Disinfecting a PC… part 4



So, AVG has been scanning away finding things we’ve really got a foothold on the system and the malware has a fight on it’s hands. It’s good to see progress. Up to this point we’ve had multiple Spool32 errors (printer related). These errors are what prompted the system to be brought in initially. There’s a lexmark system tray item that loads on boot. No time to investigate that yet. Here’s the log of the AVG antivirus scan…


“Partition table (MBR)”,”ok”,”Quick checked”
“Boot sector of disk C:”,”ok”,”Quick checked”
“System registry SoftwareMicrosoftWindows NTCurrentVersionWindowsLoad”,”",”Scanned”
“System registry SoftwareMicrosoftWindows NTCurrentVersionWindowsRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnceEx”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServices”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServicesOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnceEx”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServices”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServicesOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionWinlogonUserinit”,”",”Scanned”
“System registry SOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell”,”",”Scanned”
“System registry exefileshellopencommand”,”",”Scanned”
“System registry scrfileshellopencommand”,”",”Scanned”
“System registry scrfileshellconfigcommand”,”",”Scanned”
“System registry batfileshellopencommand”,”",”Scanned”
“System registry cmdfileshellopencommand”,”",”Scanned”
“System registry comfileshellopencommand”,”",”Scanned”
“System registry piffileshellopencommand”,”",”Scanned”
“System registry giffileshellopencommand”,”",”Scanned”
“System registry htmlfileshellopencommand”,”",”Scanned”
“System registry htafileshellopencommand”,”",”Scanned”
“System registry jpegfileshellopencommand”,”",”Scanned”
“System registry txtfileshellopencommand”,”",”Scanned”
“System registry regfileshellopencommand”,”",”Scanned”
“System registry cplfileshellcplopencommand”,”",”Scanned”
“System registry Word.Document.8shellopencommand”,”",”Scanned”
“System registry WordPad.Document.1shellopencommand”,”",”Scanned”
“C:PROGRAM FILESREALREALJUKEBOXtsystray.exe”,”ok”,”Quick checked”
“C:PROGRA~1ACCESS~1WORDPAD.EXE”,”ok”,”Quick checked”
“C:PROGRA~1BMCENT~1BMLauncher.exe”,”ok”,”Quick checked”
“C:PROGRA~1ESOFTEBOARDeBoard.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgamsvr.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgcc.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgemc.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgw.exe”,”ok”,”Quick checked”
“C:PROGRA~1INTERN~1IEXPLORE.EXE”,”ok”,”Quick checked”
“C:PROGRA~1MESSEN~1msmsgs.exe”,”ok”,”Quick checked”
“C:PROGRA~1ezulammod.exe”,”ok”,”Quick checked”
“C:Program FilesCommon Filesslmssslmss.exe”,”Trojan horse SecThought.B”,”Infected”
“C:Program FilesCommon filesupdaterwupdater.exe”,”Trojan horse Downloader.Keenval.J”,”Infected”
“C:Program FilesInternet Optimizeroptimize.exe”,”Trojan horse Downloader.Dyfica.2.AC”,”Infected”
“C:Program FilesMicrosoft MoneySystemMoney Express.exe”,”ok”,”Quick checked”
“C:Program FilesMicrosoft OfficeOfficeWINWORD.EXE”,”ok”,”Quick checked”
“C:Program FilesRealRealPlayerrealplay.exe”,”ok”,”Quick checked”
“C:Progra~1ClearSearchLoader.exe”,”Trojan horse BackDoor.Ruledor.D”,”Infected”
“C:WINDOWSLOADQM.EXE”,”ok”,”Quick checked”
“C:WINDOWSNOTEPAD.EXE”,”ok”,”Quick checked”
“C:WINDOWSPCHealthSupportPCHSCHD.EXE”,”ok”,”Quick checked”
“C:WINDOWSREGEDIT.EXE”,”ok”,”Quick checked”
“C:WINDOWSRUNDLL32.EXE”,”ok”,”Quick checked”
“C:WINDOWSSCANREGW.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMLEXSTART.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMMSHTA.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMMSTASK.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMPRINTRAY.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSHELL32.DLL”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSHIMGVW.DLL”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSSDPSRV.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSYSTRAY.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMpecxlc.exe”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMstcloader.exe”,”ok”,”Quick checked”
“C:WINDOWSSystemRestoreSTATEMGR.EXE”,”ok”,”Quick checked”
“C:WINDOWSTASKMON.EXE”,”ok”,”Quick checked”
“C:WINDOWSgoidr.exe”,”ok”,”Quick checked”
“C:WINDOWSmwsvm.exe”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMkernel32.dll”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMwsock32.dll”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMuser32.dll”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMshell32.dll”,”ok”,”Quick checked”
“C:WINDOWSTemporary Internet FilesContent.IE594LN9FJFHyperLinker[1].cab:HyperLinker.exe”,”Trojan horse BackDoor.Small.14.AM”,”Infected, Embedded object”
“C:WINDOWSTemporary Internet FilesContent.IE594LN9FJFHyperLinker[1].cab”,”Trojan horse BackDoor.Small.14.AM”,”Infected, Archive”
“System registry SoftwareMicrosoftWindows NTCurrentVersionWindowsLoad”,”",”Scanned”
