hmonitor.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\WINDOWS\system32\notepad.exe

    C:\WINDOWS\USBPad.exe

    C:\Documents and Settings\shahzad\Desktop\HiJackThis_v2.exe

     

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

    O4 - HKLM\..\Run: [LaunchApp] LaunApp

    O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

    O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe

    O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"

    O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe

    O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe

    O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

    O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe

    O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

    O4 - HKLM\..\Run: [hmonitor] C:\Program Files\Hmonitor\hmonitor.exe

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

    O4 - Global Startup: USB KeyPad.lnk = C:\WINDOWS\USBPad.exe

    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial

    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab

    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: CameraServer - Unknown owner - c:\FlyCam\CameraServer.exe

    O23 - Service: FLEXlm server for PTC - GLOBEtrotter Software Inc. - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe

    O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

    O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe

    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\omniServ.exe (file missing)

    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

     

    --

    End of file - 9012 bytes

    0
  • Customer

    And finally,

     

    Windows Registry Editor Version 5.00

     

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot]

     

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Minimal]

     

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Network]

     

     

    Thanks

    0
  • Customer

    Hi,beginner

     

    First, when you ran the Avenger fix, you did not add the word quote, did you?

    If so, it will not work, so make sure. I am looking at the other logfile now.

     

    Gogo

    0
  • Customer

    Hey,beginner

     

    Sorry, I had my head in something else. Give this tool a try.

     

    Download Killbox.

    Click killbox.exe.

    Select the option "Delete on reboot".

    Click the button: All Files (!important!)

    Now it should flash green.

     

    Now copy the next bold part:

     

    C:\WINDOWS\system32\ntos.exe

     

    Open 'file' in the killboxmenu on top and choose Paste from clipboard

     

    Then press the button that looks like a red circle with a white X in it.

    Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES

    If you don't get that message, reboot manually.

     

    Your computer should reboot now.

     

    Gogo

    0
  • Customer

    Hey,beginner

     

    One of the Gods here let me know you did not post the ComboFix log as asked.

    I should have picked up on that, my bad. If you could please run and post it for

    me, it will be a big help to get you out of here.

     

    Gogo

    0
  • Customer

    Hi

     

    I tried avenger again and the same thing happened

    0
  • Customer

    Hi

     

    When I tried Killbox I got this message:

     

    PendingFileRenameOperations Registry Data has been removed by External Process!

     

    I will try the ComboFix now, won't be a minute

    0
  • Customer

    COMBOFIX LOG:

     

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

     

     

    C:\WINDOWS\system32\tmp_t47.exe

    C:\WINDOWS\system32\svcp.csv

    C:\WINDOWS\system32\vbzip11.dll

    C:\WINDOWS\system32\winsub.xml

     

     

    ((((((((((((((((((((((((((((((( Files Created from 2007-03-16 to 2007-04-16 ))))))))))))))))))))))))))))))))))

     

     

    2007-04-16 17:14 <DIR> d-------- C:\avenger

    2007-04-16 01:20 <DIR> d-------- C:\!KillBox

    2007-04-15 00:16 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys

    2007-04-15 00:16 2 -rahs---- C:\WINDOWS\winstart.bat

    2007-04-15 00:15 <DIR> d-------- C:\Program Files\Greatis

    2007-04-14 21:51 97,040 --a------ C:\WINDOWS\system32\zup.exe.exe

    2007-04-14 21:51 91,920 --a------ C:\WINDOWS\system32\3ti.exe.exe

    2007-04-14 21:51 40,720 --a------ C:\WINDOWS\system32\pdp.exe.exe

    2007-04-14 21:51 <DIR> d--hs---- C:\WINDOWS\system32\wsnpoem

    2007-04-12 21:19 <DIR> d-------- C:\Program Files\Sage Payroll

    2007-04-11 20:12 1,060,864 --a------ C:\WINDOWS\system32\cdintf210.dll

    2007-04-11 20:10 86,016 --a------ C:\WINDOWS\system32\SageBankPayments.dll

    2007-04-11 20:10 86,016 --------- C:\WINDOWS\system32\SageNatWestBankline.dll

    2007-04-11 20:10 81,920 --a------ C:\WINDOWS\system32\sageebanking.dll

    2007-04-11 20:10 81,920 --------- C:\WINDOWS\system32\SageNatWestOnline.dll

    2007-04-11 20:10 81,920 --------- C:\WINDOWS\system32\SageBarclaysOnline.dll

    2007-04-11 20:10 81,920 --------- C:\WINDOWS\system32\SageBarclaysBusinessMasterII.dll

    2007-04-11 20:10 69,632 --a------ C:\WINDOWS\system32\SageBankBalances.dll

    2007-04-11 20:10 61,440 --a------ C:\WINDOWS\system32\BankServiceUtilities.dll

    2007-04-11 20:10 192,512 --a------ C:\WINDOWS\system32\SageBankReconciliation.dll

    2007-04-11 20:10 <DIR> d-------- C:\Program Files\Sage EBanking

    2007-04-11 20:09 322,832 --------- C:\WINDOWS\system32\MFC30.DLL

    2007-04-11 20:09 303,104 --------- C:\WINDOWS\system32\S12DBC32.dll

    2007-04-11 20:05 <DIR> d-------- C:\Program Files\Common Files\Sage Line50

    2007-04-11 20:04 <DIR> d-------- C:\Program Files\Common Files\Sage SBD

    2007-04-11 20:03 <DIR> d-------- C:\Program Files\Sage

    2007-04-03 20:45 140,416 -ra------ C:\WINDOWS\system32\drivers\rt2500usb.sys

    2007-04-02 21:49 <DIR> d-------- C:\Program Files\Power Software

    2007-03-26 00:54 162,304 --------- C:\UNWISE.EXE

    2007-03-23 01:19 <DIR> d-------- C:\Program Files\PocketFMS

    2007-03-17 23:35 <DIR> d-------- C:\Program Files\ifs Competence Development Tool

    2007-03-16 16:13 <DIR> d-------- C:\Program Files\AccessData

     

     

    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

     

     

    2007-04-16 17:13 2305280 --a------ C:\blockstrain.dat

    2007-04-16 17:12 12 --a------ C:\WINDOWS\bthservsdp.dat

    2007-03-17 18:31 724992 --a------ C:\WINDOWS\iun6002.exe

    2007-03-13 22:52 -------- d-------- C:\Program Files\puppetmaster

    2007-03-13 17:08 -------- d-------- C:\Program Files\brother

    2007-03-08 15:02 -------- d-------- C:\Program Files\blaze media pro

    2007-03-06 21:25 -------- d-------- C:\Program Files\microsoft works

    2007-03-06 21:24 -------- d-------- C:\Program Files\msbuild

    2007-03-06 21:19 -------- d-------- C:\Program Files\microsoft.net

    2007-03-06 21:05 -------- d-------- C:\Program Files\microsoft visual studio 8

    2007-03-05 16:30 74752 --a------ C:\WINDOWS\st6unst.exe

    2007-03-05 16:30 253952 --------- C:\WINDOWS\setup1.exe

    2007-02-28 15:32 20992 --a------ C:\WINDOWS\jestertb.dll

    2007-02-18 21:01 -------- d-------- C:\Program Files\quark

    2007-02-08 15:49 668672 --a------ C:\WINDOWS\system32\adjmmseng.dll

    2007-01-25 13:46 1077248 --a------ C:\WINDOWS\system32\nmsdvdx.dll

    2007-01-25 13:45 1101824 --a------ C:\WINDOWS\system32\nmsdvdxu.dll

    2007-01-25 08:52 65536 --a------ C:\WINDOWS\system32\nmsaccess.exe

    2007-01-22 21:56 733696 --a------ C:\WINDOWS\gpinstall.exe

    2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll

     

     

    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

     

     

    *Note* empty entries & legit default entries are not shown

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

    {AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

     

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

    "LaunchApp"="LaunApp"

    "SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"

    "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

    "AGRSMMSG"="AGRSMMSG.exe"

    "LaunchAp"="C:\\Program Files\\Launch Manager\\LaunchAp.exe"

    "PowerKey"="\"C:\\Program Files\\Launch Manager\\PowerKey.exe\""

    "HotkeyApp"="C:\\Program Files\\Launch Manager\\HotkeyApp.exe"

    "CtrlVol"="C:\\Program Files\\Launch Manager\\CtrlVol.exe"

    "Wbutton"="\"C:\\Program Files\\Launch Manager\\Wbutton.exe\""

    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

    "Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"

    "BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"

    "hmonitor"="C:\\Program Files\\Hmonitor\\hmonitor.exe"

    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe"

    @=""

     

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

    "NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""

    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

     

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    "userinit"="C:\\WINDOWS\\system32\\ntos.exe"

     

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

    "{F552DDE6-2090-4bf4-B924-6141E87789A5}"="RegRun Script Checker Shell Hook DLL"

    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

     

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

     

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

    Authentication Packages REG_MULTI_SZ msv1_0\

    Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\

    Notification Packages REG_MULTI_SZ scecli\

     

    SafeBoot registry key needs to be repaired. This machine cannot enter Safe Mode.

     

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

    LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\

    NetworkService REG_MULTI_SZ DnsCache\

    rpcss REG_MULTI_SZ RpcSs\

    imgsvc REG_MULTI_SZ StiSvc\

    termsvcs REG_MULTI_SZ TermService\

    HTTPFilter REG_MULTI_SZ HTTPFilter\

    DcomLaunch REG_MULTI_SZ DcomLaunchTermService\

    bthsvcs REG_MULTI_SZ BthServ\

    WudfServiceGroup REG_MULTI_SZ WUDFSvc\

     

     

    ********************************************************************

     

    catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006

    http://www.gmer.net

     

    scanning hidden processes ...

     

    scanning hidden services ...

     

    scanning hidden autostart entries ...

     

    scanning hidden files ...

     

    scan completed successfully

    hidden processes: 0

    hidden services: 0

    hidden files: 0

     

    ********************************************************************

     

    Completion time: 07-04-16 18:32:55

    C:\ComboFix-quarantined-files.txt ... 07-04-16 18:32

    0
  • Customer

    Also the quarantine file:

     

    03-01-26 15:48	  147456	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\vbzip11.dll.vir
    07-04-14 21:51 141 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\svcp.csv.vir
    07-04-14 21:51 4 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\winsub.xml.vir
    07-04-14 21:52 8654 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp_t47.exe.vir


    Folder PATH listing for volume xxxx
    Volume serial number is xxxx
    C:\QOOBOX
    \---Quarantine
    +---Registry_backups
    \---C
    \---WINDOWS
    \---system32
    tmp_t47.exe.vir
    svcp.csv.vir
    vbzip11.dll.vir
    winsub.xml.vir


    0
  • Customer

    Thanks. Here is the avenger log again:

     

    Logfile of The Avenger version 1, by Swandog46

    Running from registry key:

    \Registry\Machine\System\CurrentControlSet\Services\mlclfnli

     

    *******************

     

    Script file located at: \??\C:\WINDOWS\dguehvtk.txt

    Script file opened successfully.

     

    Script file read successfully

     

    Backups directory opened successfully at C:\Avenger

     

    *******************

     

    Beginning to process script file:

     

    File C:\WINDOWS\system32\zup.exe.exe deleted successfully.

    File C:\WINDOWS\system32\3ti.exe.exe deleted successfully.

    File C:\WINDOWS\system32\pdp.exe.exe deleted successfully.

     

     

    Error: C:\WINDOWS\system32\wsnpoem is a folder, not a file!

    Deletion of file C:\WINDOWS\system32\wsnpoem failed!

     

    Could not process line:

    C:\WINDOWS\system32\wsnpoem

    Status: 0xc00000ba

     

    File C:\UNWISE.EXE deleted successfully.

    File C:\WINDOWS\gpinstall.exe deleted successfully.

     

     

    File Registry keys to delete not found!

    Deletion of file Registry keys to delete failed!

     

    Could not process line:

    Registry keys to delete

    Status: 0xc0000034

     

     

     

    Could not open file [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] for deletion

    Deletion of file [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] failed!

     

    Could not process line:

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

    Status: 0xc000003a

     

     

     

    File userinit"=- not found!

    Deletion of file userinit"=- failed!

     

    Could not process line:

    userinit"=-

    Status: 0xc0000034

     

     

    Completed script processing.

     

    *******************

     

    Finished! Terminate.

    0
  • Customer

    Hey,beginner

     

    Nice work. Now it looks like my cable is trying to kill me again; if it seems like I logged off,

    just give me about 5 or 10 mins and I should be back.

     

    Next

     

    This here should fix the problem with Safe Mode, but do not go there yet.

     

    Download and run AVZ

     

    Download avz4en.zip here

     

    Unzip it to a folder on your desktop

     

    Double click on AVZ.exe

     

    Click on the file tab and then click on System recovery

     

    Put a checkmark next to Restore SafeBoot registry keys

     

    Click on Execute selected operations

     

    ---------------

     

    Download The Avenger Copyright © Swandog46

    You must extract avenger.exe to your desktop, before you run it.

     

    CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!

     

     

    Copy all the text contained in the code box below to your Clipboard.

    NOTE: don't copy the word quote

     

    Files to delete:

    C:\WINDOWS\system32\zup.exe.exe

    C:\WINDOWS\system32\3ti.exe.exe

    C:\WINDOWS\system32\pdp.exe.exe

    C:\WINDOWS\system32\wsnpoem

    C:\UNWISE.EXE

    C:\WINDOWS\gpinstall.exe

     

    Registry keys to delete

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

    "userinit"=-


     

    The above script is for this user only, if you need help please start your own thread.

     

    Start the Avenger.

    Under "Script file to execute" choose "Input Script Manually".

    Click on the Magnifying Glass icon which will open a new window titled "View/edit script".

    Paste the entire text into this window.

    Click done, now click on the Green Light

    Answer "Yes" twice when prompted.

    Your computer should reboot, and briefly open a black command window on your desktop; this is normal.

     

    After the restart, it will create a log file that should open.

    This log file will be located at C:\avenger.txt

     

    Paste the contents of C:\avenger.txt into your reply along with a fresh HijackThis! log.

     

    Also: Avenger has made backups of all the files, etc., that you asked it to delete, located at C:\avenger\backup.zip.

     

    -------------

     

    Then come back here with a new HijackThis logfile and avenger.txt

     

    Gogo

    0
  • Customer

    Hey,beginner

     

    Sorry, my bad, I should have seen what I did wrong there.

     

    --------------

     

    The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

     

    Backup the Registry:

     

    Navigate to Start | Run and paste the following:

     

    regedit /e c:\registrybackup.reg

     

    Now click OK

    It won't appear to be doing anything, that's normal.

    Your mouse pointer may turn to an hour glass for a minute.

    Please continue when it no longer has the hour glass.

     

    ---------------

     

    Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

    ( Do not copy the word quote)

     

    REGEDIT4

     

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

    "userinit"=-


     

     

    Save this as fix.reg. Choose to save as type "All Files" and place it on your Desktop.

    It should look like this:

    Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

     

    --------------

     

    CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!

     

     

    Copy all the text contained in the code box below to your Clipboard.

    NOTE: don't copy the word quote

     

    Folders to delete:

    C:\WINDOWS\system32\wsnpoem


     

    The above script is for this user only, if you need help please start your own thread.

     

    Start the Avenger.

    Under "Script file to execute" choose "Input Script Manually".

    Click on the Magnifying Glass icon which will open a new window titled "View/edit script".

    Paste the entire text into this window.

    Click done, now click on the Green Light

    Answer "Yes" twice when prompted.

    Your computer should reboot, and briefly open a black command window on your desktop; this is normal.

     

    After the restart, it will create a log file that should open.

    This log file will be located at C:\avenger.txt

     

    Paste the contents of C:\avenger.txt into your reply along with a fresh HijackThis! log.

     

    Also: Avenger has made backups of all the files, etc., that you asked it to delete, located at C:\avenger\backup.zip.

     

    -------------

     

    And once again let's see if this will get you out of here.

     

    Gogo

    0
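The post above merges a .reg file whose only effect is to delete one value, and it warns twice that the file must begin with REGEDIT4. Before double-clicking any fix file it is worth knowing exactly what regedit will do with it. The script below is an added example, not code from this thread, from regedit or from any of the tools mentioned: it parses the .reg syntax used here and lists the resulting actions ("[KEY]" selects a key, "[-KEY]" deletes it, "name"=- deletes a value, "name"="text" sets a string, @ is the (Default) value) and refuses a file with no header, which is what regedit does too. The first sample is the fix from the post; the second is a constructed companion fix of my own, because the HijackThis logs in this thread still show ntos.exe chained after Userinit.exe in the F2 line, which is the Winlogon Userinit value and is not touched by the fix above. The stock Windows XP content of that value, and the C:\WINDOWS install path, are assumptions stated in the code.

```python
"""Dry-run a .reg fix and list what merging it would do.

Added example, not code from this thread or from regedit.  Multi-line hex
data (lines continued with a trailing backslash) is out of scope and is
reported as malformed.
"""
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_LINE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<at>@))=(?P<data>.*)$')

# The fix posted above: it deletes a single value under the Default user's Run key.
FIX_REG = r"""
REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"userinit"=-
"""

# Constructed companion fix (assumption, not from the thread): set the Winlogon
# Userinit value back to its stock Windows XP content, which drops anything
# chained after userinit.exe.  Assumes Windows is installed in C:\WINDOWS.
USERINIT_RESTORE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""


def _unescape(s):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes a quote."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Return the actions regedit would perform when merging `text`.

    Each action is a tuple:
      ("delete_key", key)
      ("delete_value", key, name)
      ("set_value", key, name, data)   # name == "" means the (Default) value
    Raises ValueError when the header is missing or a line is not understood.
    """
    body = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not body or body[0] not in HEADERS:
        raise ValueError("missing REGEDIT4 / Windows Registry Editor header")
    actions, key = [], None
    for ln in body[1:]:
        if ln.startswith(";"):          # comment line
            continue
        m = KEY_LINE.match(ln)
        if m:
            key = m.group("key")
            if m.group("delete"):
                actions.append(("delete_key", key))
                key = None              # no values may follow a deleted key
            continue
        m = VALUE_LINE.match(ln)
        if not m or key is None:
            raise ValueError("unexpected line: %r" % ln)
        name = "" if m.group("at") else _unescape(m.group("name"))
        data = m.group("data")
        if data == "-":
            actions.append(("delete_value", key, name))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            actions.append(("set_value", key, name, _unescape(data[1:-1])))
        else:
            actions.append(("set_value", key, name, data))  # dword:/hex: kept verbatim
    return actions


def is_valid_reg(text):
    """True when regedit would accept the file at all."""
    try:
        parse_reg(text)
        return True
    except ValueError:
        return False


def describe(actions):
    """Plain-English lines for a list of actions."""
    out = []
    for act in actions:
        name = (act[2] if len(act) > 2 else "") or "(Default)"
        if act[0] == "delete_key":
            out.append("delete key %s" % act[1])
        elif act[0] == "delete_value":
            out.append("delete value %s under %s" % (name, act[1]))
        else:
            out.append("set value %s under %s to %r" % (name, act[1], act[3]))
    return out


if __name__ == "__main__":
    for sample in (FIX_REG, USERINIT_RESTORE_REG):
        for line in describe(parse_reg(sample)):
            print(line)
```

Run it on a fix file before merging; a file that lists more than the one or two actions you expected, or that is rejected for a missing header, should not be double-clicked.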
  • Customer

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)

    Scan saved at 19:24, on 07-04-16

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    Boot mode: Normal

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    c:\FlyCam\CameraServer.exe

    C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe

    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\wwSecure.exe

    C:\Program Files\flexlm\i486_nt\obj\ptc_d.exe

    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    C:\WINDOWS\AGRSMMSG.exe

    C:\Program Files\Launch Manager\LaunchAp.exe

    C:\Program Files\Launch Manager\PowerKey.exe

    C:\Program Files\Launch Manager\HotkeyApp.exe

    C:\Program Files\Launch Manager\CtrlVol.exe

    C:\Program Files\Launch Manager\Wbutton.exe

    C:\Program Files\Multimedia Card Reader\shwicon2k.exe

    C:\WINDOWS\system32\rundll32.exe

    C:\Program Files\Hmonitor\hmonitor.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\WINDOWS\USBPad.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Documents and Settings\shahzad\Desktop\HiJackThis_v2.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

    O4 - HKLM\..\Run: [LaunchApp] LaunApp

    O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

    O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe

    O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"

    O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe

    O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe

    O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

    O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe

    O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

    O4 - HKLM\..\Run: [hmonitor] C:\Program Files\Hmonitor\hmonitor.exe

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

    O4 - Global Startup: USB KeyPad.lnk = C:\WINDOWS\USBPad.exe

    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial

    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab

    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: CameraServer - Unknown owner - c:\FlyCam\CameraServer.exe

    O23 - Service: FLEXlm server for PTC - GLOBEtrotter Software Inc. - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe

    O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

    O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe

    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\omniServ.exe (file missing)

    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

     

    --

    End of file - 8881 bytes

    0
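The log above was taken after the Run value and the wsnpoem folder were removed, yet its F2 line still reads UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe, so ntos.exe would be started by winlogon at every logon as long as the file exists. That is the kind of detail that is easy to miss in a long HijackThis log. The script below is an added example, not code from this thread or from HijackThis: it reads the F2, O4 and O23 lines of a v2 log and reports what a reviewer would check first: any program chained after the stock userinit.exe, Run entries given as a bare file name (resolved by PATH search, so the file that actually runs has to be confirmed), and services whose binary is missing or carries no vendor information. The sample lines are constructed from the log above, the stock userinit.exe path and the small set of bare names Windows installs itself are assumptions stated in the code, and an "Unknown owner" or "file missing" finding only means "look at this", not "malware".

```python
"""Triage the loading points in a HijackThis v2 log.

Added example, not code from this thread or from HijackThis.
"""
import re

# Assumption: stock Windows XP Userinit entry, lower-cased for comparison.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

# Assumption: path-less Run commands that a stock Windows install creates.
KNOWN_BARE = {"rundll32.exe"}

F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")

# Constructed sample, modelled on lines from the log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O23 - Service: CameraServer - Unknown owner - c:\FlyCam\CameraServer.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\omniServ.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


def userinit_entries(value):
    """Split a UserInit value ('a.exe,b.exe,') into its non-empty entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def userinit_extras(value):
    """Entries of a UserInit value other than the stock userinit.exe."""
    return [e for e in userinit_entries(value) if e.lower() != STOCK_USERINIT]


def run_executable(cmd):
    """First token of a Run command, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Return (line_type, reason, detail) findings for a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_USERINIT.match(line)
        if m:
            for extra in userinit_extras(m.group("value")):
                findings.append(("F2", "program chained after userinit.exe", extra))
            continue
        m = O23_SERVICE.match(line)
        if m:
            if m.group("path").endswith("(file missing)"):
                findings.append(("O23", "service binary missing (orphaned entry)", m.group("display")))
            elif m.group("vendor") == "Unknown owner":
                findings.append(("O23", "service binary has no vendor information; verify it", m.group("display")))
            continue
        m = O4_RUN.match(line)
        if m:
            exe = run_executable(m.group("cmd"))
            if "\\" not in exe and exe.lower() not in KNOWN_BARE:
                findings.append(("O4", "bare file name resolved by PATH search; confirm which file runs",
                                 "[%s] %s" % (m.group("name"), exe)))
    return findings


if __name__ == "__main__":
    for kind, reason, detail in triage(SAMPLE_LOG):
        print("%-4s %-65s %s" % (kind, reason, detail))
```

On the sample it reports ntos.exe from the F2 line, the path-less LaunApp entry, the CameraServer service with no vendor string and the orphaned omniserv service entry, and nothing for the AVG, Bluetooth or ctfmon lines.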
  • Customer

    AVENGER LOG:

     

    Logfile of The Avenger version 1, by Swandog46

    Running from registry key:

    \Registry\Machine\System\CurrentControlSet\Services\kjwosmsm

     

    *******************

     

    Script file located at: \??\C:\WINDOWS\jnjjgtnk.txt

    Script file opened successfully.

     

    Script file read successfully

     

    Backups directory opened successfully at C:\Avenger

     

    *******************

     

    Beginning to process script file:

     

    Folder C:\WINDOWS\system32\wsnpoem deleted successfully.

     

    Completed script processing.

     

    *******************

     

    Finished! Terminate.

    0
  • Customer

    IGNORE THIS, posting the new log

    0
  • Customer

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)

    Scan saved at 20:00, on 07-04-16

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    Boot mode: Normal

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    c:\FlyCam\CameraServer.exe

    C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe

    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\wwSecure.exe

    C:\Program Files\flexlm\i486_nt\obj\ptc_d.exe

    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    C:\WINDOWS\AGRSMMSG.exe

    C:\Program Files\Launch Manager\LaunchAp.exe

    C:\Program Files\Launch Manager\PowerKey.exe

    C:\Program Files\Launch Manager\HotkeyApp.exe

    C:\Program Files\Launch Manager\CtrlVol.exe

    C:\Program Files\Launch Manager\Wbutton.exe

    C:\Program Files\Multimedia Card Reader\shwicon2k.exe

    C:\WINDOWS\system32\rundll32.exe

    C:\Program Files\Hmonitor\hmonitor.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\WINDOWS\USBPad.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Documents and Settings\shahzad\Desktop\HiJackThis_v2.exe

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

    O4 - HKLM\..\Run: [LaunchApp] LaunApp

    O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

    O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe

    O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"

    O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe

    O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe

    O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

    O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe

    O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

    O4 - HKLM\..\Run: [hmonitor] C:\Program Files\Hmonitor\hmonitor.exe

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

    O4 - Global Startup: USB KeyPad.lnk = C:\WINDOWS\USBPad.exe

    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial

    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab

    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: CameraServer - Unknown owner - c:\FlyCam\CameraServer.exe

    O23 - Service: FLEXlm server for PTC - GLOBEtrotter Software Inc. - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe

    O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

    O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe

    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\omniServ.exe (file missing)

    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

    --

    End of file - 8881 bytes

    0