Bad System Viruses, Can't Remove! [RESOLVED]

Welcome Guest ( Log In | Join )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Want to ask a question, reply to a topic, or remove all advertising? It's easy, fast and free. Join today!
Spyware, virus, trojan, fake security or privacy alerts? Please start with our malware cleaning guide.

> Geeks to Go! » Security » Malware Removal - HijackThis� Logs Go Here

2 Pages

1 2 >

Bad System Viruses, Can't Remove! [RESOLVED], Trojan horse BHO.AKY

Options

449 View Member Profile	Aug 27 2007, 10:28 AM Post #1
Member Posts: 13 OS: xp	Hi, I appreciate it that you guys are willing to help concerning there difference malware problems. I'm really hoping I get a respond to this because I've tried for weeks on different forums to get a response and still haven't gotten one. I've run tons of different antispyware/virus programs ,but they have not been able to remove the viruses. AVG is the only program that has recognized them ,but when I try to remove them I get an access denied box. I was able to write down them are which was the following: While opening file: C:\WINDOWS\system32\mwtdiita.exe Adware Generic.JFZ While opening file: C:\WINDOWS\system32\evrakstu.dll Trojan horse BHO.AKY While opening file: C:\WINDOWS\system32\sbcpfudl.exe Adware Generic2.JFZ Help on removing these would be great. And here's my HiJackThis log. Edit: fresh log is in bold Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:11:47 PM, on 8/29/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter\FLV to AVI MPEG WMV 3GP MP4 iPod Converter.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter\ave.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...&ar=msnhome R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: 0 - {5D62148B-85DD-46A9-268D-3B15900AB2FF} - (no file) O2 - BHO: (no name) - {ADF76657-59AA-4C24-8071-6B841AA53F10} - (no file) O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137457062828 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137456947812 O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe -- End of file - 4602 bytes Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:27:49 PM, on 8/27/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trillian\trillian.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...&ar=msnhome R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: 0 - {5D62148B-85DD-46A9-268D-3B15900AB2FF} - (no file) O2 - BHO: (no name) - {ADF76657-59AA-4C24-8071-6B841AA53F10} - (no file) O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137457062828 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137456947812 O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll O20 - Winlogon Notify: khfghii - khfghii.dll (file missing) O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe -- End of file - 4668 bytes This post has been edited by 449: Aug 29 2007, 05:12 PM

MoNsTeReNeRgY22 View Member Profile	Aug 29 2007, 08:35 PM Post #2
Member Posts: 2,264 From: Classified, CA OS: Windows XP Media Center Editon SP2	Hello and Welcome to Geeks to Go. I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today. Sorry for the delay, things have been quite busy hear lately. Please re-open HijackThis and scan. Check the boxes next to all the entries listed below. O2 - BHO: 0 - {5D62148B-85DD-46A9-268D-3B15900AB2FF} - (no file) O2 - BHO: (no name) - {ADF76657-59AA-4C24-8071-6B841AA53F10} - (no file) Now close all windows other than Hijackthis, then click Fix Checked. Close HijackThis. Download and scan with SUPERAntiSpyware Free for Home Users Double-click SUPERAntiSpyware.exe and use the default settings for installation. An icon will be created on your desktop. Double-click that icon to launch the program. If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.) Under "*Configuration and Preferences", click the Preferences* button. Click the Scanning Control tab. Under Scanner Options make sure the following are checked (leave all others unchecked): Close browsers before scanning. Scan for tracking cookies. Terminate memory threats before quarantining. Click the "Close" button to leave the control center screen. Back on the main screen, under "*Scan for Harmful Software" click Scan your computer. On the left, make sure you check C:\Fixed Drive. On the right, under "Complete Scan", choose Perform Complete Scan. Click "Next" to start the scan. Please be patient while it scans your computer. After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK". Make sure everything has a checkmark next to it and click "Next". A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu. If asked if you want to reboot, click "Yes". To retrieve the removal information after reboot, launch SUPERAntispyware again. Click Preferences, then click the Statistics/Logs tab.* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log. If there are several logs, click the current dated log and press View log. A text file will open in your default text editor. Please copy and paste the Scan Log results in your next reply. Click Close to exit the program.

449 View Member Profile	Aug 30 2007, 08:23 AM Post #3
Member Posts: 13 OS: xp	SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 08/30/2007 at 02:16 AM Application Version : 3.9.1008 Core Rules Database Version : 3296 Trace Rules Database Version: 1305 Scan type : Complete Scan Total Scan Time : 03:28:45 Memory items scanned : 350 Memory threats detected : 0 Registry items scanned : 5827 Registry threats detected : 0 File items scanned : 167540 File threats detected : 2 Adware.k8l C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\PROFSYXYV.HTML Adware.Unknown Origin C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP680\A0265731.CFG