“System registry SoftwareMicrosoftWindows NTCurrentVersionWindowsRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnceEx”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServices”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServicesOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnceEx”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServices”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServicesOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionWinlogonUserinit”,”",”Scanned”
“System registry SOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell”,”",”Scanned”
“System registry exefileshellopencommand”,”",”Scanned”
“System registry scrfileshellopencommand”,”",”Scanned”
“System registry scrfileshellconfigcommand”,”",”Scanned”
“System registry batfileshellopencommand”,”",”Scanned”
“System registry cmdfileshellopencommand”,”",”Scanned”
“System registry comfileshellopencommand”,”",”Scanned”
“System registry piffileshellopencommand”,”",”Scanned”
“System registry giffileshellopencommand”,”",”Scanned”
“System registry htmlfileshellopencommand”,”",”Scanned”
“System registry htafileshellopencommand”,”",”Scanned”
“System registry jpegfileshellopencommand”,”",”Scanned”
“System registry txtfileshellopencommand”,”",”Scanned”
“System registry regfileshellopencommand”,”",”Scanned”
“System registry cplfileshellcplopencommand”,”",”Scanned”
“System registry Word.Document.8shellopencommand”,”",”Scanned”
“System registry WordPad.Document.1shellopencommand”,”",”Scanned”
“C:PROGRAM FILESREALREALJUKEBOXtsystray.exe”,”ok”,”Quick checked”
“C:PROGRA~1ACCESS~1WORDPAD.EXE”,”ok”,”Quick checked”
“C:PROGRA~1BMCENT~1BMLauncher.exe”,”ok”,”Quick checked”
“C:PROGRA~1ESOFTEBOARDeBoard.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgamsvr.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgcc.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgemc.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgw.exe”,”ok”,”Quick checked”
“C:PROGRA~1INTERN~1IEXPLORE.EXE”,”ok”,”Quick checked”
“C:PROGRA~1MESSEN~1msmsgs.exe”,”ok”,”Quick checked”
“C:PROGRA~1ezulammod.exe”,”ok”,”Quick checked”
“C:Program FilesMicrosoft MoneySystemMoney Express.exe”,”ok”,”Quick checked”
“C:Program FilesMicrosoft OfficeOfficeWINWORD.EXE”,”ok”,”Quick checked”
“C:Program FilesRealRealPlayerrealplay.exe”,”ok”,”Quick checked”
“C:WINDOWSLOADQM.EXE”,”ok”,”Quick checked”
“C:WINDOWSNOTEPAD.EXE”,”ok”,”Quick checked”
“C:WINDOWSPCHealthSupportPCHSCHD.EXE”,”ok”,”Quick checked”
“C:WINDOWSREGEDIT.EXE”,”ok”,”Quick checked”
“C:WINDOWSRUNDLL32.EXE”,”ok”,”Quick checked”
“C:WINDOWSSCANREGW.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMLEXSTART.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMMSHTA.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMMSTASK.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMPRINTRAY.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSHELL32.DLL”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSHIMGVW.DLL”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSSDPSRV.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSYSTRAY.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMpecxlc.exe”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMstcloader.exe”,”ok”,”Quick checked”
“C:WINDOWSSystemRestoreSTATEMGR.EXE”,”ok”,”Quick checked”
“C:WINDOWSTASKMON.EXE”,”ok”,”Quick checked”
“C:WINDOWSgoidr.exe”,”ok”,”Quick checked”
“C:WINDOWSmwsvm.exe”,”ok”,”Quick checked”
“C:updaterInstall_112.exe”,”",”Deleted”
“C:WINDOWSwsem300.dll”,”",”Deleted”
“C:WINDOWSaqadcup.exe”,”",”Deleted”
“C:WINDOWSGuqvqmm.exe”,”",”Deleted”
“C:WINDOWSXecrtyr.exe”,”",”Deleted”
“C:WINDOWSHyperLinker.exe”,”",”Deleted”
“C:WINDOWSHelper100.dll”,”",”Deleted”
“C:WINDOWSSYSTEM2ndsrch.dll”,”",”Deleted”
“C:WINDOWSSYSTEMATPartners.dll”,”",”Deleted”
“C:WINDOWSSYSTEMistinstall_adlogix.exe”,”",”Deleted”
“C:WINDOWSSYSTEMin10b6s.dll”,”",”Deleted”
“C:WINDOWSSYSTEMcdsm32.dll”,”",”Deleted”
“C:WINDOWSTEMPfEGhYef.exe”,”",”Deleted”
“C:WINDOWSTEMPoptimize.exe”,”",”Deleted”
“C:WINDOWSTEMPbdl14173.exe”,”",”Deleted”
“C:WINDOWSbundlesTvm_b5_269.exe”,”",”Deleted”
“C:WINDOWSbundles32wu54rd.exe”,”",”Deleted”
“C:WINDOWSbundlesSSK_B5.EXE”,”",”Deleted”
“C:WINDOWSbundlesshopinst.exe”,”",”Deleted”
“C:WINDOWSbundlessaie1101.exe”,”",”Deleted”
“C:WINDOWSbundlesHelperInstaller.exe”,”",”Deleted”
“C:Program FilesCommon FilesSlmssslmss.exe”,”",”Deleted”
“C:Program FilesCommon Filesupdaterdelupdat.exe”,”",”Deleted”
“C:Program FilesCommon Filesupdaterwupdater.exe”,”",”Deleted”
“C:Program FilesCommon Filesupdatersui.exe”,”",”Deleted”
“C:Program FilesWindows Media PlayerWMPLAYER.EXE”,”",”Deleted”
“C:Program FilesDiallerProgram11145.exe”,”",”Deleted”
“C:Program FilesSTCslmss.exe”,”",”Deleted”
“C:Program FilesSTCCSV5P070.exe”,”",”Deleted”
“C:Program FilesSTCs_win32.exe”,”",”Deleted”
“C:Program FilesClearSearchLoader.exe”,”",”Deleted”
“C:Program FilesInternet Optimizeroptimize.exe”,”",”Deleted”
“C:Program FilesInternet Optimizerinstall.exe”,”",”Deleted”
“C:Program FilesInternet Optimizerupdateinstall.exe”,”",”Deleted”
“C:Program FilesIncrediFindBHOIncFindBHO.dll”,”",”Deleted”

