Disinfecting a PC… part 4
So, AVG has been scanning away and finding things; we've really got a foothold on the system now, and the malware has a fight on its hands. It's good to see progress. Up to this point we've had multiple Spool32 errors (printer related); these errors are what prompted the system to be brought in initially. There's a Lexmark system tray item that loads on boot. No time to investigate that yet. Here's the log of the AVG antivirus scan…
"Partition table (MBR)","ok","Quick checked"
"Boot sector of disk C:","ok","Quick checked"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load","","Scanned"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit","","Scanned"
"System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","","Scanned"
"System registry exefile\shell\open\command","","Scanned"
"System registry scrfile\shell\open\command","","Scanned"
"System registry scrfile\shell\config\command","","Scanned"
"System registry batfile\shell\open\command","","Scanned"
"System registry cmdfile\shell\open\command","","Scanned"
"System registry comfile\shell\open\command","","Scanned"
"System registry piffile\shell\open\command","","Scanned"
"System registry giffile\shell\open\command","","Scanned"
"System registry htmlfile\shell\open\command","","Scanned"
"System registry htafile\shell\open\command","","Scanned"
"System registry jpegfile\shell\open\command","","Scanned"
"System registry txtfile\shell\open\command","","Scanned"
"System registry regfile\shell\open\command","","Scanned"
"System registry cplfile\shell\cplopen\command","","Scanned"
"System registry Word.Document.8\shell\open\command","","Scanned"
"System registry WordPad.Document.1\shell\open\command","","Scanned"
"C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe","ok","Quick checked"
"C:\PROGRA~1\ACCESS~1\WORDPAD.EXE","ok","Quick checked"
"C:\PROGRA~1\BMCENT~1\BMLauncher.exe","ok","Quick checked"
"C:\PROGRA~1\ESOFT\EBOARD\eBoard.exe","ok","Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\avgamsvr.exe","ok","Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\avgcc.exe","ok","Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\avgemc.exe","ok","Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\avgw.exe","ok","Quick checked"
"C:\PROGRA~1\INTERN~1\IEXPLORE.EXE","ok","Quick checked"
"C:\PROGRA~1\MESSEN~1\msmsgs.exe","ok","Quick checked"
"C:\PROGRA~1\ezula\mmod.exe","ok","Quick checked"
"C:\Program Files\Common Files\slmss\slmss.exe","Trojan horse SecThought.B","Infected"
"C:\Program Files\Common files\updater\wupdater.exe","Trojan horse Downloader.Keenval.J","Infected"
"C:\Program Files\Internet Optimizer\optimize.exe","Trojan horse Downloader.Dyfica.2.AC","Infected"
"C:\Program Files\Microsoft Money\System\Money Express.exe","ok","Quick checked"
"C:\Program Files\Microsoft Office\Office\WINWORD.EXE","ok","Quick checked"
"C:\Program Files\Real\RealPlayer\realplay.exe","ok","Quick checked"
"C:\Progra~1\ClearSearch\Loader.exe","Trojan horse BackDoor.Ruledor.D","Infected"
"C:\WINDOWS\LOADQM.EXE","ok","Quick checked"
"C:\WINDOWS\NOTEPAD.EXE","ok","Quick checked"
"C:\WINDOWS\PCHealth\Support\PCHSCHD.EXE","ok","Quick checked"
"C:\WINDOWS\REGEDIT.EXE","ok","Quick checked"
