Options
Need assistance with Win.32.small-ek[trj] + Win.32.Adan-094 and 078 [Adw]
I've been getting Avast warnings constantly about these 3 infections.
Win.32.small-ek[trj]
Win.32.Adan-094[Adw]
Win.32.Adan-078[Adw]
Here's a paste from my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 3:06:28 PM, on 8/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kwij\Desktop\HijackThis.exe
R3 - URLSearchHook: (no name) - {E501D54B-4849-1DAD-6CEB-023C92DF9C68} - dePloy.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [br0ken] NopeZ.exe
O4 - HKLM\..\Run: [StartCpl] Dest068.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [rmseb.exe] C:\WINDOWS\system32\rmseb.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [StatusCheck] iesetupdll.exe
O4 - HKCU\..\Run: [clamav] _ctcp.exe
O4 - HKCU\..\Run: [EXE32EXE] bingo9.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1A3E52C-71FF-4539-B914-497214141346}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
Thanks in advance!
Win.32.small-ek[trj]
Win.32.Adan-094[Adw]
Win.32.Adan-078[Adw]
Here's a paste from my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 3:06:28 PM, on 8/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kwij\Desktop\HijackThis.exe
R3 - URLSearchHook: (no name) - {E501D54B-4849-1DAD-6CEB-023C92DF9C68} - dePloy.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [br0ken] NopeZ.exe
O4 - HKLM\..\Run: [StartCpl] Dest068.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [rmseb.exe] C:\WINDOWS\system32\rmseb.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [StatusCheck] iesetupdll.exe
O4 - HKCU\..\Run: [clamav] _ctcp.exe
O4 - HKCU\..\Run: [EXE32EXE] bingo9.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1A3E52C-71FF-4539-B914-497214141346}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
Thanks in advance!
0
Comments
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.
Scan saved at 7:04:02 AM, on 9/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kwij\Desktop\HijackThis.exe
R3 - URLSearchHook: (no name) - {E501D54B-4849-1DAD-6CEB-023C92DF9C68} - dePloy.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [br0ken] NopeZ.exe
O4 - HKLM\..\Run: [StartCpl] Dest068.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [nxoby.exe] C:\WINDOWS\system32\nxoby.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [StatusCheck] iesetupdll.exe
O4 - HKCU\..\Run: [clamav] _ctcp.exe
O4 - HKCU\..\Run: [EXE32EXE] bingo9.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE7EFC8B-1D5E-4D10-A346-B322F125EE13}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BBD7784AC389-1789-9944-4C0B-5153F253{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D266985840EF-D859-9584-6A05-AB63C9CC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}615C6D8376A6-43BB-6784-BEC9-E6743BBF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}113BA85E6E7E-FE69-E324-D076-F2576CB2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0E415F2ABCBF-015A-75C4-7F03-F155B51C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3D9C12208AC7-640A-D314-92CE-9B414F9F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9573CC7F6E88-F918-B744-83FD-7F4F3852{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AE3B12DD2247-447A-CDC4-F582-5C148066{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FDBC8D2782F7-F859-A1F4-6FE9-7B56570A