Disinfecting a PC… part 4



So, AVG has been scanning away finding things we’ve really got a foothold on the system and the malware has a fight on it’s hands. It’s good to see progress. Up to this point we’ve had multiple Spool32 errors (printer related). These errors are what prompted the system to be brought in initially. There’s a lexmark system tray item that loads on boot. No time to investigate that yet. Here’s the log of the AVG antivirus scan…


“Partition table (MBR)”,”ok”,”Quick checked”
“Boot sector of disk C:”,”ok”,”Quick checked”
“System registry SoftwareMicrosoftWindows NTCurrentVersionWindowsLoad”,”",”Scanned”
“System registry SoftwareMicrosoftWindows NTCurrentVersionWindowsRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnceEx”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServices”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServicesOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnceEx”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServices”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServicesOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionWinlogonUserinit”,”",”Scanned”
“System registry SOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell”,”",”Scanned”
“System registry exefileshellopencommand”,”",”Scanned”
“System registry scrfileshellopencommand”,”",”Scanned”
“System registry scrfileshellconfigcommand”,”",”Scanned”
“System registry batfileshellopencommand”,”",”Scanned”
“System registry cmdfileshellopencommand”,”",”Scanned”
“System registry comfileshellopencommand”,”",”Scanned”
“System registry piffileshellopencommand”,”",”Scanned”
“System registry giffileshellopencommand”,”",”Scanned”
“System registry htmlfileshellopencommand”,”",”Scanned”
“System registry htafileshellopencommand”,”",”Scanned”
“System registry jpegfileshellopencommand”,”",”Scanned”
“System registry txtfileshellopencommand”,”",”Scanned”
“System registry regfileshellopencommand”,”",”Scanned”
“System registry cplfileshellcplopencommand”,”",”Scanned”
“System registry Word.Document.8shellopencommand”,”",”Scanned”
“System registry WordPad.Document.1shellopencommand”,”",”Scanned”
“C:PROGRAM FILESREALREALJUKEBOXtsystray.exe”,”ok”,”Quick checked”
“C:PROGRA~1ACCESS~1WORDPAD.EXE”,”ok”,”Quick checked”
“C:PROGRA~1BMCENT~1BMLauncher.exe”,”ok”,”Quick checked”
“C:PROGRA~1ESOFTEBOARDeBoard.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgamsvr.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgcc.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgemc.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgw.exe”,”ok”,”Quick checked”
“C:PROGRA~1INTERN~1IEXPLORE.EXE”,”ok”,”Quick checked”
“C:PROGRA~1MESSEN~1msmsgs.exe”,”ok”,”Quick checked”
“C:PROGRA~1ezulammod.exe”,”ok”,”Quick checked”
“C:Program FilesCommon Filesslmssslmss.exe”,”Trojan horse SecThought.B”,”Infected”
“C:Program FilesCommon filesupdaterwupdater.exe”,”Trojan horse Downloader.Keenval.J”,”Infected”
“C:Program FilesInternet Optimizeroptimize.exe”,”Trojan horse Downloader.Dyfica.2.AC”,”Infected”
“C:Program FilesMicrosoft MoneySystemMoney Express.exe”,”ok”,”Quick checked”
“C:Program FilesMicrosoft OfficeOfficeWINWORD.EXE”,”ok”,”Quick checked”
“C:Program FilesRealRealPlayerrealplay.exe”,”ok”,”Quick checked”
“C:Progra~1ClearSearchLoader.exe”,”Trojan horse BackDoor.Ruledor.D”,”Infected”
“C:WINDOWSLOADQM.EXE”,”ok”,”Quick checked”
“C:WINDOWSNOTEPAD.EXE”,”ok”,”Quick checked”
“C:WINDOWSPCHealthSupportPCHSCHD.EXE”,”ok”,”Quick checked”
“C:WINDOWSREGEDIT.EXE”,”ok”,”Quick checked”
“C:WINDOWSRUNDLL32.EXE”,”ok”,”Quick checked”
“C:WINDOWSSCANREGW.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMLEXSTART.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMMSHTA.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMMSTASK.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMPRINTRAY.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSHELL32.DLL”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSHIMGVW.DLL”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSSDPSRV.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSYSTRAY.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMpecxlc.exe”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMstcloader.exe”,”ok”,”Quick checked”
“C:WINDOWSSystemRestoreSTATEMGR.EXE”,”ok”,”Quick checked”
“C:WINDOWSTASKMON.EXE”,”ok”,”Quick checked”
“C:WINDOWSgoidr.exe”,”ok”,”Quick checked”
“C:WINDOWSmwsvm.exe”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMkernel32.dll”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMwsock32.dll”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMuser32.dll”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMshell32.dll”,”ok”,”Quick checked”
“C:WINDOWSTemporary Internet FilesContent.IE594LN9FJFHyperLinker[1].cab:HyperLinker.exe”,”Trojan horse BackDoor.Small.14.AM”,”Infected, Embedded object”
“C:WINDOWSTemporary Internet FilesContent.IE594LN9FJFHyperLinker[1].cab”,”Trojan horse BackDoor.Small.14.AM”,”Infected, Archive”
“System registry SoftwareMicrosoftWindows NTCurrentVersionWindowsLoad”,”",”Scanned”