"C:\WINDOWS\RUNDLL32.EXE","ok","Quick checked"
"C:\WINDOWS\SCANREGW.EXE","ok","Quick checked"
"C:\WINDOWS\SYSTEM\LEXSTART.EXE","ok","Quick checked"
"C:\WINDOWS\SYSTEM\MSHTA.EXE","ok","Quick checked"
"C:\WINDOWS\SYSTEM\MSTASK.EXE","ok","Quick checked"
"C:\WINDOWS\SYSTEM\PRINTRAY.EXE","ok","Quick checked"
"C:\WINDOWS\SYSTEM\SHELL32.DLL","ok","Quick checked"
"C:\WINDOWS\SYSTEM\SHIMGVW.DLL","ok","Quick checked"
"C:\WINDOWS\SYSTEM\SSDPSRV.EXE","ok","Quick checked"
"C:\WINDOWS\SYSTEM\SYSTRAY.EXE","ok","Quick checked"
"C:\WINDOWS\SYSTEM\pecxlc.exe","ok","Quick checked"
"C:\WINDOWS\SYSTEM\stcloader.exe","ok","Quick checked"
"C:\WINDOWS\System\Restore\STATEMGR.EXE","ok","Quick checked"
"C:\WINDOWS\TASKMON.EXE","ok","Quick checked"
"C:\WINDOWS\goidr.exe","ok","Quick checked"
"C:\WINDOWS\mwsvm.exe","ok","Quick checked"
"C:\WINDOWS\SYSTEM\kernel32.dll","ok","Quick checked"
"C:\WINDOWS\SYSTEM\wsock32.dll","ok","Quick checked"
"C:\WINDOWS\SYSTEM\user32.dll","ok","Quick checked"
"C:\WINDOWS\SYSTEM\shell32.dll","ok","Quick checked"
"C:\WINDOWS\Temporary Internet Files\Content.IE5\94LN9FJF\HyperLinker[1].cab:\HyperLinker.exe","Trojan horse BackDoor.Small.14.AM","Infected, Embedded object"
"C:\WINDOWS\Temporary Internet Files\Content.IE5\94LN9FJF\HyperLinker[1].cab","Trojan horse BackDoor.Small.14.AM","Infected, Archive"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load","","Scanned"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce","","Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit","","Scanned"
"System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","","Scanned"
"System registry exefile\shell\open\command","","Scanned"
"System registry scrfile\shell\open\command","","Scanned"
"System registry scrfile\shell\config\command","","Scanned"
"System registry batfile\shell\open\command","","Scanned"
"System registry cmdfile\shell\open\command","","Scanned"
"System registry comfile\shell\open\command","","Scanned"
"System registry piffile\shell\open\command","","Scanned"
"System registry giffile\shell\open\command","","Scanned"
"System registry htmlfile\shell\open\command","","Scanned"
"System registry htafile\shell\open\command","","Scanned"
"System registry jpegfile\shell\open\command","","Scanned"
"System registry txtfile\shell\open\command","","Scanned"
"System registry regfile\shell\open\command","","Scanned"
"System registry cplfile\shell\cplopen\command","","Scanned"
"System registry Word.Document.8\shell\open\command","","Scanned"
"System registry WordPad.Document.1\shell\open\command","","Scanned"
"C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe","ok","Quick checked"
"C:\PROGRA~1\ACCESS~1\WORDPAD.EXE","ok","Quick checked"
"C:\PROGRA~1\BMCENT~1\BMLauncher.exe","ok","Quick checked"
"C:\PROGRA~1\ESOFT\EBOARD\eBoard.exe","ok","Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\avgamsvr.exe","ok","Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\avgcc.exe","ok","Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\avgemc.exe","ok","Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\avgw.exe","ok","Quick checked"
"C:\PROGRA~1\INTERN~1\IEXPLORE.EXE","ok","Quick checked"
"C:\PROGRA~1\MESSEN~1\msmsgs.exe","ok","Quick checked"
"C:\PROGRA~1\ezula\mmod.exe","ok","Quick checked"
