=====] Looking for suspicious file types in WINDOWS folder:

~ I would strongly recommend deleting the following files to be on the safe side IF you didn't install them yourself:

W32i - - - - 417,792 06-01-2004 c:\windows\photoshow.scr
^ A suspicious screensaver, do you know it?

W16 - - - - 64,608 05-04-2005 c:\windows\secrets.scr
^ Possibly a part of W32/Ronoper-G http://www.sophos.com/security/analy...2ronoperg.html and
http://www.symantec.com/security_res...631-99&tabid=2

W32i - - - - 122,880 12-08-2000 c:\windows\ungins.exe
^ Possibly a part of one of the following 2:
The Spyware Ace Club Casino program; it is recommended to remove it if you still have it installed. Please see this link for further info: http://www.spywaredb.com/remove-ace-club-casino/
or
Visual Zip Password Recovery Processor: http://www.scanspyware.net/info/Visu...yProcessor.htm

~ Delete the following as well:
21/09/2005 13:50 19,528 002607_.tmp

=====] Looking for suspicious file types in SYSTEM32 folder:
W32i - - - - 58,904 08-22-2006 c:\windows\system32\azipcontmn.dll
^ A suspicious, unknown file. Possibly malware related but research further.

W32i - - - - 43,520 04-30-2005 c:\windows\system32\cmdlineext03.dll
^ Extremely suspicious file, said to cause problems with right-click not working and certain executables not being able to run.
Start > Run > regsvr32 /u cmdlineext03.dll and then rename it (change its extension, whatever).

W32i - - - - 40,960 10-17-2003 c:\windows\system32\gbtgmt.dll
^ Likely to be malware related, possibly a part of Virtumonde infection.

W32i - - - - 212,992 04-23-2005 c:\windows\system32\hook.dll
^ hook.dll is a module which belongs to the Backdoor.Spymon Trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.
See this link for more info: http://www.symantec.com/security_res...016-99&tabid=2

W32i - - - - 692,276 11-01-2006 c:\windows\system32\jkklj.dll
^ This is a component of Virtumonde. Virtumonde is a spyware application that regenerates itself each time you try to terminate the process and remove its files. It delivers ads to your computer screen continuously, interfering with your surfing habits and slowing down your usual computer activities.

W32i - - - - 72,192 11-03-2006 c:\windows\system32\njsywkb.dll
^ Likely to be malware related, possibly a part of Virtumonde infection.

W32i - - - - 58,904 08-22-2006 c:\windows\system32\sysfolderazipcnt.dll
^ Likely to be malware related, possibly a part of Virtumonde infection.

W32i - - - - 28,672 11-26-2002 c:\windows\system32\ungwum.dll
^ A suspicious, unknown file. Possibly malware related but research further.

W32i - - - - 28,672 12-27-2002 c:\windows\system32\uninstgmt.dll
^ A suspicious, unknown file. Possibly malware related but research further.

W32i - - - - 94,208 11-03-2006 c:\windows\system32\xobghic.dll
^ A suspicious, unknown file. Possibly malware related but research further.

W16 - - - - 11,776 03-25-2003 c:\windows\system32\zport4as.dll
^ A suspicious, unknown file. Possibly malware related but research further.
*** The following should be deleted, preferably to the Recycle Bin to be on the safe side, but it is unlikely that these temp and/or unknown files are needed:

03/11/2006 17:04 143 mcrh.tmp
27/02/2006 11:21 0 REN40.tmp
27/02/2006 11:21 0 REN41.tmp
24/03/2006 13:36 82,532 mlfcache.dat
02/11/2006 00:39 58 url.dat
30/01/2006 21:41 584,704 LTRVW14n.ocx
24/10/2006 16:44 606,293 wbocx.ocx
W32i - - - - 81,920 10-25-2006 c:\documents and settings\keith\application data\ezpinst.exe
W32i - - 8.0.0.1 shp 94,080 10-25-2006 c:\documents and settings\keith\application data\ezplay.sys
W32i - - - - 171,869 05-04-2006 c:\documents and settings\keith\application data\{36c74587-9c8d-4d87-afb8-8db4a4ca9906}\mia.dll
W32i - - - - 1,978,368 07-29-2004 c:\documents and settings\keith\application data\{36c74587-9c8d-4d87-afb8-8db4a4ca9906}\offline\ifrgmmgcveedol4estftgediffff ff0\pdfdll32.dll

*** I'd also suggest removing all downloaded programs (IE plug-ins, etc) if they are not identified to be safe, known products, because if they are needed, they can always be re-downloaded and re-installed. Even the legit yet no longer needed ones should be removed to keep IE and the system lean and mean:

W32i DLL ENU 58.6.0.0 shp 141,424 08-24-2006 c:\windows\downloaded program files\asinst.dll
DOS - - - - 32 12-07-2004 c:\windows\downloaded program files\bdcore.dll
W32i - - - - 118,784 03-01-2005 c:\windows\downloaded program files\bdupd.dll
W32i DLL ENU 6.0.31.0 shp 356,352 03-12-2004 c:\windows\downloaded program files\inotes6.dll
W32i - - - - 53,248 03-01-2005 c:\windows\downloaded program files\ipsupd.dll
DOS - - - - 32 12-07-2004 c:\windows\downloaded program files\libfn.dll
W32i APP ENU 7.1.9502.1 shp 160,864 05-29-2003 c:\windows\downloaded program files\messengerstatsclient.dll
W32i APP ENU 7.1.9502.1 shp 77,408 05-29-2003 c:\windows\downloaded program files\msgrchkr.dll
W32i DLL ENU 1.0.0.3 shp 113,664 08-13-2005 c:\windows\downloaded program files\msnmessengersetupdownloader.ocx
W32i DLL ENU 1.2.0.7 shp 38,400 09-05-2002 c:\windows\downloaded program files\ntlsignup.dll
W32i DLL - 1.0.0.1 shp 475,136 03-09-2005 c:\windows\downloaded program files\oscan8.ocx
W32i APP ENU 7.1.9502.1 shp 86,112 05-29-2003 c:\windows\downloaded program files\solitaireshowdown.dll
W32i APP ENU 9.4.6479.1 shp 389,160 06-06-2006 c:\windows\downloaded program files\stagingui.ocx
W32i APP ENU 9.4.1227.1 shp 238,120 12-07-2005 c:\windows\downloaded program files\stproxy.dll
W32i APP ENU 1.13.969.0 shp 3,141,472 02-07-2006 c:\windows\downloaded program files\webcleaner.dll
W32i DLL ENU 2004.1.26.1 shp 133,120 01-26-2004 c:\windows\downloaded program files\yinsthelper.dll
W32i APP ENU 9.3.2846.1 shp 194,600 11-17-2004 c:\windows\downloaded program files\zbuddy.ocx
W32i APP ENU 9.3.4246.1 shp 117,800 01-31-2005 c:\windows\downloaded program files\zintro.ocx
W32i APP ENU 9.3.2846.1 shp 456,744 11-17-2004 c:\windows\downloaded program files\zpachat.ocx
W32i APP ENU 9.4.8295.1 shp 378,920 07-25-2006 c:\windows\downloaded program files\zpa_kqrp.ocx

=====] List of files located at the root of the C Drive:

31/10/2005 15:56 700,416 StubInstaller.exe
>> Baddie, delete it!!

Delete the following 'log' files as well:
17/06/2004 13:14 25 csb.log
30/10/2006 00:00 132 ICSYSINF.log
26/06/2004 10:40 16,846 PkgClnup.log

I would like you to attach (zipped or unzipped) the following file to your next post (but do NOT run it, ok?):
26/01/2005 23:59 188 Delme.bat
=====] Directory Analysis - PROGRAM FILES:

01/11/2006 20:27 <DIR> InetGet2
^ Said to be malware related, unknown to me!

21/01/2006 04:36 <DIR> LimeWire
^ Possible cause of the infections in the first place; they should start calling this P2P program the 'MalWire'!

18/01/2006 18:18 <DIR> NoAdware4
^ YES, Adware. Should be removed!

21/05/2006 18:26 <DIR> RealVNC
^ This Free Virtual Networking software has too many security flaws, but of course the program itself is legit.

03/11/2006 01:54 <DIR> Roguescanfix
^ Was this for the VirusBurst infection (if I am not mistaken)? Was that problem resolved? When did you download and run this tool and was someone helping you with it?

05/11/2006 12:44 <DIR> Ultimate Defender
^ Ultimate Fake Spyware Remover, get rid of it at once! Check the following link for further info:
http://www.spywareremove.com/removeU...eDefender.html

01/11/2006 20:38 <DIR> VSAdd-in
^ Another Baddie, see the following link for further info: http://www.herongyang.com/win/adware_vsadd-in.html

29/10/2006 23:52 <DIR> WH GBP Casino
^ Another possible cause of infections...try saying NO to Online Casino Games.

** When you use Explorer to browse the Program Files folder, is that how the following 2 folders appear? I think they are legit MS programs that were somehow truncated/mislabeled since you are in Safe Mode perhaps:

01/11/2006 20:24 <DIR> ?icrosoft
01/11/2006 20:27 <DIR> ??crosoft
^ Can you browse to see what is in these folders? Very odd...my guess is to delete them as unknown to me!
=====] Directory Analysis - COMMON FILES (subfolder of Program Files folder):

The following entries are odd and suspicious too, please take a close look by browsing inside to judge for yourself:
01/11/2006 20:24 <DIR> {6851E07B-07D9-2057-1222-03050103002c}
03/11/2006 16:54 <DIR> {6851E07B-07DA-2057-1222-03050103002c}

Similar to the ??crosoft entries above, this is probably Symantec but somehow mislabeled, please confirm:
01/11/2006 20:25 <DIR> ??mantec
=====] Directory Analysis - WINDOWS folder:

25/02/2006 00:36 <DIR> BDOSCAN8
^ I believe this belongs to the BitDefender AV scanner; if you no longer have the program, you could delete this folder as well.

26/06/2004 14:24 <DIR> Cache
^ Should be safe but browse to see what is in it!

17/06/2004 15:20 <DIR> Downloaded Installations
^ Delete everything in this folder if you are not sure what it is or if you no longer need it.

01/05/2005 09:05 <DIR> LogFiles
^ Browse to see what is in it!

25/09/2005 14:52 <DIR> LQfix
^ When did you download and run this tool and was someone helping you with it?

20/02/2005 14:54 <DIR> Minidump
^ Browse to see what is in it!
*** All listed processes were legit; however, you ran AnalyzerXP in Safe Mode, so it is natural for the process list to be the bare minimum plus the commands the script uses.

I analyzed the list as best I could and also included my suggestions/opinions, but please check with jholland to see what her final suggestions are for you, ok? I will let her decide if a custom removal tool is still needed for me to create.
Good Luck,
~TL
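An added example, not part of the post above and not code from AnalyzerXP: a small Python parser for the two listing formats quoted in the post (AnalyzerXP file lines and DIR-style folder/file lines) that flags the kinds of entries the reply singles out, such as screensavers sitting directly in the Windows folder, leftover .tmp files, GUID-named folders and names that DIR prints with '?'. The sample lines and the rule wording are constructed for the example.

```python
import re

# Constructed sample lines in the two formats quoted in the post.
SAMPLE = """\
W32i - - - - 417,792 06-01-2004 c:\\windows\\photoshow.scr
W32i - - - - 43,520 04-30-2005 c:\\windows\\system32\\cmdlineext03.dll
W32i DLL ENU 58.6.0.0 shp 141,424 08-24-2006 c:\\windows\\downloaded program files\\asinst.dll
21/09/2005 13:50 19,528 002607_.tmp
01/11/2006 20:24 <DIR> ?icrosoft
01/11/2006 20:24 <DIR> {6851E07B-07D9-2057-1222-03050103002c}
21/01/2006 04:36 <DIR> LimeWire
"""

# AnalyzerXP line: kind, type, lang, version, flag, size, MM-DD-YYYY, full path
ANALYZER_RE = re.compile(r"^(?P<kind>\S+)\s+(?:\S+\s+){4}(?P<size>[\d,]+)\s+(?P<date>\d\d-\d\d-\d{4})\s+(?P<path>.+)$")
# DIR line: DD/MM/YYYY, HH:MM, <DIR> or size, name
DIR_RE = re.compile(r"^(?P<date>\d\d/\d\d/\d{4})\s+\d\d:\d\d\s+(?P<size><DIR>|[\d,]+)\s+(?P<name>.+)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

def classify(line):
    """Return (name, reasons) for one listing line, or None if it matches neither format."""
    m = ANALYZER_RE.match(line)
    if m:
        folder, _, name = m.group("path").lower().rpartition("\\")
        is_dir = False
    else:
        m = DIR_RE.match(line)
        if not m:
            return None
        folder, name, is_dir = "", m.group("name"), m.group("size") == "<DIR>"
    reasons = []
    # DIR prints '?' for characters it cannot show in the console code page: mangled or look-alike name
    if "?" in name:
        reasons.append("unprintable character in name (mangled or look-alike)")
    if is_dir and GUID_RE.match(name):
        reasons.append("GUID-named folder")
    if not is_dir and folder == "c:\\windows" and name.endswith((".scr", ".exe")):
        reasons.append("executable/screensaver directly in Windows folder")
    if name.lower().endswith(".tmp"):
        reasons.append("leftover temp file")
    return name, reasons

def suspicious(text):
    """Map each flagged entry name to the list of reasons it was flagged."""
    out = {}
    for line in text.splitlines():
        parsed = classify(line)
        if parsed and parsed[1]:
            out[parsed[0]] = parsed[1]
    return out
```

Entries that parse but trigger no rule (cmdlineext03.dll, LimeWire in the sample) are left for manual review, as the post does.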


