CastleCops, Internet Crime Fighters
[DONE]Root kit: SVC: NDMONPRONTO
PCBruiser

SRT Team Lead
SRT Team Lead
Forums Admin

Joined: May 11, 2005
Posts: 11723

1st Responder Mentors 1st Responders Forums Admin MIRT Moderators Premium Rootkit Experts Security Experts SRT Team CC Committee

PostPosted: Tue Apr 22, 2008 3:36 pm    Post subject:

Hi,

Don't post any files yet. I need to see the GMER report before knowing whether we have killed the rootkit file or not. If we have, then I will want a second MBR boot image and then the two of them should be zipped together and posted for me.

Internet: Yes, that's correct. Now, it is important that you make sure to grab all the settings in TCP/IP before doing this, because some specific non-default settings may be required by your ISP. What I am doing is deleting the entire TCP/IP protocol and replacing it with a factory fresh version with default settings. So, if there are ISP specific settings, after the new protocol is installed, you will need to go through the settings and change the defaults to those needed by your ISP.

Rootkit: I don't know yet.


_________________
Don't read? Can't learn!
negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5394

Moderators MVP Premium RootKit Detection Hosts Rootkit Experts Security Experts SRT

PostPosted: Wed Apr 23, 2008 1:43 am    Post subject:

I've got to thank PCB for stepping into this thread in my absence. He is the one I would have asked to take over anyway, and I can see he is doing an exceptional job (as usual) - so I will let him carry on.

Thanks!! PCB - and Arc - you are in GREAT hands! I think I will grab that sample from Unknown Files and infect my VPC.


_________________
Negster22 - MS MVP - Consumer Security 2006-2008
Arc

Sergeant
Sergeant


Joined: Apr 15, 2008
Posts: 76
Location: Canada

PostPosted: Wed Apr 23, 2008 2:11 pm    Post subject:

Hi,

I ran into some problems.

I have to get some stuff done at work but I'll post the details and a few questions in an hour or 2. I just wanted to keep you posted.

Hey neg I'll try and get the other files up soon. Ciao.

Arc

Arc

PostPosted: Wed Apr 23, 2008 3:41 pm    Post subject:

Hi,

I did the TCP/IP thing but I still got the same error with my ISP's software. So in my brilliance I thought, hey, maybe it's the software. Therefore I uninstalled it and went to reinstall it.

However...yes, I have a however...when I went to install it, it said it was already installed.

I tried a few times...rebooted everything etc... so internet go boom! I think I'm going to call my ISP and see if they can help me out with that specifically.

However, I can get you guys the log and the files. BTW I still think it's there by looking at the GMER log. Something there besides the registry entries...but I'll let you guys of course have the final word.

I just have one question: what is the likelihood of transferring the rootkit to my other computer if I'm transferring files...like any files, Word or JPEGs etc.? Could it somehow sneak onto, say, a USB drive? Thanks.

Regards,

Arc

PCBruiser

PostPosted: Wed Apr 23, 2008 3:53 pm    Post subject:

Hi,

The way malware passes from system to system using a USB device is via the use of an auto-runner on the USB device. Since the files will be zipped, the only way they could infect your other system is if the USB device has an auto-runner specifically designed to unzip the file, know which one is the infected MBR and know to install it in a very particular way on Track 0 of your other system's hard drive. It also means that that auto-runner had to be on your USB device from some earlier time. So, whoever designed the malware would have had to figure out who would be infected in the future by his crap, exactly which USB device to get the auto-runner on in advance, know what the zip file is going to be called, and what the names assigned to the image files will be, and all this before the fact. Not very likely.

I think you had an incomplete uninstall of your ISP's software. If they can't help you, I can help you to manually get rid of any remaining traces before you try to reinstall. That usually takes care of the problem.

Work with them, and then if they can't solve it for you, I will attempt it for you.

Please post that GMER log for me to review.


_________________
Don't read? Can't learn!
Arc

PostPosted: Wed Apr 23, 2008 5:12 pm    Post subject:

PC:

I don't think I explained what I meant correctly. I mean any file via a USB...that isn't zipped. Basically, is there any way that the file is going to hide on the USB regardless of what I put on there, zipped or not...JPEGs, TIFFs, Word files, Excel sheets, whatever?

So I think, hey, I only have a Notepad file on here, and I plug it into my laptop and then...bam! Nmonopronto or whatever is having a field day on that computer as well?

I suspect not, just want to be sure because my laptop is much easier to throw out the window.

I think you're right about the incomplete install. Thanks for the offer...if you think that will be better I'll try manually getting rid of the traces first if it's no trouble?

You are one patient guy. Thanks.

Arc

PCBruiser

PostPosted: Wed Apr 23, 2008 5:53 pm    Post subject:

Sure, go ahead and remove the traces if you want. If you run into problems, just post.

OK, I think I get your question now. In order for your USB device to become infected, it has to be plugged into a system that is infected by a USB malware loader. They watch for USB devices to be attached and infect them with auto-run malware to infect any other system that the USB device gets plugged into. This process is practically invisible until the infection is noticed, and then we can usually track the source to an infected USB device.

There is a very practical way to totally prevent any infected USB device from spreading its malware onto any of your systems. Simply turn off auto-play system wide.

To turn off auto-play system wide for W2K and XP:

  • Click Start, click Run, type gpedit.msc, and then click OK.
  • Expand User Configuration, expand Administrative Templates, and then expand System.
  • Double-click the Turn off Autoplay policy.
  • Select Disabled, click Apply, and then click OK.


Note: In Windows 2000, the policy setting is named Disable Autoplay.

To disable auto-play for Vista, open Control Panel, Hardware and Sound, AutoPlay, and disable auto-play for Software and games, and Mixed content. To be even more secure, turn it off for everything.

No auto-play (auto-run) no spread of infection to the system where that is disabled. I find auto-play to be an annoyance and routinely disable it on all my systems. With auto-play turned off, you can easily remove any malware on an infected USB device by attaching it to a system where auto-play has been disabled, and then erasing the auto-play files on the USB device.


_________________
Don't read? Can't learn!
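
One way to confirm that the setting actually took effect, as an added example that is not part of the original post: it decodes NoDriveTypeAutoRun, the registry value in which Windows stores the Autoplay policy. The value name, registry path and bit meanings are Windows facts the thread does not mention, and the function names are this example's own.

```python
import sys

# One bit per Win32 GetDriveType() drive type; a set bit means AutoRun is
# disabled for that type. These meanings are Windows facts, not from the thread.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cd-rom",
    0x40: "ram disk",
    0x80: "reserved",
}
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"


def blocked_types(mask):
    """Drive types for which the mask switches AutoRun off."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit]


def usb_autorun_blocked(mask):
    """True only if both kinds of USB storage are covered.

    Flash sticks report as removable (0x04), but USB hard disks report as
    fixed (0x08), so checking the removable bit alone is not enough.
    """
    return mask is not None and (mask & 0x0C) == 0x0C


def effective_mask(found):
    """Machine policy (HKLM) takes precedence over the per-user value (HKCU)."""
    if found.get("HKLM") is not None:
        return found["HKLM"]
    return found.get("HKCU")


def read_policy():
    """Read the value from both hives; returns {} when not run on Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE),
             ("HKCU", winreg.HKEY_CURRENT_USER))
    found = {}
    for name, hive in hives:
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                raw, _kind = winreg.QueryValueEx(key, POLICY_VALUE)
        except OSError:
            found[name] = None  # key or value absent: no policy in this hive
            continue
        # The value may be stored as REG_DWORD (int) or REG_BINARY (bytes).
        found[name] = raw if isinstance(raw, int) else int.from_bytes(raw[:4], "little")
    return found


if __name__ == "__main__":
    mask = effective_mask(read_policy())
    if mask is None:
        print("No NoDriveTypeAutoRun policy value found")
    else:
        print(f"mask=0x{mask:02X} blocks: {', '.join(blocked_types(mask))}")
        print("USB storage covered:", usb_autorun_blocked(mask))
```
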
Arc

PostPosted: Wed Apr 23, 2008 6:24 pm    Post subject:

Yeah that's what I meant. Thanks!!! Going by your last sentence...To erase autoplay files on a USB, these will be visible? Or is this automatic once I plug it in a system with autoplay turned off? I hate auto play too!

Oh, and how do I remove the traces of the ISP's program? I can't find the directory or anything to do with it. I thought you had a method or something? Sorry if I misunderstood.

Thanks.

Arc

PCBruiser

PostPosted: Wed Apr 23, 2008 6:33 pm    Post subject:

Hi,

No, it won't be automatic, but an autoplay file is almost always called autoplay.inf. In any case, since with auto-play turned off nothing will run, you can simply open the USB drive in Explorer and erase the suspect file(s) as long as you are careful not to double click on them to cause them to run. And, they should be visible, yes. At worst, you can just reformat the USB device and they will be gone even if they were invisible. We also have some specialized software to remove all traces from USB devices.

Usually, the directories have a name derived from the ISP's name. You can use search to try to find the folders the software was in. The other place where remnants may reside is in your registry. If there are orphaned registry entries, using the Registry cleaner in CCleaner ought to remove those without having to find and edit those entries manually.

First, I don't recall if I had you run through the steps here:

http://wiki.castlecops.com/User:PCBruiser/Registry_Maintenance

If not, do so now.

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic or Slim versions instead of the Standard Build.

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.


In the Applications Tab:
• Clean all in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click on the Registry button on the left hand side, then click on Scan for Issues, next Fix Selected Issues, and then permit CCleaner to make a backup of whatever it is deleting from your Registry.
8. Then click on Tools in the left hand side, then Uninstall, and you can delete here any entries in your Add/Remove CP where the software is already gone, but the entry remains. You can also use that panel to run uninstallers when they exist.
9. Click "exit" when done.


_________________
Don't read? Can't learn!
Arc

PostPosted: Wed Apr 23, 2008 6:52 pm    Post subject:

Thanks for the USB stuff.

Yes, you did have me do the registry back up etc. Quite cool.

I'll use CCleaner and see if that fixes the problem.

Then with any luck we can ninja whatever is left on my computer. ...and by ninja I mean murder.

Have to wait until tonight. Ciao.

Arc

PCBruiser

PostPosted: Wed Apr 23, 2008 6:59 pm    Post subject:

Hi,

I made one minor error in my prior post, the correct file name is autorun.inf not autoplay.inf - sorry about that. BTW, that is a text file, and you can safely view it in Notepad by opening it via the File menu in Notepad, it should be just a few bytes. Inside the text file it will have the names of software it wants to autoplay, that is usually the infecter that you want to delete as well.


_________________
Don't read? Can't learn!
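
The inspection described in the posts above (open autorun.inf as text, note the programs it names, delete those as well), as an added example that is not part of the original thread. The open, shellexecute and shell\<verb>\command keys are standard autorun.inf entries that the thread does not name; the sample file and its file names are constructed.

```python
import os
import tempfile

# Constructed sample autorun.inf; the file names are made up for this example.
SAMPLE_INF = r'''; constructed sample
[AutoRun]
open=setup_helper.exe /quiet
shell\open\command="tools\viewer.exe" %1
icon=drive.ico
label=My Stick
'''

# Keys whose value is a command line that gets started.
LAUNCH_KEYS = ("open", "shellexecute")


def decode_inf(data):
    """autorun.inf is plain text: honour a UTF-16 BOM, otherwise read as Latin-1."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased.

    Lines that are not 'key=value' (padding, comments, junk) are ignored.
    """
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def command_file(command):
    """The file a command line would start: its first, possibly quoted, token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def launch_targets(text):
    """List (key, file) for every entry that starts a program."""
    targets = []
    for key, value in parse_autorun(text).items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if (key in LAUNCH_KEYS or is_verb) and command_file(value):
            targets.append((key, command_file(value)))
    return targets


def audit_drive(root):
    """Return [(key, file, present_on_drive)] for the autorun.inf in root."""
    inf = next((n for n in os.listdir(root) if n.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    with open(os.path.join(root, inf), "rb") as fh:
        text = decode_inf(fh.read())
    report = []
    for key, name in launch_targets(text):
        # Resolve the Windows-style path relative to the drive root only.
        parts = [p for p in name.replace("/", "\\").split("\\")
                 if p not in ("", ".", "..") and not p.endswith(":")]
        present = bool(parts) and os.path.isfile(os.path.join(root, *parts))
        report.append((key, name, present))
    return report


def demo():
    """Build a throwaway 'drive' holding the sample and audit it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AUTORUN.INF"), "w", newline="\r\n") as fh:
            fh.write(SAMPLE_INF)
        open(os.path.join(root, "setup_helper.exe"), "wb").close()
        return audit_drive(root)


if __name__ == "__main__":
    for key, name, present in demo():
        print(f"{key:22} -> {name:20} {'on drive' if present else 'missing'}")
```

Run audit_drive against the root of the attached stick on a system where auto-play is already turned off; every file it lists as present is a candidate for deletion together with autorun.inf.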
Arc

PostPosted: Wed Apr 23, 2008 7:33 pm    Post subject:

Ah cool. Thanks.

Arc

PostPosted: Thu Apr 24, 2008 2:43 am    Post subject: Root Kit log from GMER

GMER 1.0.14.14316 - http://www.gmer.net
Rootkit scan 2008-04-21 22:57:56
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwAllocateVirtualMemory [0xB7A1CC90] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwAssignProcessToJobObject [0xB7A1D0C0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwClose [0xB71A11C2] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwConnectPort [0xB7A1C580] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateDirectoryObject [0xB71A10AE] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateFile [0xB71A0184] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB78AECB8] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwCreatePort [0xB7A1C440] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateProcess [0xB719FA36] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateSection [0xB71A0B4C] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwCreateThread [0xB7A1B580] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwDeleteFile [0xB7A1EC30] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwDeleteKey [0xB7A1E050] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB78AF12A] <-- ROOTKIT !!!
SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xBFEA4B23] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB78AE8AA] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwEnumerateKey [0xB7A1E5B0] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwEnumerateValueKey [0xB7A1E5C0] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwLoadDriver [0xB7A1CB00] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwLoadKey [0xB7A1FD50] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwOpenFile [0xB71A06AA] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB78AED2E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB78AE7C8] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwOpenSection [0xB7A1AE00] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB78AE83C] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwProtectVirtualMemory [0xB7A1CE00] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwQueryKey [0xB7A1E590] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB78AEE42] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwReplaceKey [0xB7A1E210] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwRequestWaitReplyPort [0xB7A1C7D0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB78AEE02] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwResumeThread [0xB7A1C1C0] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwSaveKey [0xB7A1E580] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwSetContextThread [0xB7A1BCC0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwSetInformationFile [0xB71A0ED8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB78AEF84] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwShutdownSystem [0xB7A1CA40] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwSuspendThread [0xB7A1C060] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwSystemDebugControl [0xB7A1BF40] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwTerminateProcess [0xB7A1B430] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwTerminateThread [0xB7A1BB50] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwWriteFile [0xB71A0E10] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwWriteVirtualMemory [0xB7A1CF60] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINNT\system32\drivers\OAnet.sys Access is denied.
? C:\WINNT\system32\drivers\OAmon.sys Access is denied.
? C:\WINNT\system32\drivers\OADriver.sys Access is denied.
? C:\WINNT\TEMP\mc21.tmp The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

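An added example, not part of the original post, that groups the SSDT lines of a GMER report by the driver that owns each hook. In the log above every SSDT entry carries the ROOTKIT marker, including those GMER itself attributes to avast! drivers, so a first triage step is to see which modules own the hooks and which of them GMER printed without a description. The sample lines are copied from the log above; the function names are this example's own.

```python
import re

# Six lines copied from the GMER report above.
SAMPLE_LOG = r"""
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwAllocateVirtualMemory [0xB7A1CC90] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwClose [0xB71A11C2] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB78AECB8] <-- ROOTKIT !!!
SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xBFEA4B23] <-- ROOTKIT !!!
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys ZwLoadDriver [0xB7A1CB00] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswMon.SYS (avast! File System Filter Driver for Windows NT/2000/ALWIL Software) ZwCreateFile [0xB71A0184] <-- ROOTKIT !!!
"""

SSDT_LINE = re.compile(
    r"^SSDT\s+(?P<module>.+?)\s+"      # owning driver, path as GMER printed it
    r"(?:\((?P<desc>.*)\)\s+)?"        # optional "(description/vendor)"
    r"(?P<func>Zw\w+)\s+"              # hooked system service
    r"\[(?P<addr>0x[0-9A-Fa-f]+)\]"    # address the SSDT slot now points to
)


def group_hooks(log_text):
    """Group SSDT entries by driver file name (lower-cased)."""
    groups = {}
    for line in log_text.splitlines():
        m = SSDT_LINE.match(line.strip())
        if not m:
            continue  # not an SSDT entry (section header, blank line, ...)
        name = m["module"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        addr = int(m["addr"], 16)
        group = groups.setdefault(name, {
            "description": m["desc"], "functions": [], "low": addr, "high": addr,
        })
        group["functions"].append(m["func"])
        group["low"] = min(group["low"], addr)
        group["high"] = max(group["high"], addr)
    return groups


def undescribed(groups):
    """Drivers GMER printed without a description; these need to be
    attributed by other means before anything is concluded about them."""
    return sorted(n for n, g in groups.items() if not g["description"])


def summary(groups):
    """One line per driver, most hooks first."""
    rows = sorted(groups.items(), key=lambda kv: (-len(kv[1]["functions"]), kv[0]))
    return [
        f"{name}: {len(g['functions'])} hooks, "
        f"0x{g['low']:08X}-0x{g['high']:08X}, "
        f"{g['description'] or 'no description in log'}"
        for name, g in rows
    ]


if __name__ == "__main__":
    hooks = group_hooks(SAMPLE_LOG)
    print("\n".join(summary(hooks)))
    print("no description:", ", ".join(undescribed(hooks)))
```
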
Arc

PostPosted: Thu Apr 24, 2008 2:44 am    Post subject: Autoscan for GMER

GMER 1.0.14.14316 - http://www.gmer.net
Autostart scan 2008-04-21 23:03:42
Windows 5.0.2195 Service Pack 4


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINNT\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
AtiExtEvent@DLLName = Ati2evxx.dll
PCANotify@DLLName = PCANotify.dll
wzcnotif@DLLName = wzcdlg.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv@ = "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
ATI Smart@ = C:\WINNT\system32\ati2sgag.exe
avast! Antivirus@ = "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
Avg7Alrt@ = C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
Avg7UpdSvc@ = C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
AVGEMS@ = C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
BBDemon@ = C:\Program Files\Dassault Systemes\B15\intel_a\code\bin\CATSysDemon.exe -service /*file not found*/
C-DillaSrv@ = C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
F-Prot Antivirus Update Monitor@ = "C:\Program Files\FSI\F-Prot\fpavupdm.exe" /*file not found*/
PPPoEService@ = C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
RemoteRegistry@ = %SystemRoot%\system32\regsvc.exe
StiSvc@ = %systemroot%\system32\stisvc.exe
SvcOnlineArmor@ = "C:\Program Files\Tall Emu\Online Armor\oasrv.exe"
WinMgmt@ = %SystemRoot%\System32\WBEM\WinMgmt.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CmaudioRunDll32 cmicnfg.cpl,CMICtrlWnd = RunDll32 cmicnfg.cpl,CMICtrlWnd
@NeroCheckC:\WINNT\System32\NeroCheck.exe = C:\WINNT\System32\NeroCheck.exe
@IPInSightLAN 01"C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l = "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
@IPInSightMonitor 01"C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe" = "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
@Synchronization Managermobsync.exe /logon = mobsync.exe /logon
@ATIPTAC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@OnlineArmor GUI"C:\Program Files\Tall Emu\Online Armor\oaui.exe" = "C:\Program Files\Tall Emu\Online Armor\oaui.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@msnmsgr"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
@Yahoo! PagerC:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

HKLM\Software\Classes\.hta@ =

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{4F07DA45-8170-4859-9B5F-037EF2970034} = C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{41E300E0-78B6-11ce-849B-444553540000} /*PlusPack CPL Extension*/plustab.dll = plustab.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/(null) =
@{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} /*Thumbnails*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{EAB841A0-9550-11CF-8C16-00805F1408F3} /*HTML Thumbnail Extractor*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Office Graphics Filters Thumbnail Extractor*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{9DBD2C50-62AD-11D0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface delegator*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/dsfolder.dll = dsfolder.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/dsfolder.dll = dsfolder.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{5464D816-CF16-4784-B9F3-75C0DB52B499} /*Yahoo! Mail*/C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll
@{1E2CDF40-419B-11D2-A5A1-002018648BA7} /*AVG Shell Extension*/(null) =
@{6DEA92E9-8682-4b6a-97DE-354772FE5727} /*Autodesk DWF Preview*/C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll = C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll
@{AC1DB655-4F9A-4c39-8AD2-A65324A4C446} /*Autodesk Drawing Preview*/C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll = C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll
@{36A21736-36C2-4C11-8ACB-D4136F2B57BD} /*AutoCAD Digital Signatures Icon Overlay Handler*/C:\WINNT\system32\AcSignIcon.dll = C:\WINNT\system32\AcSignIcon.dll
@{73B24247-042E-4EF5-ADC2-42F62E6FD654} /*ICQ Lite Shell Extension*/C:\Program Files\ICQLite\ICQLiteShell.dll = C:\Program Files\ICQLite\ICQLiteShell.dll
@{1474F601-9B4B-4EB0-81FA-20F753C0E1A4} /*FRISK extension*/C:\Program Files\FSI\F-Prot\shexthk.dll /*file not found*/ = C:\Program Files\FSI\F-Prot\shexthk.dll /*file not found*/
@{E443A8D5-D905-4401-8789-16AE23A8A96D} /*FRISK extension*/C:\Program Files\FSI\F-Prot\shexthk.dll /*file not found*/ = C:\Program Files\FSI\F-Prot\shexthk.dll /*file not found*/
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Program Files\Alwil Software\Avast4\ashShell.dll = C:\Program Files\Alwil Software\Avast4\ashShell.dll
@{4F07DA46-8170-4859-9B5F-037EF2970034} /*Online Armor Shell Extension*/C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll = C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
ICQLiteMenu@{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
OnlineArmorShell@{4F07DA46-8170-4859-9B5F-037EF2970034} = C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
Yahoo! Mail@{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
FRISK@{1474F601-9B4B-4EB0-81FA-20F753C0E1A4} = C:\Program Files\FSI\F-Prot\shexthk.dll /*file not found*/
ICQLiteMenu@{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
InventorMenu@{6FDE7A70-351B-11d6-988B-0010B57A8BB7} = C:\Program Files\Autodesk\Inventor 9\Bin\DT.dll
OnlineArmorShell@{4F07DA46-8170-4859-9B5F-037EF2970034} = C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}C:\Program Files\Yahoo!\Common\yiesrvc.dll = C:\Program Files\Yahoo!\Common\yiesrvc.dll
@{65D886A2-7CA7-479B-BB95-14D1EFB7946A}C:\Program Files\Yahoo!\Common\YIeTagBm.dll = C:\Program Files\Yahoo!\Common\YIeTagBm.dll
@{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Page =
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.yahoo.com/ = http://www.yahoo.com/
@Local PageC:\WINNT\system32\blank.htm = C:\WINNT\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
its@CLSID = C:\WINNT\System32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINNT\System32\itss.dll
vnd.ms.radio@CLSID = C:\WINNT\System32\msdxm.ocx

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@LibraryPath = %SystemRoot%\System32\rnr20.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000002@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000009@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000010@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000011@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000012@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000013@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000014@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000015@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000016@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000017@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000018@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000019@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000020@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000021@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

C:\Documents and Settings\X\Start Menu\Programs\Startup = ERUNT AutoBackup.lnk

---- EOF - GMER 1.0.14 ----

@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@OnlineArmor GUI"C:\Program Files\Tall Emu\Online Armor\oaui.exe" = "C:\Program Files\Tall Emu\Online Armor\oaui.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@msnmsgr"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
@Yahoo! PagerC:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

HKLM\Software\Classes\.hta@ =

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{4F07DA45-8170-4859-9B5F-037EF2970034} = C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{41E300E0-78B6-11ce-849B-444553540000} /*PlusPack CPL Extension*/plustab.dll = plustab.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/(null) =
@{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} /*Thumbnails*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{EAB841A0-9550-11CF-8C16-00805F1408F3} /*HTML Thumbnail Extractor*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Office Graphics Filters Thumbnail Extractor*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{9DBD2C50-62AD-11D0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface delegator*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/dsfolder.dll = dsfolder.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/dsfolder.dll = dsfolder.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{5464D816-CF16-4784-B9F3-75C0DB52B499} /*Yahoo! Mail*/C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll
@{1E2CDF40-419B-11D2-A5A1-002018648BA7} /*AVG Shell Extension*/(null) =
@{6DEA92E9-8682-4b6a-97DE-354772FE5727} /*Autodesk DWF Preview*/C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll = C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll
@{AC1DB655-4F9A-4c39-8AD2-A65324A4C446} /*Autodesk Drawing Preview*/C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll = C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll
@{36A21736-36C2-4C11-8ACB-D4136F2B57BD} /*AutoCAD Digital Signatures Icon Overlay Handler*/C:\WINNT\system32\AcSignIcon.dll = C:\WINNT\system32\AcSignIcon.dll
@{73B24247-042E-4EF5-ADC2-42F62E6FD654} /*ICQ Lite Shell Extension*/C:\Program Files\ICQLite\ICQLiteShell.dll = C:\Program Files\ICQLite\ICQLiteShell.dll
@{1474F601-9B4B-4EB0-81FA-20F753C0E1A4} /*FRISK extension*/C:\Program Files\FSI\F-Prot\shexthk.dll /*file not found*/ = C:\Program Files\FSI\F-Prot\shexthk.dll /*file not found*/
@{E443A8D5-D905-4401-8789-16AE23A8A96D} /*FRISK extension*/C:\Program Files\FSI\F-Prot\shexthk.dll /*file not found*/ = C:\Program Files\FSI\F-Prot\shexthk.dll /*file not found*/
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Program Files\Alwil Software\Avast4\ashShell.dll = C:\Program Files\Alwil Software\Avast4\ashShell.dll
@{4F07DA46-8170-4859-9B5F-037EF2970034} /*Online Armor Shell Extension*/C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll = C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
ICQLiteMenu@{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
OnlineArmorShell@{4F07DA46-8170-4859-9B5F-037EF2970034} = C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
Yahoo! Mail@{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
FRISK@{1474F601-9B4B-4EB0-81FA-20F753C0E1A4} = C:\Program Files\FSI\F-Prot\shexthk.dll /*file not found*/
ICQLiteMenu@{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
InventorMenu@{6FDE7A70-351B-11d6-988B-0010B57A8BB7} = C:\Program Files\Autodesk\Inventor 9\Bin\DT.dll
OnlineArmorShell@{4F07DA46-8170-4859-9B5F-037EF2970034} = C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}C:\Program Files\Yahoo!\Common\yiesrvc.dll = C:\Program Files\Yahoo!\Common\yiesrvc.dll
@{65D886A2-7CA7-479B-BB95-14D1EFB7946A}C:\Program Files\Yahoo!\Common\YIeTagBm.dll = C:\Program Files\Yahoo!\Common\YIeTagBm.dll
@{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Page =
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.yahoo.com/ = http://www.yahoo.com/
@Local PageC:\WINNT\system32\blank.htm = C:\WINNT\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
its@CLSID = C:\WINNT\System32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINNT\System32\itss.dll
vnd.ms.radio@CLSID = C:\WINNT\System32\msdxm.ocx

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Cata