35 items deleted, 5 others identified as virus, quarantined, the archive is not movable at this time. (Manually delete later.) Details on the bugs in the next entry.

Related Posts

Blog Traffic Exchange Related Posts
  • Zero-day ( 0-day) Microsoft Word exploit There was some news on this last night at Incidents.org, today F-secure has some details as well on the trojan that's dropped in this circulating, exploit. It seems as though the initial attack was very targetted against a specific organization. Antivirus packages did not recognize the trojan that the exploit......
  • Windows Vista? OK, I'm just seeing the news that Microsoft has announced the name for the next version of Windows which has gone under the working name of Longhorn. It's going to be Windows Vista That may take some getting used to. I guess it's better than Windows View? There are some......
  • How to Remove Antivirus 360 This should not be confused with Norton 360 which is a legitimate antivirus program (although if you need help removing Norton 360 to reinstall it or another antivirus program you may want to visit my antivirus removal tool list.) What we are talking about this time is a rogue security......
Blog Traffic Exchange Related Websites
  • Finding the Snow for Skiing in the Spring When it comes to skiing in the spring, we need to be able to find the snow, no matter what the costs are. Before we head out to the slopes to participate in spring skiing, we are going to have to find the snow. A quick check at certain websites......
  • Stop Registry Error Message - How to Fix Windows Registry Errors the Easy Way It is very annoying when your computer displays a registry error message because it really affects the performance of your system. It is not recognized to a lot of people that this is one everyday problem that computer users are experiencing every so often. The performance of the computer is......
  • Shopping at a Perfume Outlet Your local mall probably has at least one perfume outlet. You can find these stores sometimes in strip malls, kiosks and even online. But is it a good idea to shop at a perfume outlet, or are you getting an inferior product for the smaller price tag? A perfume outlet......
PDF24    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site