Disinfecting a PC… part 4



So, AVG has been scanning away finding things we’ve really got a foothold on the system and the malware has a fight on it’s hands. It’s good to see progress. Up to this point we’ve had multiple Spool32 errors (printer related). These errors are what prompted the system to be brought in initially. There’s a lexmark system tray item that loads on boot. No time to investigate that yet. Here’s the log of the AVG antivirus scan…


“Partition table (MBR)”,”ok”,”Quick checked”
“Boot sector of disk C:”,”ok”,”Quick checked”
“System registry SoftwareMicrosoftWindows NTCurrentVersionWindowsLoad”,”",”Scanned”
“System registry SoftwareMicrosoftWindows NTCurrentVersionWindowsRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnceEx”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServices”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServicesOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnceEx”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServices”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServicesOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionWinlogonUserinit”,”",”Scanned”
“System registry SOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell”,”",”Scanned”
“System registry exefileshellopencommand”,”",”Scanned”
“System registry scrfileshellopencommand”,”",”Scanned”
“System registry scrfileshellconfigcommand”,”",”Scanned”
“System registry batfileshellopencommand”,”",”Scanned”
“System registry cmdfileshellopencommand”,”",”Scanned”
“System registry comfileshellopencommand”,”",”Scanned”
“System registry piffileshellopencommand”,”",”Scanned”
“System registry giffileshellopencommand”,”",”Scanned”
“System registry htmlfileshellopencommand”,”",”Scanned”
“System registry htafileshellopencommand”,”",”Scanned”
“System registry jpegfileshellopencommand”,”",”Scanned”
“System registry txtfileshellopencommand”,”",”Scanned”
“System registry regfileshellopencommand”,”",”Scanned”
“System registry cplfileshellcplopencommand”,”",”Scanned”
“System registry Word.Document.8shellopencommand”,”",”Scanned”
“System registry WordPad.Document.1shellopencommand”,”",”Scanned”
“C:PROGRAM FILESREALREALJUKEBOXtsystray.exe”,”ok”,”Quick checked”
“C:PROGRA~1ACCESS~1WORDPAD.EXE”,”ok”,”Quick checked”
“C:PROGRA~1BMCENT~1BMLauncher.exe”,”ok”,”Quick checked”
“C:PROGRA~1ESOFTEBOARDeBoard.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgamsvr.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgcc.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgemc.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgw.exe”,”ok”,”Quick checked”
“C:PROGRA~1INTERN~1IEXPLORE.EXE”,”ok”,”Quick checked”
“C:PROGRA~1MESSEN~1msmsgs.exe”,”ok”,”Quick checked”
“C:PROGRA~1ezulammod.exe”,”ok”,”Quick checked”
“C:Program FilesCommon Filesslmssslmss.exe”,”Trojan horse SecThought.B”,”Infected”
“C:Program FilesCommon filesupdaterwupdater.exe”,”Trojan horse Downloader.Keenval.J”,”Infected”
“C:Program FilesInternet Optimizeroptimize.exe”,”Trojan horse Downloader.Dyfica.2.AC”,”Infected”
“C:Program FilesMicrosoft MoneySystemMoney Express.exe”,”ok”,”Quick checked”
“C:Program FilesMicrosoft OfficeOfficeWINWORD.EXE”,”ok”,”Quick checked”
“C:Program FilesRealRealPlayerrealplay.exe”,”ok”,”Quick checked”
“C:Progra~1ClearSearchLoader.exe”,”Trojan horse BackDoor.Ruledor.D”,”Infected”
“C:WINDOWSLOADQM.EXE”,”ok”,”Quick checked”
“C:WINDOWSNOTEPAD.EXE”,”ok”,”Quick checked”
“C:WINDOWSPCHealthSupportPCHSCHD.EXE”,”ok”,”Quick checked”
“C:WINDOWSREGEDIT.EXE”,”ok”,”Quick checked”
“C:WINDOWSRUNDLL32.EXE”,”ok”,”Quick checked”
“C:WINDOWSSCANREGW.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMLEXSTART.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMMSHTA.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMMSTASK.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMPRINTRAY.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSHELL32.DLL”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSHIMGVW.DLL”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSSDPSRV.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSYSTRAY.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMpecxlc.exe”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMstcloader.exe”,”ok”,”Quick checked”
“C:WINDOWSSystemRestoreSTATEMGR.EXE”,”ok”,”Quick checked”
“C:WINDOWSTASKMON.EXE”,”ok”,”Quick checked”
“C:WINDOWSgoidr.exe”,”ok”,”Quick checked”
“C:WINDOWSmwsvm.exe”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMkernel32.dll”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMwsock32.dll”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMuser32.dll”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMshell32.dll”,”ok”,”Quick checked”
“C:WINDOWSTemporary Internet FilesContent.IE594LN9FJFHyperLinker[1].cab:HyperLinker.exe”,”Trojan horse BackDoor.Small.14.AM”,”Infected, Embedded object”
“C:WINDOWSTemporary Internet FilesContent.IE594LN9FJFHyperLinker[1].cab”,”Trojan horse BackDoor.Small.14.AM”,”Infected, Archive”
“System registry SoftwareMicrosoftWindows NTCurrentVersionWindowsLoad”,”",”Scanned”