“System registry SoftwareMicrosoftWindows NTCurrentVersionWindowsRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnceEx”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServices”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServicesOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRun”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunOnceEx”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServices”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionRunServicesOnce”,”",”Scanned”
“System registry SoftwareMicrosoftWindowsCurrentVersionWinlogonUserinit”,”",”Scanned”
“System registry SOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell”,”",”Scanned”
“System registry exefileshellopencommand”,”",”Scanned”
“System registry scrfileshellopencommand”,”",”Scanned”
“System registry scrfileshellconfigcommand”,”",”Scanned”
“System registry batfileshellopencommand”,”",”Scanned”
“System registry cmdfileshellopencommand”,”",”Scanned”
“System registry comfileshellopencommand”,”",”Scanned”
“System registry piffileshellopencommand”,”",”Scanned”
“System registry giffileshellopencommand”,”",”Scanned”
“System registry htmlfileshellopencommand”,”",”Scanned”
“System registry htafileshellopencommand”,”",”Scanned”
“System registry jpegfileshellopencommand”,”",”Scanned”
“System registry txtfileshellopencommand”,”",”Scanned”
“System registry regfileshellopencommand”,”",”Scanned”
“System registry cplfileshellcplopencommand”,”",”Scanned”
“System registry Word.Document.8shellopencommand”,”",”Scanned”
“System registry WordPad.Document.1shellopencommand”,”",”Scanned”
“C:PROGRAM FILESREALREALJUKEBOXtsystray.exe”,”ok”,”Quick checked”
“C:PROGRA~1ACCESS~1WORDPAD.EXE”,”ok”,”Quick checked”
“C:PROGRA~1BMCENT~1BMLauncher.exe”,”ok”,”Quick checked”
“C:PROGRA~1ESOFTEBOARDeBoard.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgamsvr.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgcc.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgemc.exe”,”ok”,”Quick checked”
“C:PROGRA~1GRISOFTAVGFRE~1avgw.exe”,”ok”,”Quick checked”
“C:PROGRA~1INTERN~1IEXPLORE.EXE”,”ok”,”Quick checked”
“C:PROGRA~1MESSEN~1msmsgs.exe”,”ok”,”Quick checked”
“C:PROGRA~1ezulammod.exe”,”ok”,”Quick checked”
“C:Program FilesMicrosoft MoneySystemMoney Express.exe”,”ok”,”Quick checked”
“C:Program FilesMicrosoft OfficeOfficeWINWORD.EXE”,”ok”,”Quick checked”
“C:Program FilesRealRealPlayerrealplay.exe”,”ok”,”Quick checked”
“C:WINDOWSLOADQM.EXE”,”ok”,”Quick checked”
“C:WINDOWSNOTEPAD.EXE”,”ok”,”Quick checked”
“C:WINDOWSPCHealthSupportPCHSCHD.EXE”,”ok”,”Quick checked”
“C:WINDOWSREGEDIT.EXE”,”ok”,”Quick checked”
“C:WINDOWSRUNDLL32.EXE”,”ok”,”Quick checked”
“C:WINDOWSSCANREGW.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMLEXSTART.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMMSHTA.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMMSTASK.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMPRINTRAY.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSHELL32.DLL”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSHIMGVW.DLL”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSSDPSRV.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMSYSTRAY.EXE”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMpecxlc.exe”,”ok”,”Quick checked”
“C:WINDOWSSYSTEMstcloader.exe”,”ok”,”Quick checked”
“C:WINDOWSSystemRestoreSTATEMGR.EXE”,”ok”,”Quick checked”
“C:WINDOWSTASKMON.EXE”,”ok”,”Quick checked”
“C:WINDOWSgoidr.exe”,”ok”,”Quick checked”
“C:WINDOWSmwsvm.exe”,”ok”,”Quick checked”
“C:updaterInstall_112.exe”,”",”Deleted”
“C:WINDOWSwsem300.dll”,”",”Deleted”
“C:WINDOWSaqadcup.exe”,”",”Deleted”
“C:WINDOWSGuqvqmm.exe”,”",”Deleted”
“C:WINDOWSXecrtyr.exe”,”",”Deleted”
“C:WINDOWSHyperLinker.exe”,”",”Deleted”
“C:WINDOWSHelper100.dll”,”",”Deleted”
“C:WINDOWSSYSTEM2ndsrch.dll”,”",”Deleted”
“C:WINDOWSSYSTEMATPartners.dll”,”",”Deleted”
“C:WINDOWSSYSTEMistinstall_adlogix.exe”,”",”Deleted”
“C:WINDOWSSYSTEMin10b6s.dll”,”",”Deleted”
“C:WINDOWSSYSTEMcdsm32.dll”,”",”Deleted”
“C:WINDOWSTEMPfEGhYef.exe”,”",”Deleted”
“C:WINDOWSTEMPoptimize.exe”,”",”Deleted”
“C:WINDOWSTEMPbdl14173.exe”,”",”Deleted”
“C:WINDOWSbundlesTvm_b5_269.exe”,”",”Deleted”
“C:WINDOWSbundles32wu54rd.exe”,”",”Deleted”
“C:WINDOWSbundlesSSK_B5.EXE”,”",”Deleted”
“C:WINDOWSbundlesshopinst.exe”,”",”Deleted”
“C:WINDOWSbundlessaie1101.exe”,”",”Deleted”
“C:WINDOWSbundlesHelperInstaller.exe”,”",”Deleted”
“C:Program FilesCommon FilesSlmssslmss.exe”,”",”Deleted”
“C:Program FilesCommon Filesupdaterdelupdat.exe”,”",”Deleted”
“C:Program FilesCommon Filesupdaterwupdater.exe”,”",”Deleted”
“C:Program FilesCommon Filesupdatersui.exe”,”",”Deleted”
“C:Program FilesWindows Media PlayerWMPLAYER.EXE”,”",”Deleted”
“C:Program FilesDiallerProgram11145.exe”,”",”Deleted”
“C:Program FilesSTCslmss.exe”,”",”Deleted”
“C:Program FilesSTCCSV5P070.exe”,”",”Deleted”
“C:Program FilesSTCs_win32.exe”,”",”Deleted”
“C:Program FilesClearSearchLoader.exe”,”",”Deleted”
“C:Program FilesInternet Optimizeroptimize.exe”,”",”Deleted”
“C:Program FilesInternet Optimizerinstall.exe”,”",”Deleted”
“C:Program FilesInternet Optimizerupdateinstall.exe”,”",”Deleted”
“C:Program FilesIncrediFindBHOIncFindBHO.dll”,”",”Deleted”