"C:\Program Files\Microsoft Money\System\Money Express.exe","ok","Quick checked"
"C:\Program Files\Microsoft Office\Office\WINWORD.EXE","ok","Quick checked"
"C:\Program Files\Real\RealPlayer\realplay.exe","ok","Quick checked"
"C:\WINDOWS\LOADQM.EXE","ok","Quick checked"
"C:\WINDOWS\NOTEPAD.EXE","ok","Quick checked"
"C:\WINDOWS\PCHealth\Support\PCHSCHD.EXE","ok","Quick checked"
"C:\WINDOWS\REGEDIT.EXE","ok","Quick checked"
"C:\WINDOWS\RUNDLL32.EXE","ok","Quick checked"
"C:\WINDOWS\SCANREGW.EXE","ok","Quick checked"
"C:\WINDOWS\SYSTEM\LEXSTART.EXE","ok","Quick checked"
"C:\WINDOWS\SYSTEM\MSHTA.EXE","ok","Quick checked"
"C:\WINDOWS\SYSTEM\MSTASK.EXE","ok","Quick checked"
"C:\WINDOWS\SYSTEM\PRINTRAY.EXE","ok","Quick checked"
"C:\WINDOWS\SYSTEM\SHELL32.DLL","ok","Quick checked"
"C:\WINDOWS\SYSTEM\SHIMGVW.DLL","ok","Quick checked"
"C:\WINDOWS\SYSTEM\SSDPSRV.EXE","ok","Quick checked"
"C:\WINDOWS\SYSTEM\SYSTRAY.EXE","ok","Quick checked"
"C:\WINDOWS\SYSTEM\pecxlc.exe","ok","Quick checked"
"C:\WINDOWS\SYSTEM\stcloader.exe","ok","Quick checked"
"C:\WINDOWS\System\Restore\STATEMGR.EXE","ok","Quick checked"
"C:\WINDOWS\TASKMON.EXE","ok","Quick checked"
"C:\WINDOWS\goidr.exe","ok","Quick checked"
"C:\WINDOWS\mwsvm.exe","ok","Quick checked"
"C:\updaterInstall_112.exe","","Deleted"
"C:\WINDOWS\wsem300.dll","","Deleted"
"C:\WINDOWS\aqadcup.exe","","Deleted"
"C:\WINDOWS\Guqvqmm.exe","","Deleted"
"C:\WINDOWS\Xecrtyr.exe","","Deleted"
"C:\WINDOWS\HyperLinker.exe","","Deleted"
"C:\WINDOWS\Helper100.dll","","Deleted"
"C:\WINDOWS\SYSTEM\2ndsrch.dll","","Deleted"
"C:\WINDOWS\SYSTEM\ATPartners.dll","","Deleted"
"C:\WINDOWS\SYSTEM\istinstall_adlogix.exe","","Deleted"
"C:\WINDOWS\SYSTEM\in10b6s.dll","","Deleted"
"C:\WINDOWS\SYSTEM\cdsm32.dll","","Deleted"
"C:\WINDOWS\TEMP\fEGhYef.exe","","Deleted"
"C:\WINDOWS\TEMP\optimize.exe","","Deleted"
"C:\WINDOWS\TEMP\bdl14173.exe","","Deleted"
"C:\WINDOWS\bundles\Tvm_b5_269.exe","","Deleted"
"C:\WINDOWS\bundles\32wu54rd.exe","","Deleted"
"C:\WINDOWS\bundles\SSK_B5.EXE","","Deleted"
"C:\WINDOWS\bundles\shopinst.exe","","Deleted"
"C:\WINDOWS\bundles\saie1101.exe","","Deleted"
"C:\WINDOWS\bundles\HelperInstaller.exe","","Deleted"
"C:\Program Files\Common Files\Slmss\slmss.exe","","Deleted"
"C:\Program Files\Common Files\updater\delupdat.exe","","Deleted"
"C:\Program Files\Common Files\updater\wupdater.exe","","Deleted"
"C:\Program Files\Common Files\updater\sui.exe","","Deleted"
"C:\Program Files\Windows Media Player\WMPLAYER.EXE","","Deleted"
"C:\Program Files\DiallerProgram\011145.exe","","Deleted"
"C:\Program Files\STC\slmss.exe","","Deleted"
"C:\Program Files\STC\CSV5P070.exe","","Deleted"
"C:\Program Files\STC\s_win32.exe","","Deleted"
"C:\Program Files\ClearSearch\Loader.exe","","Deleted"
"C:\Program Files\Internet Optimizer\optimize.exe","","Deleted"
"C:\Program Files\Internet Optimizer\install.exe","","Deleted"
"C:\Program Files\Internet Optimizer\update\install.exe","","Deleted"
"C:\Program Files\IncrediFind\BHO\IncFindBHO.dll","","Deleted"
35 items deleted, 5 others identified as viruses and quarantined; the infected archive (the HyperLinker .cab) is not movable at this time, so it will have to be deleted manually later. Details on the bugs in the next entry.