“System registry SoftwareMicrosoftWindows NTCurrentVersionWindowsRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnceEx”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServices”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServicesOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnceEx”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServices”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServicesOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionWinlogonUserinit”,”",”Scanned”
“System registry SOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell”,”",”Scanned”
“System registry exefileshellopencommand”,”",”Scanned”
“System registry scrfileshellopencommand”,”",”Scanned”
“System registry scrfileshellconfigcommand”,”",”Scanned”
“System registry batfileshellopencommand”,”",”Scanned”
“System registry cmdfileshellopencommand”,”",”Scanned”
“System registry comfileshellopencommand”,”",”Scanned”
“System registry piffileshellopencommand”,”",”Scanned”
“System registry giffileshellopencommand”,”",”Scanned”
“System registry htmlfileshellopencommand”,”",”Scanned”
“System registry htafileshellopencommand”,”",”Scanned”
“System registry jpegfileshellopencommand”,”",”Scanned”
“System registry txtfileshellopencommand”,”",”Scanned”
“System registry regfileshellopencommand”,”",”Scanned”
“System registry cplfileshellcplopencommand”,”",”Scanned”
“System registry Word.Document.8shellopencommand”,”",”Scanned”
“System registry WordPad.Document.1shellopencommand”,”",”Scanned”
“C:PROGRAM FILESREALREALJUKEBOXtsystray.exe”,”ok”,”Quick checked”
“C:PROGRA~1ACCESS~1WORDPAD.EXE”,”ok”,”Quick checked”
“C:PROGRA~1BMCENT~1BMLauncher.exe”,”ok”,”Quick checked”
“C:PROGRA~1ESOFTEBOARDeBoard.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgamsvr.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgcc.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgemc.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgw.exe”,”ok”,”Quick checked”
“C:PROGRA~1INTERN~1IEXPLORE.EXE”,”ok”,”Quick checked”
“C:PROGRA~1MESSEN~1msmsgs.exe”,”ok”,”Quick checked”
“C:PROGRA~1ezulammod.exe”,”ok”,”Quick checked”
“C:Program FilesMicrosoft MoneySystemMoney Express.exe”,”ok”,”Quick checked”
“C:Program FilesMicrosoft OfficeOfficeWINWORD.EXE”,”ok”,”Quick checked”
“C:Program FilesRealRealPlayerrealplay.exe”,”ok”,”Quick checked”
“C:WINDOWSLOADQM.EXE”,”ok”,”Quick checked”
“C:WINDOWSNOTEPAD.EXE”,”ok”,”Quick checked”
“C:WINDOWSPCHealthSupportPCHSCHD.EXE”,”ok”,”Quick checked”
“C:WINDOWSREGEDIT.EXE”,”ok”,”Quick checked”
“C:WINDOWSRUNDLL32.EXE”,”ok”,”Quick checked”
“C:WINDOWSSCANREGW.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMLEXSTART.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMMSHTA.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMMSTASK.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMPRINTRAY.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSHELL32.DLL”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSHIMGVW.DLL”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSSDPSRV.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSYSTRAY.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMpecxlc.exe”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMstcloader.exe”,”ok”,”Quick checked”
“C:WINDOWSSystemRestoreSTATEMGR.EXE”,”ok”,”Quick checked”
“C:WINDOWSTASKMON.EXE”,”ok”,”Quick checked”
“C:WINDOWSgoidr.exe”,”ok”,”Quick checked”
“C:WINDOWSmwsvm.exe”,”ok”,”Quick checked”
“C:updaterInstall_112.exe”,”",”Deleted”
“C:WINDOWSwsem300.dll”,”",”Deleted”
“C:WINDOWSaqadcup.exe”,”",”Deleted”
“C:WINDOWSGuqvqmm.exe”,”",”Deleted”
“C:WINDOWSXecrtyr.exe”,”",”Deleted”
“C:WINDOWSHyperLinker.exe”,”",”Deleted”
“C:WINDOWSHelper100.dll”,”",”Deleted”
“C:WINDOWSSYSTEM2ndsrch.dll”,”",”Deleted”
“C:WINDOWSSYSTEMATPartners.dll”,”",”Deleted”
“C:WINDOWSSYSTEMistinstall_adlogix.exe”,”",”Deleted”
“C:WINDOWSSYSTEMin10b6s.dll”,”",”Deleted”
“C:WINDOWSSYSTEMcdsm32.dll”,”",”Deleted”
“C:WINDOWSTEMPfEGhYef.exe”,”",”Deleted”
“C:WINDOWSTEMPoptimize.exe”,”",”Deleted”
“C:WINDOWSTEMPbdl14173.exe”,”",”Deleted”
“C:WINDOWSbundlesTvm_b5_269.exe”,”",”Deleted”
“C:WINDOWSbundles32wu54rd.exe”,”",”Deleted”
“C:WINDOWSbundlesSSK_B5.EXE”,”",”Deleted”
“C:WINDOWSbundlesshopinst.exe”,”",”Deleted”
“C:WINDOWSbundlessaie1101.exe”,”",”Deleted”
“C:WINDOWSbundlesHelperInstaller.exe”,”",”Deleted”
“C:Program FilesCommon FilesSlmssslmss.exe”,”",”Deleted”
“C:Program FilesCommon Filesupdaterdelupdat.exe”,”",”Deleted”
“C:Program FilesCommon Filesupdaterwupdater.exe”,”",”Deleted”
“C:Program FilesCommon Filesupdatersui.exe”,”",”Deleted”
“C:Program FilesWindows Media PlayerWMPLAYER.EXE”,”",”Deleted”
“C:Program FilesDiallerProgram11145.exe”,”",”Deleted”
“C:Program FilesSTCslmss.exe”,”",”Deleted”
“C:Program FilesSTCCSV5P070.exe”,”",”Deleted”
“C:Program FilesSTCs_win32.exe”,”",”Deleted”
“C:Program FilesClearSearchLoader.exe”,”",”Deleted”
“C:Program FilesInternet Optimizeroptimize.exe”,”",”Deleted”
“C:Program FilesInternet Optimizerinstall.exe”,”",”Deleted”
“C:Program FilesInternet Optimizerupdateinstall.exe”,”",”Deleted”
“C:Program FilesIncrediFindBHOIncFindBHO.dll”,”",”Deleted”