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}781A6936E2A3-62E9-8DC4-F499-E4AC8133{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A828AF220147-2DAB-2D74-A74C-A2CF0993{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}971D469848C0-8B49-9294-15E4-78D65629{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3EC20130B40D-B01A-1B54-DDFC-90468107{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}24CC842B44A4-B49B-0F14-858D-D96BB60A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A89FCE408B44-C579-B854-490A-0716F753{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B7C6221B9409-9F7B-25C4-C9CB-1BE1E234{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EF96D952A35E-8E9B-DFA4-88A2-29460B38{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}77659CAC03F2-01AA-F9E4-0270-618F41A0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}28C6FC6C2E4F-B43A-F2B4-4709-8EB262BF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6EB6EC901F34-CFFB-7274-D192-B3DCA1CA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6FE361553753-937A-21B4-808C-853CBD99{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EA0DD6D2B51E-FBDB-21C4-EBE5-0733FCC0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F05295D9D590-D518-5D64-3266-15A856FF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}32E44D7C9F04-D3A8-AB74-6042-BF55BDA4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5BE5A6F41A91-A90A-2094-5D20-E64F5C98{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}89C2CE2484B7-D7CB-0174-6B52-02F98126{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}656B705A36C2-D448-01C4-5B82-80E4ECF3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}87750C5674EB-D8F9-2BF4-4440-39BC97BC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}350166284AB4-996B-F4E4-BCAF-D8CD6D8A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D61671FEDC5B-6958-2664-A0A0-1C363D16{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}041FEB172CC6-0019-F3B4-46CC-EAF96FA7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B80AFD1D1DC9-109B-A294-6CFD-1306FAF6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A453F0157D4A-545B-2DB4-0E99-04CE6151{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}35B50CBE87DF-212A-E5C4-D434-B5D9F9E4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}155643D8DA18-52C9-E944-CD72-FC334805{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}07CE0EA2AC35-00EB-9B94-2B54-4B4EB90F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C88593A3170F-AA2B-62E4-E6A1-A75A9D2C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}98FE6FCD726A-2ECB-E804-D390-70841F69{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EE58C5FB2D9F-8C48-4254-0E1F-716F3647{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}04D4F4CEE211-4B09-4C64-3E56-9DE19572{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}71F629A07D50-069A-6274-E98F-16CBA533{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3A87A5300EBE-E8A8-2AD4-2A8B-B63F0EF9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2390FD841E48-4909-5E44-4FE3-70649D19{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1A88AA294812-5A2A-78E4-A50B-8996224B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7104488C840C-65FB-EB44-6942-714D7924{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}50B8EC9E1D7C-1BBA-1B44-ED7B-DA1E4F82{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}388C5A930955-AB5A-6EF4-CB28-F8213EF1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5D0AE774F07B-5FF8-27E4-3292-E2A3F160{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BFC85A648FCD-D3FB-A354-57CD-15358C4D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
