Not sure what to do.

connersdad19

New Member
When I start my computer up I get a C:/windows/system32/cmd.exe window. It only lasts for a couple of minutes, then goes away, but I was wondering what could be causing this. I did a HijackThis scan; not sure if that's what I need to do. Maybe you guys can help me.
In the box it says "access denied".


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:01 PM, on 6/6/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5626
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5626
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5626
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5626
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [auditadmin] C:\windows\options\auditadmin.cmd
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [{3563297A-4200-F6B8-2DEB-98EC86651020}] C:\Users\Dustin Patton\AppData\Roaming:explorer.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra 'Tools' menuitem: iMacros Web Automation - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall Service (AVGFw2kv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfw2kv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: lxcz_device - - C:\Windows\system32\lxczcoms.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7512 bytes
This is most likely the cause of the cmd window coming up:
O4 - HKLM\..\Run: [auditadmin] C:\windows\options\auditadmin.cmd


I would like to know more about this file. Please navigate to C:\windows\options\auditadmin.cmd. Right click on the file and choose Edit. Post the contents of the file here. If it is too large to fit in a post, please go to http://savefile.com and upload the file there. There is no need to register, just click the UPLOAD MY FILE button. After you upload the file, please post the link to the file.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entries:

  • O4 - HKCU\..\Run: [{3563297A-4200-F6B8-2DEB-98EC86651020}] C:\Users\Dustin Patton\AppData\Roaming:explorer.exe
Please close all open windows except for HijackThis and choose Fix checked

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log and the contents of auditadmin.cmd
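As an added illustration (not part of the thread, and not HijackThis's own code), here is a small triage script that reads O4 Run-key lines the way the helper above did and flags the two patterns at issue: a Run value whose target sits in an NTFS alternate data stream (the `Roaming:explorer.exe` entry) and a Run value that launches a script such as auditadmin.cmd. The flag names and heuristics are this example's own choices; the sample lines are copied from the log above.

```python
"""Triage of HijackThis O4 (Run/RunOnce autostart) entries.

Added example, not code from the thread or from HijackThis. Heuristics and
flag names are this example's own choices.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines taken from the log in the thread plus one
# RunOnce entry. Only the Run/RunOnce form is parsed; "O4 - Startup:" is skipped.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [auditadmin] C:\windows\options\auditadmin.cmd
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [{3563297A-4200-F6B8-2DEB-98EC86651020}] C:\Users\Dustin Patton\AppData\Roaming:explorer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# "O4 - <hive>\..\Run: [<value name>] <command> (User '<user>')" ; user part optional.
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# First path-like token: everything up to the first recognised file extension,
# so unquoted paths containing spaces (as in the ADS entry) are kept whole.
TARGET_RE = re.compile(
    r'^"?(?P<target>.+?\.(?:exe|com|scr|pif|dll|cmd|bat|vbs|js|wsf|hta|ps1))\b"?',
    re.IGNORECASE,
)
SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".js", ".wsf", ".hta", ".ps1")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


@dataclass
class Entry:
    hive: str
    key: str
    name: str
    target: str
    flags: list = field(default_factory=list)


def split_target(cmd: str) -> str:
    """Return the file a Run value launches; handles quoted and unquoted paths."""
    cmd = cmd.strip()
    m = TARGET_RE.match(cmd)
    if not m:
        return cmd
    target = m.group("target")
    # rundll32 is only the host process: the real payload is the DLL before the comma.
    if target.lower().endswith("rundll32.exe"):
        rest = cmd[m.end():].strip().strip('"')
        dll = rest.split(",", 1)[0].strip()
        return dll or target
    return target


def is_alternate_data_stream(path: str) -> bool:
    """True when a colon appears after the drive letter or %VAR% prefix (file:stream)."""
    body = re.sub(r"^(?:[A-Za-z]:|%[^%]+%)", "", path)
    return ":" in body


def triage(entry: Entry) -> Entry:
    """Attach review flags; an empty list means nothing stood out."""
    t = entry.target
    if is_alternate_data_stream(t):
        entry.flags.append("alternate data stream")
    if t.lower().endswith(SCRIPT_EXT):
        entry.flags.append("script in Run key")
    if re.search(r"\\users\\[^\\]+\\appdata\\", t, re.IGNORECASE):
        entry.flags.append("user-profile path")
    if GUID_RE.match(entry.name):
        entry.flags.append("GUID-style value name")
    return entry


def parse_o4(line: str):
    """Parse one Run/RunOnce O4 line; returns None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return triage(Entry(m["hive"], m["key"], m["name"], split_target(m["cmd"])))


def analyze(log: str) -> list:
    return [e for e in (parse_o4(l) for l in log.splitlines()) if e]


def suspicious(log: str) -> list:
    return [e for e in analyze(log) if e.flags]


if __name__ == "__main__":
    for e in analyze(SAMPLE_LOG):
        mark = "!!" if e.flags else "  "
        print(f"{mark} {e.hive}\\{e.key} [{e.name}] -> {e.target} {e.flags}")
```

Run as-is it marks exactly the two entries the helper singled out; every other sample line comes back with no flags.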
OK, here is the auditadmin file:

@ echo off
IF EXIST C:\Windows\OPTIONS\ENDUSER\sysprep.bat GOTO LOOP
:CLEAN
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v auditadmin /F
REG ADD HKLM\SYSTEM\SETUP\STATUS\UnattendPasses /v oobeSystem /t REG_DWORD /d 2 /f
net user administrator /active:no
Goto exit
:LOOP
net user administrator /active:yes
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v auditadmin /t REG_SZ /d C:\windows\options\auditadmin.cmd /f
goto EXIT
:EXIT


COMBOFIX

ComboFix 08-06-06.6 - Dustin Patton 2008-06-06 22:11:55.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.458 [GMT -4:00]
Running from: C:\Users\Dustin Patton\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Dustin Patton\AppData\Roaming\inst.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

2008-06-06 18:34 . 2008-06-06 18:34 69 --a------ C:\Windows\NeroDigital.ini
2008-06-06 18:09 . 2008-06-06 18:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-06 17:06 . 2008-06-06 17:06 <DIR> d-------- C:\Program Files\EA Sports
2008-06-06 16:55 . 2008-06-06 16:57 <DIR> d-------- C:\Users\Dustin Patton\AppData\Roaming\DAEMON Tools Pro
2008-06-06 16:54 . 2008-06-06 16:54 <DIR> d-------- C:\Users\All Users\DAEMON Tools Pro
2008-06-06 16:54 . 2008-06-06 16:54 <DIR> d-------- C:\ProgramData\DAEMON Tools Pro
2008-06-06 16:54 . 2008-06-06 16:54 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-06-06 13:05 . 2008-06-06 13:05 <DIR> d-------- C:\Users\All Users\FLEXnet
2008-06-06 13:05 . 2008-06-06 13:05 <DIR> d-------- C:\ProgramData\FLEXnet
2008-06-06 11:52 . 2008-06-06 11:52 <DIR> dr------- C:\Users\Dustin Patton\Saved Games
2008-06-06 11:52 . 2008-06-06 11:52 <DIR> dr------- C:\Users\Dustin Patton\Links
2008-06-06 11:41 . 2008-06-06 11:41 2,923,520 --a------ C:\Windows\explorer.exe
2008-06-06 11:40 . 2008-06-06 11:40 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-06-06 11:39 . 2008-06-06 11:39 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-06-06 11:39 . 2008-06-06 11:39 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-06-06 11:38 . 2008-06-06 11:38 8,147,968 --a------ C:\Windows\System32\wmploc.DLL
2008-06-06 11:38 . 2008-06-06 11:38 356,864 --a------ C:\Windows\System32\MediaMetadataHandler.dll
2008-06-06 11:38 . 2008-06-06 11:38 7,680 --a------ C:\Windows\System32\spwmp.dll
2008-06-06 11:38 . 2008-06-06 11:38 4,096 --a------ C:\Windows\System32\msdxm.ocx
2008-06-06 11:38 . 2008-06-06 11:38 4,096 --a------ C:\Windows\System32\dxmasf.dll
2008-06-06 11:37 . 2008-06-06 11:37 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-06-06 11:37 . 2008-06-06 11:37 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-06-06 11:37 . 2008-06-06 11:37 1,191,936 --a------ C:\Windows\System32\msxml3.dll
2008-06-06 11:37 . 2008-06-06 11:37 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-06-06 11:37 . 2008-06-06 11:37 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-06-06 11:37 . 2008-06-06 11:37 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-06-06 11:37 . 2008-06-06 11:37 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-06-06 11:37 . 2008-06-06 11:37 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-06-06 11:37 . 2008-06-06 11:37 15,928 --a------ C:\Windows\System32\drivers\pciide.sys
2008-06-06 11:37 . 2008-06-06 11:37 2,048 --a------ C:\Windows\System32\msxml3r.dll
2008-06-06 11:36 . 2008-06-06 11:36 1,327,104 --a------ C:\Windows\System32\quartz.dll
2008-06-06 11:36 . 2008-06-06 11:36 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-06-06 11:36 . 2008-06-06 11:36 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-06-06 11:36 . 2008-06-06 11:36 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-06-06 11:36 . 2008-06-06 11:36 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-06-06 11:36 . 2008-06-06 11:36 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-06-06 11:33 . 2008-06-06 11:33 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-06-06 11:33 . 2008-06-06 11:33 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-06-06 11:33 . 2008-06-06 11:33 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-06-06 11:33 . 2008-06-06 11:33 2,048 --a------ C:\Windows\System32\asferror.dll
2008-06-06 11:32 . 2008-06-06 11:32 1,335,296 --a------ C:\Windows\System32\msxml6.dll
2008-06-06 11:32 . 2008-06-06 11:32 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-06-06 11:32 . 2008-06-06 11:32 2,048 --a------ C:\Windows\System32\msxml6r.dll
2008-06-06 11:30 . 2008-06-06 11:30 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-06-06 11:30 . 2008-06-06 11:30 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-06-06 11:30 . 2008-06-06 11:30 737,792 --a------ C:\Windows\System32\inetcomm.dll
2008-06-06 11:30 . 2008-06-06 11:30 84,480 --a------ C:\Windows\System32\INETRES.dll
2008-06-06 11:30 . 2008-06-06 11:30 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-06-06 11:29 . 2008-06-06 11:29 788,992 --a------ C:\Windows\System32\rpcrt4.dll
2008-06-06 11:29 . 2008-06-06 11:29 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-06-06 11:29 . 2008-06-06 11:29 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-06-06 11:29 . 2008-06-06 11:29 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-06-06 11:29 . 2008-06-06 11:29 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-06-06 11:29 . 2008-06-06 11:29 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-06-06 11:29 . 2008-06-06 11:29 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-06-06 11:27 . 2008-06-06 11:27 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-06 11:27 . 2008-06-06 11:27 99,840 --a------ C:\Windows\System32\poqexec.exe
2008-06-06 11:27 . 2008-06-06 11:27 56,320 --a------ C:\Windows\System32\iesetup.dll
2008-06-06 11:26 . 2008-06-06 11:26 2,048 --a------ C:\Windows\System32\tzres.dll
2008-06-06 11:25 . 2008-06-06 11:25 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-06-06 11:25 . 2008-06-06 11:25 750,080 --a------ C:\Windows\System32\qmgr.dll
2008-06-06 10:43 . 2004-08-04 11:00 506,368 --a------ C:\Windows\System32\msxml.dll
2008-06-06 04:22 . 2008-06-06 11:34 <DIR> d-------- C:\Program Files\Game Elements
2008-06-06 04:22 . 2006-02-16 09:54 487,424 --a------ C:\Windows\System32\FDRpage.dll
2008-06-06 04:22 . 2005-12-09 12:24 192,512 --a------ C:\Windows\System32\CreateDir.exe
2008-06-06 04:22 . 2006-01-04 16:39 77,824 --a------ C:\Windows\System32\FDRdriver.dll
2008-06-06 01:58 . 2008-06-06 07:41 <DIR> d-------- C:\Program Files\Call of Duty 4 Modern Warfare Full-Rip Skullptura
2008-06-06 01:15 . 2008-06-06 01:15 <DIR> dr------- C:\Windows\System32\config\systemprofile\Music
2008-06-06 00:51 . 2008-06-06 00:51 <DIR> d-------- C:\Program Files\Bonjour
2008-06-06 00:36 . 2008-06-06 00:36 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-06 00:29 . 2008-06-06 00:29 <DIR> d-------- C:\Program Files\AskPBar
2008-06-06 00:28 . 2008-06-06 00:46 <DIR> d-------- C:\Program Files\Trillian
2008-06-05 21:51 . 2008-06-05 21:51 <DIR> d-------- C:\Users\Dustin Patton\AppData\Roaming\Nero
2008-06-05 21:45 . 2008-06-05 21:45 <DIR> d-------- C:\Users\All Users\Nero
2008-06-05 21:45 . 2008-06-05 21:45 <DIR> d-------- C:\ProgramData\Nero
2008-06-05 21:45 . 2008-06-05 21:45 <DIR> d-------- C:\Program Files\Nero
2008-06-05 21:45 . 2008-06-05 21:48 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-06-05 21:31 . 2007-04-09 16:23 28,040 --a------ C:\Windows\System32\mdimon.dll
2008-06-05 21:31 . 2008-06-05 21:31 376 --a------ C:\Windows\ODBC.INI
2008-06-05 21:24 . 2008-06-05 21:24 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-06-05 21:24 . 2008-06-05 21:27 <DIR> d-------- C:\Program Files\iMacros
2008-06-05 21:24 . 2004-03-09 03:00 224,016 --a------ C:\Windows\System32\tabctl32.ocx
2008-06-05 21:24 . 2007-08-14 19:14 143,360 --a------ C:\Windows\System32\iimds.dll
2008-06-05 21:24 . 2007-08-17 13:57 56,696 --a------ C:\Windows\System32\imsys.dll
2008-06-05 21:20 . 2008-06-05 21:20 <DIR> d-------- C:\Windows\PCHEALTH
2008-06-05 21:20 . 2008-06-05 21:20 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-06-05 21:08 . 2008-06-05 21:08 717,296 --a------ C:\Windows\System32\drivers\sptd.sys
2008-06-05 21:07 . 2008-06-05 21:07 <DIR> d-------- C:\Users\Dustin Patton\AppData\Roaming\DAEMON Tools
2008-06-05 21:04 . 2008-06-05 21:04 1,712,984 --a------ C:\Windows\System32\wuaueng.dll
2008-06-05 21:04 . 2008-06-05 21:04 1,524,224 --a------ C:\Windows\System32\wucltux.dll
2008-06-05 21:04 . 2008-06-05 21:04 53,080 --a------ C:\Windows\System32\wuauclt.exe
2008-06-05 21:04 . 2008-06-05 21:04 43,352 --a------ C:\Windows\System32\wups2.dll
2008-06-05 21:02 . 2008-06-05 21:02 549,720 --a------ C:\Windows\System32\wuapi.dll
2008-06-05 21:02 . 2008-06-05 21:02 163,000 --a------ C:\Windows\System32\wuwebv.dll
2008-06-05 21:02 . 2008-06-05 21:02 80,896 --a------ C:\Windows\System32\wudriver.dll
2008-06-05 21:02 . 2008-06-05 21:02 33,624 --a------ C:\Windows\System32\wups.dll
2008-06-05 21:02 . 2008-06-05 21:02 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-06-05 19:26 . 2008-06-05 19:28 <DIR> d-------- C:\cabs
2008-06-05 19:21 . 2008-06-06 09:03 <DIR> d-------- C:\Users\Dustin Patton\AppData\Roaming\Azureus
2008-06-05 19:21 . 2008-06-05 19:21 <DIR> d-------- C:\Users\All Users\Azureus
2008-06-05 19:21 . 2008-06-05 19:21 <DIR> d-------- C:\ProgramData\Azureus
2008-06-05 19:20 . 2008-06-05 19:21 <DIR> d-------- C:\Program Files\Azureus
2008-06-05 19:17 . 2008-06-05 19:17 <DIR> d-------- C:\Program Files\CCleaner
2008-06-05 19:15 . 2008-06-05 19:15 <DIR> d-------- C:\Windows\WinRAR
2008-06-05 19:11 . 2008-06-05 19:11 <DIR> d-------- C:\Program Files\PowerISO
2008-06-05 19:07 . 2008-06-05 19:08 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-06-05 19:07 . 2008-06-05 19:08 <DIR> d-------- C:\ProgramData\Lavasoft
2008-06-05 19:07 . 2008-06-05 19:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-05 19:07 . 2008-06-05 19:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-05 19:05 . 2008-06-05 19:14 <DIR> d-------- C:\Program Files\DVDFab Platinum 4
2008-06-05 18:58 . 2008-06-05 19:14 <DIR> d-------- C:\Users\Dustin Patton\AppData\Roaming\Vso
2008-06-05 18:58 . 2008-06-05 18:58 <DIR> d-------- C:\Program Files\VSO
2008-06-05 18:58 . 2004-05-04 14:53 1,645,320 --a------ C:\Windows\gdiplus.dll
2008-06-05 18:58 . 2006-05-20 19:16 1,184,984 --a------ C:\Windows\System32\wvc1dmod.dll
2008-06-05 18:58 . 2006-05-11 22:21 626,688 --a------ C:\Windows\System32\vp7vfw.dll
2008-06-05 18:58 . 2006-09-29 15:24 217,127 --a------ C:\Windows\System32\drv43260.dll
2008-06-05 18:58 . 2006-09-29 15:25 208,935 --a------ C:\Windows\System32\drv33260.dll
2008-06-05 18:58 . 2006-09-29 15:26 176,165 --a------ C:\Windows\System32\drv23260.dll
2008-06-05 18:58 . 2007-03-18 23:37 65,602 --a------ C:\Windows\System32\cook3260.dll
2008-06-05 18:58 . 2008-06-05 18:58 47,360 --a------ C:\Windows\System32\drivers\pcouffin.sys
2008-06-05 18:58 . 2008-06-05 18:58 47,360 --a------ C:\Users\Dustin Patton\AppData\Roaming\pcouffin.sys
2008-06-05 18:55 . 2008-06-06 11:21 <DIR> d-------- C:\Users\Dustin Patton\AppData\Roaming\AVG7
2008-06-05 18:54 . 2008-06-05 18:55 <DIR> d-------- C:\Users\All Users\Grisoft
2008-06-05 18:54 . 2008-06-06 11:22 <DIR> d-------- C:\Users\All Users\avg7
2008-06-05 18:54 . 2008-06-05 18:55 <DIR> d-------- C:\ProgramData\Grisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 15:48 174 --sha-w C:\Program Files\desktop.ini
2008-06-06 15:44 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-06 15:44 --------- d-----w C:\Program Files\Windows Mail
2008-06-06 15:44 --------- d-----w C:\Program Files\Windows Calendar
2008-06-06 15:41 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-06-06 15:41 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-06-06 15:41 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-06-06 15:41 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-06-06 15:41 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-06-06 15:41 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-06-06 15:41 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-06-06 15:41 28,344 ----a-w C:\Windows\system32\drivers\battc.sys
2008-06-06 15:41 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-06-06 15:41 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-06-06 15:41 20,920 ----a-w C:\Windows\system32\drivers\compbatt.sys
2008-06-06 15:41 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-06-06 15:31 88,576 ----a-w C:\Windows\System32\avifil32.dll
2008-06-06 15:30 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-06 15:30 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-06-06 15:30 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-06-06 15:30 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-06-06 15:30 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-06-06 15:28 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-06-06 15:28 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-06-06 15:28 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-06-06 04:51 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-05 23:31 --------- d-----w C:\ProgramData\McAfee
2008-06-05 23:30 --------- d-----w C:\Program Files\Google
2008-06-05 23:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-05 23:05 --------- d-----w C:\ProgramData\Napster
2008-06-05 23:04 --------- d-----w C:\Program Files\Gateway Games
2008-06-05 22:59 --------- d-----w C:\ProgramData\Microsoft Help
2008-06-05 22:51 --------- d-----w C:\ProgramData\WildTangent
2008-06-05 22:34 --------- d-sh--w C:\ProgramData\Templates
2008-06-05 22:34 --------- d-sh--w C:\ProgramData\Start Menu
2008-06-05 22:34 --------- d-sh--w C:\ProgramData\Favorites
2008-06-05 22:34 --------- d-sh--w C:\ProgramData\Documents
2008-06-05 22:34 --------- d-sh--w C:\ProgramData\Desktop
2008-06-05 22:34 --------- d-sh--w C:\ProgramData\Application Data
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 08:35 125440]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 21:07 1828136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"auditadmin"="C:\windows\options\auditadmin.cmd" [2007-04-05 20:58 476]
"SigmatelSysTrayApp"="sttray.exe" [2006-11-02 16:38 303104 C:\Windows\sttray.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-06-29 03:43 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-06-29 03:43 8466432]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-06-29 03:43 81920]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-15 19:58 151552]
"BigFix"="c:\program files\Bigfix\bigfix.exe" [2006-11-16 19:04 2348584]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-06 11:54 579584]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-14 19:50 233472]
"NWEReboot"="" []
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 20:29 2221352]
"RegistryMechanic"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-06-05 18:54 219136]

C:\Users\Dustin Patton\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 22:16:50 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-06-05 18:54 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4856DD37-07BF-4A58-88C1-A3B9D15FDCFC}"= UDP:C:\Windows\System32\lxczcoms.exe:1200 Series Server
"{CB76939D-D17F-4839-B097-F4743505A26B}"= TCP:C:\Windows\System32\lxczcoms.exe:1200 Series Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 AVGFw2kv;AVG Firewall Service;C:\PROGRA~1\Grisoft\AVG7\avgfw2kv.exe [2008-06-05 18:54]
R2 lxcz_device;lxcz_device;C:\Windows\system32\lxczcoms.exe [2007-02-08 18:50]
R3 AVer88xHD;AVerMedia 23888 AvStream Video Capture;C:\Windows\system32\drivers\AVer88xHD.sys [2007-04-08 23:47]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-06-06 11:54]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 03:30]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 22:15:41
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-06 22:16:40
ComboFix-quarantined-files.txt 2008-06-07 02:16:21

Pre-Run: 281,453,092,864 bytes free
Post-Run: 283,187,941,376 bytes free

246 --- E O F --- 2008-06-06 15:42:31

HIJACK THIS


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:21 PM, on 6/6/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5626
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5626
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O4 - HKLM\..\Run: [auditadmin] C:\windows\options\auditadmin.cmd
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra 'Tools' menuitem: iMacros Web Automation - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall Service (AVGFw2kv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfw2kv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: lxcz_device - - C:\Windows\system32\lxczcoms.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 6592 bytes


HERE IS THE NEW AUDITADMIN FILE

@ echo off
IF EXIST C:\Windows\OPTIONS\ENDUSER\sysprep.bat GOTO LOOP
:CLEAN
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v auditadmin /F
REG ADD HKLM\SYSTEM\SETUP\STATUS\UnattendPasses /v oobeSystem /t REG_DWORD /d 2 /f
net user administrator /active:no
Goto exit
:LOOP
net user administrator /active:yes
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v auditadmin /t REG_SZ /d C:\windows\options\auditadmin.cmd /f
goto EXIT
:EXIT


HOPE THIS HELPS
 
That file does not appear malicious, but it need not be running at every startup. Let's remove it.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entry:

  • O4 - HKLM\..\Run: [auditadmin] C:\windows\options\auditadmin.cmd
Please close all open windows except for HijackThis and choose Fix checked

I also want to follow up that entry we removed earlier:
  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    ADS::
    C:\Users\Dustin Patton\AppData\Roaming
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.

    [Screenshot: CFScript.gif]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log. Has that stopped the windows coming up?
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.