35 items deleted, 5 others identified as virus, quarantined, the archive is not movable at this time. (Manually delete later.) Details on the bugs in the next entry.

Related Posts

Blog Traffic Exchange Related Posts
  • Disinfecting a PC… part 3 Picking up from last time... AVG was failing to install with a peculiar registry error. (Which I didn't see much reference to online.) OK, so here is another fruit of the online search (so many bugs to identify...) jawa32.exe is listed as spyware.seekseek in sarc's database. OK - let's see......
  • Zero-day ( 0-day) Microsoft Word exploit There was some news on this last night at Incidents.org, today F-secure has some details as well on the trojan that's dropped in this circulating, exploit. It seems as though the initial attack was very targetted against a specific organization. Antivirus packages did not recognize the trojan that the exploit......
  • Update on Long registry entries bug Incidents.org has an update on yesterdays story of very long registry entries not being visible in most registry tools (regedit among others.) They have an updated list of what does and does not read these long keys. They've alluded to nasties in the wild that are already taking advantage of......
Blog Traffic Exchange Related Websites
  • Funny Windows Errors - How to Fix Registry Errors in Windows Have you ever wondered why your computer sometimes encounters funny windows errors after several weeks from your purchase? Your windows operating system may behave unusually, and if you think about it this happens when you install and uninstall programs in your computer. It is also common that over time, you......
  • Ever Changing Windows Registry – Here's the Way to Counter Registry Errors Windows registry is information loaded in files to direct the behaviors of operating system and other programs. Any change or deviation just leads to crashes unwanted. Whenever you install few files are registered in Windows registry as program guidance files and during uninstall they are either removed or let remain......
  • Shopping at a Perfume Outlet Your local mall probably has at least one perfume outlet. You can find these stores sometimes in strip malls, kiosks and even online. But is it a good idea to shop at a perfume outlet, or are you getting an inferior product for the smaller price tag? A perfume outlet......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site