* csr.exe C:\WINDOWS\System32\CSEMJ.EXE
* csr.exe C:\WINDOWS\System32\{352F3~1.EXE
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool
»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSEMJ.EXE 51,293 2006-07-08
Other suspects
Directory of C:\WINDOWS\system32
{D4C85351-DC75-453A-BF3D-DCF846A58CFB}.exe
{061F3A2E-2923-4E72-8FF5-B70F477EA0D5}.exe
{1FE3128F-82BC-4FE6-A5BA-559039A5C883}.exe
{28F4E1AD-B7DE-44B1-ABB1-C7D1E9CE8B05}.exe
{4297D417-2496-44BE-BF56-C048C8844017}.exe
{B4226998-B05A-4E87-A2A5-218492AA88A1}.exe
{91D94607-3EF4-44E5-9094-84E148DF0932}.exe
{9FE0F36B-B8A2-4DA2-8A8E-EBE0035A78A3}.exe
{335ABC61-F89E-4726-A960-05D70A926F17}.exe
{27591ED9-65E3-46C4-90B4-112EEC4F4D40}.exe
{7463F617-F1E0-4524-84C8-F9D2BF5C85EE}.exe
{96F14807-093D-408E-BCE2-A627DCF6EF89}.exe
{C2D9A57A-1A6E-4E26-B2AA-F0713A39588C}.exe
{F09BE4B4-45B2-49B9-BE00-53CA2AE0EC70}.exe
{508433CF-27DC-449E-9C25-81AD8D346551}.exe
{4E9F9D5B-434D-4C5E-A212-FD78EBC05B53}.exe
{1516EC40-99E0-4BD2-B545-A4D7510F354A}.exe
{6FAF6031-DFC6-492A-B901-9CD1D1DFA08B}.exe
{7AF69FAE-CC64-4B3F-9100-6CC271BEF140}.exe
{61D363C1-0A0A-4662-8596-B5CDEF17616D}.exe
{A8D6DC8D-FACB-4E4F-B699-4BA482661053}.exe
{CB79CB93-0444-4FB2-9F8D-BE4765C05778}.exe
{3FCE4E08-28B5-4C10-844D-2C63A507B656}.exe
{62189F20-25B6-4710-BC7D-7B4842EC2C98}.exe
{4ADB55FB-2406-47BA-8A3D-40F9C7D44E23}.exe
{FF658A51-6623-46D5-815D-095D9D59250F}.exe
{0CCF3370-5EBE-4C12-BDBF-E15B2D6DD0AE}.exe
{99DBC358-C808-4B12-A739-357355163EF6}.exe
{AC1ACD3B-291D-4727-BFFC-43F109CE6BE6}.exe
{FB262BE8-9074-4B2F-A34B-F4E2C6CF6C82}.exe
{0A14F816-0720-4E9F-AA10-2F30CAC95677}.exe
{83B06492-2A88-4AFD-B9E8-E53A259D69FE}.exe
{432E1EB1-BC9C-4C52-B7F9-9049B1226C7B}.exe
{357F6170-A094-458B-975C-44B804ECF98A}.exe
{A06BB69D-D858-41F0-B94B-4A44B248CC42}.exe
{70186409-CFDD-45B1-A10B-D04B03102CE3}.exe
{92656D87-4E51-4929-94B8-0C848964D179}.exe
{3990FC2A-C47A-47D2-BAD2-741022FA828A}.exe
{3318CA4E-994F-4CD8-9E26-3A2E6396A187}.exe
{A07565B7-9EF6-4F1A-958F-7F2872D8CBDF}.exe
{660841C5-285F-4CDC-A744-7422DD21B3EA}.exe
{2583F4F7-DF38-447B-819F-88E6F7CC3759}.exe
{F9F414B9-EC29-413D-A046-7CA80221C9D3}.exe
{C15B551F-30F7-4C57-A510-FBCBA2F514E0}.exe
{2BC6752F-670D-423E-96EF-E7E6E58AB311}.exe
{FBB3476E-9CEB-4876-BB34-6A6738D6C516}.exe
{CC9C36BA-50A6-4859-958D-FE048589662D}.exe
{352F3515-B0C4-4499-9871-983CA4877DBB}.exe
R3 - URLSearchHook: (no name) - {E501D54B-4849-1DAD-6CEB-023C92DF9C68} - dePloy.dll (file missing)
O4 - HKLM\..\Run: [br0ken] NopeZ.exe
O4 - HKLM\..\Run: [StartCpl] Dest068.exe
O4 - HKLM\..\Run: [rmseb.exe] C:\WINDOWS\system32\rmseb.exe
O4 - HKCU\..\Run: [StatusCheck] iesetupdll.exe
O4 - HKCU\..\Run: [clamav] _ctcp.exe
O4 - HKCU\..\Run: [EXE32EXE] bingo9.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1A3E52C-71FF-4539-B914-497214141346}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.
Please download FixWareout again from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
After doing this it seems the only warning i'm getting from avast! is the Win32:Small-EL [Trj]. I havn't seen the other two warnings again thus far.
Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BBD7784AC389-1789-9944-4C0B-5153F253{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D266985840EF-D859-9584-6A05-AB63C9CC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}615C6D8376A6-43BB-6784-BEC9-E6743BBF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}113BA85E6E7E-FE69-E324-D076-F2576CB2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0E415F2ABCBF-015A-75C4-7F03-F155B51C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3D9C12208AC7-640A-D314-92CE-9B414F9F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9573CC7F6E88-F918-B744-83FD-7F4F3852{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AE3B12DD2247-447A-CDC4-F582-5C148066{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FDBC8D2782F7-F859-A1F4-6FE9-7B56570A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}781A6936E2A3-62E9-8DC4-F499-E4AC8133{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A828AF220147-2DAB-2D74-A74C-A2CF0993{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}971D469848C0-8B49-9294-15E4-78D65629{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3EC20130B40D-B01A-1B54-DDFC-90468107{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}24CC842B44A4-B49B-0F14-858D-D96BB60A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A89FCE408B44-C579-B854-490A-0716F753{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B7C6221B9409-9F7B-25C4-C9CB-1BE1E234{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EF96D952A35E-8E9B-DFA4-88A2-29460B38{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}77659CAC03F2-01AA-F9E4-0270-618F41A0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}28C6FC6C2E4F-B43A-F2B4-4709-8EB262BF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6EB6EC901F34-CFFB-7274-D192-B3DCA1CA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6FE361553753-937A-21B4-808C-853CBD99{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EA0DD6D2B51E-FBDB-21C4-EBE5-0733FCC0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F05295D9D590-D518-5D64-3266-15A856FF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}32E44D7C9F04-D3A8-AB74-6042-BF55BDA4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5BE5A6F41A91-A90A-2094-5D20-E64F5C98{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}89C2CE2484B7-D7CB-0174-6B52-02F98126{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}656B705A36C2-D448-01C4-5B82-80E4ECF3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}87750C5674EB-D8F9-2BF4-4440-39BC97BC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}350166284AB4-996B-F4E4-BCAF-D8CD6D8A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D61671FEDC5B-6958-2664-A0A0-1C363D16{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}041FEB172CC6-0019-F3B4-46CC-EAF96FA7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B80AFD1D1DC9-109B-A294-6CFD-1306FAF6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A453F0157D4A-545B-2DB4-0E99-04CE6151{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}35B50CBE87DF-212A-E5C4-D434-B5D9F9E4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}155643D8DA18-52C9-E944-CD72-FC334805{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}07CE0EA2AC35-00EB-9B94-2B54-4B4EB90F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C88593A3170F-AA2B-62E4-E6A1-A75A9D2C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}98FE6FCD726A-2ECB-E804-D390-70841F69{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EE58C5FB2D9F-8C48-4254-0E1F-716F3647{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}04D4F4CEE211-4B09-4C64-3E56-9DE19572{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}71F629A07D50-069A-6274-E98F-16CBA533{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3A87A5300EBE-E8A8-2AD4-2A8B-B63F0EF9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2390FD841E48-4909-5E44-4FE3-70649D19{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1A88AA294812-5A2A-78E4-A50B-8996224B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7104488C840C-65FB-EB44-6942-714D7924{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}50B8EC9E1D7C-1BBA-1B44-ED7B-DA1E4F82{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}388C5A930955-AB5A-6EF4-CB28-F8213EF1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5D0AE774F07B-5FF8-27E4-3292-E2A3F160{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BFC85A648FCD-D3FB-A354-57CD-15358C4D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
