
Thread: Need help getting Malware/Virus off

  1. #11 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)
    Forget the combofix; there has been a problem with it the past several days.
    Instead, download and run Deckard's System Scanner.
    Close all applications and windows.
    Double-click on dss.exe to run it, and follow the prompts.
    When the scan is complete, two text files will be produced: Main.txt (this one will be maximized in Notepad) and Extra.txt (this one will be minimized).
    Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in the thread you started in the PC Questions & Answers Forum.
    Please attach extra.txt to your post as well.

  2. #12 (Join Date: Nov 2007; Posts: 11)
    OK. I tried several times to run the DSS program in normal mode. Every time I did it, I got the BSOD with the following error: IRQL_NOT_LESS_OR_EQUAL. I then tried to run it in Safe Mode. I was able to get the program to run and the main and extra text files to come out. The one thing that sticks out is this: c:\windows\Temp\startdrv.exe. And now when I run the DSS in normal mode the program completes with only the main text file coming out. I am copying the run in safe mode, because I think it has the most correct problems. I am attaching the main run done in normal mode and the extra run done in Safe Mode:

    Deckard's System Scanner v20071014.68
    Run by Administrator on 2007-11-22 02:34:51
    Computer is in Safe Mode with Networking.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------



    -- Last 4 Restore Point(s) --
    4: 2007-11-22 00:07:32 UTC - RP4 - Deckard's System Scanner Restore Point
    3: 2007-11-21 14:38:30 UTC - RP3 - Removed McAfee VirusScan Enterprise
    2: 2007-11-21 13:11:38 UTC - RP2 - Software Distribution Service 3.0
    1: 2007-11-21 01:05:15 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 256 MiB (512 MiB recommended).


    -- HijackThis (run as Administrator.exe) ---------------------------------------

    Unable to find log (file not found); running clone.
    -- HijackThis Clone ------------------------------------------------------------


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2007-11-22 02:36:20
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2900.2180)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\SYSTEM32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\services.exe
    C:\WINDOWS\SYSTEM32\lsass.exe
    C:\WINDOWS\SYSTEM32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\SYSTEM32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Documents and Settings\Brian\Desktop\Temp\dss.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Palm MulitUser Config] C:\Program Files\Palm\Configtool.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - CmdMapping - (file missing)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133294235765
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} () - http://download.abacast.com/download...basetup161.cab
    O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
    O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
    O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\SYSTEM32\ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\SYSTEM32\wwSecure.exe


    --
    End of file - 7560 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 SSI - c:\windows\system32\drivers\ssi.sys <Not Verified; Webroot Software (www.webroot.com); SpySweeper>
    R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
    R3 Eacfilt (Eacfilt Miniport) - c:\windows\system32\drivers\eacfilt.sys <Not Verified; Nortel Networks; Filter Driver for CVC>
    R3 IPSECSHM (Nortel IPSECSHM Adapter) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks NA, Inc.; Contivity VPN Client>

    S2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
    S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
    S3 fed63 - c:\windows\system32\fed63.sys
    S3 IPSECEXT (Nortel Extranet Access Protocol) - c:\windows\system32\drivers\ipsecw2k.sys <Not Verified; Nortel Networks NA, Inc.; Contivity VPN Client>
    S3 pelmouse (Mouse Suite Driver) - c:\windows\system32\drivers\pelmouse.sys <Not Verified; Primax Electronics Ltd.; Primax Mouse>
    S3 pelusblf (USB Mouse Low Filter Driver) - c:\windows\system32\drivers\pelusblf.sys <Not Verified; Primax Electronics Ltd.; Primax USB Mouse>
    S3 usbbus (LGE CDMA Composite USB Device) - c:\windows\system32\drivers\lgusbbus.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Multi function Driver>
    S3 UsbDiag (LGE CDMA USB Serial Port) - c:\windows\system32\drivers\lgusbdiag.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Diagnostics Driver>
    S3 USBModem (LGE CDMA USB Modem) - c:\windows\system32\drivers\lgusbmodem.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Modem Driver>
    S3 wlanndi5 (wlanndi5 NDIS Protocol Driver) - c:\windows\system32\wlanndi5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    S2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe
    S2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2007-11-22 02:02:06 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
    2007-11-20 08:55:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    2007-07-08 19:24:29 338 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job
    2004-09-10 23:32:39 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


    -- Files created between 2007-10-22 and 2007-11-22 -----------------------------

    2007-11-26 05:52:50 61449 --a------ C:\WINDOWS\system32\msdtexch.dll
    2007-11-22 02:21:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
    2007-11-22 01:58:52 0 d-------- C:\WINDOWS\CSC
    2007-11-21 10:04:04 1495552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll <Not Verified; PGP Corporation; PGPsdk>
    2007-11-21 10:04:04 0 d-------- C:\Program Files\Common Files\Cisco Systems
    2007-11-21 10:04:04 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
    2007-11-21 10:02:59 0 d-------- C:\Program Files\McAfee
    2007-11-21 10:02:59 0 d-------- C:\Program Files\Common Files\McAfee
    2007-11-21 09:05:25 0 dr-h----- C:\Documents and Settings\Christopher\Recent
    2007-11-20 11:16:03 0 d-------- C:\Program Files\Common Files\Java
    2007-11-18 01:15:18 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
    2007-11-17 23:25:12 0 d-------- C:\WINDOWS\BDOSCAN8
    2007-11-17 21:10:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-17 21:10:27 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-17 19:48:09 0 d-------- C:\Program Files\Windows Defender
    2007-11-17 19:37:41 0 d-------- C:\Documents and Settings\Brian\Application Data\Grisoft
    2007-11-17 19:37:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-17 19:24:29 0 d-------- C:\Program Files\HijckT
    2007-11-15 23:38:31 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2007-11-15 11:25:17 531968 --a------ C:\WINDOWS\mmbin.exe
    2007-11-15 11:24:45 531968 --a------ C:\WINDOWS\mmbin3.exe
    2007-11-14 18:03:50 185824 --a------ C:\WINDOWS\system32\fed63.sys
    2007-11-14 09:54:43 0 dr-h----- C:\Documents and Settings\LocalService\Recent
    2007-11-12 16:47:08 0 d-------- C:\Program Files\Living Books
    2007-11-12 16:46:36 0 d-------- C:\Documents and Settings\Christopher\WINDOWS
    2007-10-29 16:07:02 0 d--hs---- C:\WINDOWS\system32\wsnpoem
    2007-10-25 10:26:48 53248 --a------ C:\WINDOWS\bdoscandel.exe
    2007-10-25 07:28:32 16384 --a------ C:\WINDOWS\xlavba6.exe
    2007-10-24 20:17:41 0 d-------- C:\Program Files\PokerStars.NET


    -- Find3M Report ---------------------------------------------------------------

    2007-11-21 10:04:04 0 d-------- C:\Program Files\Common Files
    2007-11-21 09:39:51 0 d-------- C:\Program Files\Network Associates
    2007-11-20 22:50:36 2828 --a------ C:\WINDOWS\mozver.dat
    2007-11-20 11:17:00 0 d-------- C:\Program Files\Java
    2007-11-16 18:22:37 0 d-------- C:\Program Files\Picasa2
    2007-08-27 0145 203776 --a------ C:\WINDOWS\system32\clrviddc.dll <Not Verified; Iterated Systems, Inc.; ClearVideo Decoder DLL>


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIModeChange"="Ati2mdxx.exe" [09/04/2001 04:24 PM C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
    "BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 05:59 AM C:\WINDOWS\BCMSMMSG.exe]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [02/02/2004 03:32 PM]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [12/22/2003 04:15 PM]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [03/15/2004 01:04 AM]
    "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [04/11/2004 08:15 PM]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [04/11/2004 11:43 AM]
    "Mouse Suite 98 Daemon"="ICO.EXE" [03/14/2002 05:46 PM C:\WINDOWS\SYSTEM32\ico.exe]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
    "Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [06/18/2006 04:54 PM]
    "Palm MulitUser Config"="C:\Program Files\Palm\Configtool.exe" [07/26/2002 12:00 PM]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/27/2007 01:17 AM]
    "startdrv"="C:\WINDOWS\Temp\startdrv.exe" [11/22/2007 01:58 AM]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
    "ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [02/22/2007 08:50 PM]
    "McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [12/19/2006 11:27 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 10:09 AM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    DESKTOP.INI [3/20/2004 12:58:38 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [3/20/2004 12:58:38 PM]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless Utility.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless Utility.lnk
    backup=C:\WINDOWS\pss\Belkin Wireless Utility.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Brian^Start Menu^Programs^Startup^Gangsters2Setup.lnk]
    path=C:\Documents and Settings\Brian\Start Menu\Programs\Startup\Gangsters2Setup.lnk
    backup=C:\WINDOWS\pss\Gangsters2Setup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Brian^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=C:\Documents and Settings\Brian\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Air2Data]
    C:\Program Files\Air2Data\a2dservice.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
    C:\Program Files\Dell\QuickSet\quickset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
    "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
    "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
    C:\WINDOWS\mmall2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
    "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
    C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
    C:\Program Files\Webroot\Washer\wwDisp.exe




    -- End of Deckard's System Scanner: finished at 2007-11-22 02:37:02 ------------

    Thanks for looking at this!

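As an added example (not part of the thread and not DSS code), here is a Python script that applies the same eyeballing heuristics a forum helper uses on a log like the one above to a constructed excerpt of it; the section names, line formats and "review, not verdict" rule are my assumptions about the DSS output format.

```python
r"""Triage a Deckard's System Scanner (DSS) main.txt for suspicious persistence.

Added example; not DSS code and not from the original posts. It flags Run
entries launched from a Temp directory, drivers listed with no publisher tag,
executables dropped straight into C:\WINDOWS, and hidden+system directories
created in the scan window. Hits are items to review, not verdicts: the
bdoscandel.exe below is BitDefender's online-scanner uninstaller and is
flagged only because of where it lives.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the log pasted in the thread (a few lines per section).
SAMPLE_LOG = r"""
-- HijackThis Clone ------------------------------------------------------------
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 SSI - c:\windows\system32\drivers\ssi.sys <Not Verified; Webroot Software (www.webroot.com); SpySweeper>
S3 fed63 - c:\windows\system32\fed63.sys
S3 pelmouse (Mouse Suite Driver) - c:\windows\system32\drivers\pelmouse.sys <Not Verified; Primax Electronics Ltd.; Primax Mouse>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
S2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe

-- Files created between 2007-10-22 and 2007-11-22 -----------------------------
2007-11-22 02:21:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2007-11-15 11:25:17 531968 --a------ C:\WINDOWS\mmbin.exe
2007-11-14 18:03:50 185824 --a------ C:\WINDOWS\system32\fed63.sys
2007-10-29 16:07:02 0 d--hs---- C:\WINDOWS\system32\wsnpoem
2007-10-25 10:26:48 53248 --a------ C:\WINDOWS\bdoscandel.exe
"""

SECTION_RE = re.compile(r'^-- (.+?) -{3,}$')
O4_RE = re.compile(r'^O4 - (\S+?)\\\.\.\\Run: \[([^\]]+)\] (.+)$')
DRIVER_RE = re.compile(r'^([RS][0-4]) (\S+)(?: \((.+)\))? - (.+?)(?: <(.+)>)?$')
FILE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{9}) (.+?)(?: <(.+)>)?$')
TEMP_DIR_RE = re.compile(r'(^|\\)temp\\|%temp%', re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # 'autorun', 'driver' or 'file'
    item: str    # path the finding is about
    reason: str


def image_path(command: str) -> str:
    """Strip quoting and arguments from an O4 command line, leaving the image path."""
    command = command.strip()
    if command.startswith('"'):
        return command.split('"', 2)[1]
    m = re.match(r'(.+?\.(?:exe|dll|sys|bat|cmd))(?:\s|$)', command, re.I)
    return m.group(1) if m else command.split()[0]


def triage(log_text: str) -> list:
    """Return Finding objects for the heuristics above, in log order."""
    section, findings, created, untagged = '', [], set(), []
    for line in log_text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1).lower()
        elif m := O4_RE.match(line):
            path = image_path(m.group(3))
            if TEMP_DIR_RE.search(path):
                findings.append(Finding('autorun', path,
                    f'[{m.group(2)}] under {m.group(1)} launches from a Temp directory'))
        elif section.startswith('drivers') and (m := DRIVER_RE.match(line)):
            if m.group(5) is None:          # no <publisher; product> tag on the line
                untagged.append((m.group(2), m.group(4)))
        elif section.startswith('files created') and (m := FILE_RE.match(line)):
            attrs, path = m.group(3), m.group(4)
            created.add(path.lower())
            parent, _, name = path.rpartition('\\')
            if attrs[0] == 'd' and 'h' in attrs and 's' in attrs:
                findings.append(Finding('file', path, 'hidden+system directory created in window'))
            elif attrs[0] != 'd' and parent.lower() == r'c:\windows' \
                    and name.lower().endswith(('.exe', '.dll', '.sys')):
                findings.append(Finding('file', path, 'new executable directly in C:\\WINDOWS'))
    for name, path in untagged:   # cross-check untagged drivers against files created
        reason = f'driver {name} has no publisher tag'
        if path.lower() in created:
            reason += ' and its image was created in the scan window'
        findings.append(Finding('driver', path, reason))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.kind:8} {f.item}  <- {f.reason}')
```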
  3. #13 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)
    The one thing that sticks out is this c:\windows\Temp\startdrv.exe
    It does to me too. From what I can find this is TROJ_AGENT.QET (and this was the most complete info I found, which was on the Trend Micro Anti-Virus site), so I would go with all this info and removal instructions.

    It is only showing in that one scan in safe mode at 2:36, which sort of has me puzzled...unless it was removed.

    This Trojan spams email messages. Have any folks that you email tell you they have received email from you containing what I would call..."soft porn"..."make yourself feel like the king of the world" among other statements and contains an image which seems to be advertising for a product called eLite Herbal?

    Was this scan you pasted the first or the last scan that you ran? If it was the first then I would think that, since this doesn't show in the other, that it has been removed. Though this thing also changes the registry and you will need to make changes to get it out of there.
    Rather than post all of those instructions I am posting a link below with very simple to read instructions on how to do this. If you feel comfortable doing this then this is what I would advise.
    Once you have completed that then reboot in normal mode, because the edit must be done in safe mode, and run a new HJT scan and we will see if it remains.

    These steps require the disabling of System Restore and there are instructions on the link on when and how to do it and be sure to follow those instructions also. Follow the instructions exactly that you find there. I would recommend that you print them out because you must not have internet access while doing this fix.
    Here is the link: TROJ_AGENT.QET removal

    Now once you reboot after editing the registry you are also supposed to use the HouseCall Online Anti-Virus Scan to complete removal. I would recommend doing this for sure.
    AFTER all that then run a new HJT scan and post it here.
    Judy

  4. #14 (Join Date: Nov 2007; Posts: 11)
    Hello,
    I tried to execute the steps that were provided in the link to Trend Micro. I had some problems. When I tried to edit the registry to remove the "startdrv" key under HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run, I got an error saying that it was unable to delete all specified values. Also, I could not find NDnet1 in HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services. I did not try to remove Runtime since the others did not work. I then tried to manually delete startdrv, but got an error saying access is denied while in Safe Mode as Admin. This program really is hooked into the system. Any other help you can provide to help me remove this is greatly appreciated.

  5. #15 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)
    Download PocketKillbox.exe

    Place it on the desktop.

    Shut down the computer. Disconnect the internet cable from the computer.

    Restart your computer.
    When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
    Select the option for Safe Mode using the arrow keys.
    Then press enter on your keyboard to boot into Safe Mode.

    Now you will run PocketKillbox in this manner:
    Double-click it on the desktop to open the program. You may get a box warning you about opening the file; click Run to allow it to start (and not give this security warning in future).

    When the program opens choose the option on the left side to Delete on Reboot

    In the Full Path of File to Delete type the following:

    c:\windows\Temp\startdrv.exe

    It will provide a window for you to confirm the delete.
    Next it will ask if you now wish to reboot, say yes and let the system reboot and delete the files.

    Allow the program then to run, delete and reboot.

    If the system does not reboot, do so yourself. Normal mode is fine.

    Shut down, re-attach the internet cable and reboot.
    Run a new Full Scan with online Kaspersky, save the log.
    Then run a new Deckard scan and save the log. In normal mode if possible.
    Post back here with both.

  6. #16 (Join Date: Nov 2007; Posts: 11)
    I was able to run the Killbox program in Safe mode. When I got to removing the startdrv.exe program, I got a response of "PendingFileRenameOperations Registry Data has been Removed by external Process" and the system did not reboot automatically. I rebooted back into normal mode and the program was gone, but the internet connection was slow and dropping. When I rebooted back into SafeMode w/ Networking, I looked to see if the program was still gone, and it had come back! I then ran the Kaspersky scan while in SafeMode. I then tried to boot back into Normal mode. I was able to get a consistent connection, so I again ran the Kaspersky scan. I then ran a Deckard scan. I have posted all logs below.
    While I had access to another computer, I tried to look up some stuff on this startdrv. It looks like it is some kind of rootkit. Any advice you can give will help. Thanks.

  7. #17 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)
    Please download F-Secure Blacklight (fsbl.exe) and save it to your C:\ drive.
    Open a command window by going to Start > Run and typing: cmd
    Copy/paste or type the following in the command window: C:\fsbl.exe /expert
    Hit "Enter" to start the program and then close the cmd box.
    Accept the user agreement and click "Next".
    Click "Scan".
    After the scan is complete, click "Next", then "Exit".
    BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
    The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
    Exit Blacklight and post the contents of the log in your next reply.

    After you finish with BlackLight and have the log to post, then follow these directions. Note: It appears that the combofix difficulties have been repaired, so do this next:
    Thanks to sUBs and anyone else who helped with this fix.

    Download ComboFix from Here or Here to your Desktop. (I just tested this and I used the second link)
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.

    Post the log from Blacklight, the log from combofix and a new HJT log.

  8. #18 (Join Date: Nov 2007; Posts: 11)
    I have run the three scans. It now looks like the computer is running better. However, it still looks like there is something running in the background. I know that this rootkit is hard to get off. I have posted the three scans below. Thanks for looking!

  9. #19 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)
    BlackLight has found at least one hidden rootkit though it is possible there are/were two.
    11/27/07 22:44:43 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\DRIVERS\runtime2.sys
    11/27/07 22:44:43 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\DRIVERS\runtime2.sy_

    Now it looks as though combofix has removed at least one of these...
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\WINDOWS\system32\drivers\runtime2.sys

    What I would like you to do is run BlackLight again to make sure that item is gone and see if the other listings remain. Let's not worry about those two hidden items, C:\Program Files\Internet Explorer\iexplore.exe and Hidden process: C:\Program Files\Internet Explorer\IEXPLORE.EXE, for the moment.
    Post the log here.
    I also would like to see a new Kaspersky scan too.

  10. #20 (Join Date: Nov 2007; Posts: 11)
    I have run the Blacklight program. It returned no viruses. When I reran the Kaspersky scan, a few things came up. I have posted both log files. Thanks.