35 items deleted, 5 others identified as virus, quarantined, the archive is not movable at this time. (Manually delete later.) Details on the bugs in the next entry.

Related Posts

Blog Traffic Exchange Related Posts
  • Remove Windows Police Pro I'm seeing a lot of searches for how to remove Windows Police Pro this evening. It looks like it's ALSO the latest flavor of the minute in the rogue security application crowd (take a look at remove Green AV for another rogue). As stated before... my usual path for removing......
  • How to Remove Data Doctor 2010 | Data Doctor 2010 Removal Guide Data Doctor 2010 is a rogue antivirus application. It will pop up warnings and claim that your system is infected with viruses or has other security problems. In reality the worst problem you have is that Data Doctor 2010 is on your system. It will further claim that it can......
  • Cleaning up after WMF exploit - BHO removal Browser helper objects (BHO's) are listed in the registry and load with explorer when it runs (Internet Explorer/ File explorer are so closely tied it affects both.) I've used BHOdemon in the past to identify and disable BHO's and a tool like that is the preferred method. However, in my......
Blog Traffic Exchange Related Websites
  • How Do I Check My Federal Income Tax Return Status? If you have received your W-2's and are anticipating a Federal income tax refund, it is important to file your taxes as early as possible to receive your refund quickly. In today's economic crisis, American's are awaiting tax time to receive funds that have been held by the government for......
  • Ever Changing Windows Registry – Here's the Way to Counter Registry Errors Windows registry is information loaded in files to direct the behaviors of operating system and other programs. Any change or deviation just leads to crashes unwanted. Whenever you install few files are registered in Windows registry as program guidance files and during uninstall they are either removed or let remain......
  • Shopping at a Perfume Outlet Your local mall probably has at least one perfume outlet. You can find these stores sometimes in strip malls, kiosks and even online. But is it a good idea to shop at a perfume outlet, or are you getting an inferior product for the smaller price tag? A perfume outlet......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site