* csr.exe C:\WINDOWS\System32\CSEMJ.EXE
* csr.exe C:\WINDOWS\System32\{352F3~1.EXE
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool
»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSEMJ.EXE 51,293 2006-07-08
Other suspects
Directory of C:\WINDOWS\system32
{D4C85351-DC75-453A-BF3D-DCF846A58CFB}.exe
{061F3A2E-2923-4E72-8FF5-B70F477EA0D5}.exe
{1FE3128F-82BC-4FE6-A5BA-559039A5C883}.exe
{28F4E1AD-B7DE-44B1-ABB1-C7D1E9CE8B05}.exe
{4297D417-2496-44BE-BF56-C048C8844017}.exe
{B4226998-B05A-4E87-A2A5-218492AA88A1}.exe
{91D94607-3EF4-44E5-9094-84E148DF0932}.exe
{9FE0F36B-B8A2-4DA2-8A8E-EBE0035A78A3}.exe
{335ABC61-F89E-4726-A960-05D70A926F17}.exe
{27591ED9-65E3-46C4-90B4-112EEC4F4D40}.exe
{7463F617-F1E0-4524-84C8-F9D2BF5C85EE}.exe
{96F14807-093D-408E-BCE2-A627DCF6EF89}.exe
{C2D9A57A-1A6E-4E26-B2AA-F0713A39588C}.exe
{F09BE4B4-45B2-49B9-BE00-53CA2AE0EC70}.exe
{508433CF-27DC-449E-9C25-81AD8D346551}.exe
{4E9F9D5B-434D-4C5E-A212-FD78EBC05B53}.exe
{1516EC40-99E0-4BD2-B545-A4D7510F354A}.exe
{6FAF6031-DFC6-492A-B901-9CD1D1DFA08B}.exe
{7AF69FAE-CC64-4B3F-9100-6CC271BEF140}.exe
{61D363C1-0A0A-4662-8596-B5CDEF17616D}.exe
{A8D6DC8D-FACB-4E4F-B699-4BA482661053}.exe
{CB79CB93-0444-4FB2-9F8D-BE4765C05778}.exe
{3FCE4E08-28B5-4C10-844D-2C63A507B656}.exe
{62189F20-25B6-4710-BC7D-7B4842EC2C98}.exe
{4ADB55FB-2406-47BA-8A3D-40F9C7D44E23}.exe
{FF658A51-6623-46D5-815D-095D9D59250F}.exe
{0CCF3370-5EBE-4C12-BDBF-E15B2D6DD0AE}.exe
{99DBC358-C808-4B12-A739-357355163EF6}.exe
{AC1ACD3B-291D-4727-BFFC-43F109CE6BE6}.exe
{FB262BE8-9074-4B2F-A34B-F4E2C6CF6C82}.exe
{0A14F816-0720-4E9F-AA10-2F30CAC95677}.exe
{83B06492-2A88-4AFD-B9E8-E53A259D69FE}.exe
{432E1EB1-BC9C-4C52-B7F9-9049B1226C7B}.exe
{357F6170-A094-458B-975C-44B804ECF98A}.exe
{A06BB69D-D858-41F0-B94B-4A44B248CC42}.exe
{70186409-CFDD-45B1-A10B-D04B03102CE3}.exe
{92656D87-4E51-4929-94B8-0C848964D179}.exe
{3990FC2A-C47A-47D2-BAD2-741022FA828A}.exe
{3318CA4E-994F-4CD8-9E26-3A2E6396A187}.exe
{A07565B7-9EF6-4F1A-958F-7F2872D8CBDF}.exe
{660841C5-285F-4CDC-A744-7422DD21B3EA}.exe
{2583F4F7-DF38-447B-819F-88E6F7CC3759}.exe
{F9F414B9-EC29-413D-A046-7CA80221C9D3}.exe
{C15B551F-30F7-4C57-A510-FBCBA2F514E0}.exe
{2BC6752F-670D-423E-96EF-E7E6E58AB311}.exe
{FBB3476E-9CEB-4876-BB34-6A6738D6C516}.exe
{CC9C36BA-50A6-4859-958D-FE048589662D}.exe
{352F3515-B0C4-4499-9871-983CA4877DBB}.exe
Logfile of HijackThis v1.99.1
Scan saved at 9:01:06 PM, on 9/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Kwij\Desktop\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [zorec.exe] C:\WINDOWS\system32\zorec.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1A3E52C-71FF-4539-B914-497214141346}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE7EFC8B-1D5E-4D10-A346-B322F125EE13}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
The Wareout infection is refusing to be removed. Let's try again. Launch HijackThis and place a tick by the following entries:
O4 - HKLM\..\Run: [zorec.exe] C:\WINDOWS\system32\zorec.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1A3E52C-71FF-4539-B914-497214141346}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE7EFC8B-1D5E-4D10-A346-B322F125EE13}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.
Rescan with HijackThis and post the new log in your nect reply. Thanks.
Scan saved at 9:50:24 AM, on 12/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kwij\Desktop\HijackThis.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [fsoge.exe] C:\WINDOWS\system32\fsoge.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS1\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O17 - HKLM\System\CS2\Services\Tcpip\..\{6902CA89-6B86-41CB-BB93-73B0E8D975A7}: NameServer = 85.255.115.43,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.185
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
:S