MoNsTeReNeRgY22 View Member Profile	Aug 30 2007, 09:02 AM Post #4
Member Posts: 2,264 From: Classified, CA OS: Windows XP Media Center Editon SP2	Hey 449, Please open up SUPERAntiSpyware and do the following Click Manage Quarantine Select ALL Quarantine Items Then press Remove... on the right Exit out of SUPERAntiSpyware Other than that, your log looks clean! Nice job! How is it running ? Please use the following suggestion to help prevent reinfection. Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)Now we need to make a new System Restore Point for your PC, please do the following Click Start, Settings, Control Panel Double-click the System icon Click the Performance tab, File System, Troubleshooting tab Check "Turn off System Restore" and click "Apply". Please give a moment as it will delete the old System Restore points Then uncheck "Turn off System Restore" which will create a new System Restore point Click OK I highly recommend downloading the following programs, to keep malware of your computer to begin with. The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again. Spybot Search & Destroy - Very powerful tool which can search and annhilate malware that make it onto your system. Now with an Immunize section that will help prevent future infections. Tutorial on installing & using this product can be found HERE Ad-Aware 2007 Free - Another very powerful tool which searches and kills malware that infect your system. AdAware and Spybot Search & Destroy compliment each other very well. Tutorial on installing & using this product can be found HERE SpywareBlaster - Great prevention tool to keep malware from installing on your system. Tutorial on installing & using this product can be found HERE SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place. Tutorial on installing & using this product can be found HERE IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Tutorial on installing & using this product can be found HERE ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out malware that like to reside in the temp folders. AntiVirus Program An AntiVirus program is a must in today's digital world! I recommend avast! 4 Home Edition, AVG, or Anti-Vir. DO NOT install more than one antivirus program. They will conflict, and provide less protection, not more. Firewall A firewall is definitely a must have to protect your computer from hackers. I recommend Comodo, Zone Alarm, or Outpost. Tutorial on Firewalls can be found HERE Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there. You must stay on top of your updates at all times, for the above mentioned applications. It is vitally important to stay on top of your critical updates provided by microsoft. And finally a little How did I get infected in the first place?(by Tony Klein) Good luck and safe surfing

449 View Member Profile	Aug 30 2007, 09:29 AM Post #5
Member Posts: 13 OS: xp	Thanks for your help! I really appreciate it! I'm pretty sure I still have problems. I figured out that when I run Spybot Search&Destroy I get the infected file errors from AVG: While opening file: C:\WINDOWS\system32\mwtdiita.exe Adware Generic.JFZ While opening file: C:\WINDOWS\system32\evrakstu.dll Trojan horse BHO.AKY While opening file: C:\WINDOWS\system32\sbcpfudl.exe Adware Generic2.JFZ I think there are actually duplicate one but in different locations because sometimes I have to press the "Ignore" button for AVG 6+ times. Is there anything else I can do? Also while Spybot was scanning I got thing warning message "There were prooblems in the include file C:\Program Files\Spybot - Search _Destroy\Includes\Trojans.sbi See 'Include errors.log' for details." This post has been edited by 449: Aug 30 2007, 09:40 AM

MoNsTeReNeRgY22 View Member Profile	Aug 30 2007, 10:38 AM Post #6
Member Posts: 2,264 From: Classified, CA OS: Windows XP Media Center Editon SP2	Hello again, Lets look a little deeper then. Step 1 Jotti File Submission: Please go to Jotti's malware scan Copy and paste the following file path into the "File to upload & scan"box on the top of the page: C:\WINDOWS\system32\mwtdiita.exe Click on the submit button Please also do the same with the following two files: C:\WINDOWS\system32\evrakstu.dll C:\WINDOWS\system32\sbcpfudl.exe Please post the results of the scan in your next reply. If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/ Step 2 Please completly uninstall SpyBot by doing the instructions on the following site. http://ict.cas.psu.edu/training/howto/util/removespybot.htm Don't re install it yet, we will later. Step 3 Please download RUNSCANNER to your desktop and run it. When the first page comes up select Beginner Mode On the next page select Save a binary .Run file (optional) then click Start full computer scan at the bottom. At this time Runscanner.exe may request access to the Internet through your firewall please allow it to do so, it will then run for two or three minutes. On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log Call the file *"Select a file name here"* and save it to your desktop. You will see the .run file on your desktop. Please zip that file by right clicking and selecting send to Zip file Then upload that as an attachment along with the log file produced in your next post. Step 4 Please post the following in your next reply Three Jotti Results .Run file Fresh HJT Log

449 View Member Profile	Aug 30 2007, 10:47 AM Post #7
Member Posts: 13 OS: xp	Ok, when I tried to upload all the files on both of the sites I got 0 bytes uploaded every time. I'll finish the rest of the steps now. Also, when I tried to upload I would get the "infected file detected" from AVG This post has been edited by 449: Aug 30 2007, 10:48 AM

MoNsTeReNeRgY22 View Member Profile	Aug 30 2007, 10:50 AM Post #8
Member Posts: 2,264 From: Classified, CA OS: Windows XP Media Center Editon SP2	Since the RunScanner logs won't upload, lets try a different tool. Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop. Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program. Now click the Run Scan button on the toolbar. When the scan is complete Notepad will open with the report file loaded in it. Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it. Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

449 View Member Profile	Aug 30 2007, 11:07 AM Post #9
Member Posts: 13 OS: xp	Wow, ok so I open the WinPFind3U.exe file and click run scan. It starts off but then gets hit by five or six of AVG infected file notifications. I ignore then but the program stops responding so I end it. I tried this twice. --------------------- I uploaded the run file. Runscanner logfile http://www.runscanner.net * = authenticode signed file - = file not found 000 General info ---------------- Computer name : YOUR-W04GTXLD67 Creation time : 8/30/2007 1:10:03 PM Hosts <> 127.0.0.1 : 0 Hosts file location : %SystemRoot%\System32\drivers\etc IE version : 6.0.2900.2180 OS : Microsoft Windows XP OS Build : 2600 OS SP : Service Pack 2 RunScanner Version : 1.0.3.0 Type of scan : Full scan User Language : English (United States) User rights : Administrator Windows folder : C:\WINDOWS 001 Running processes --------------------- c:\progra~1\grisoft\avg7\avgamsvr.exe (GRISOFT, s.r.o.) * c:\program files\grisoft\avg anti-spyware 7.5\guard.exe (GRISOFT s.r.o.) c:\progra~1\grisoft\avg7\avgcc.exe (GRISOFT, s.r.o.) c:\progra~1\grisoft\avg7\avgfwsrv.exe (GRISOFT, s.r.o.) c:\progra~1\grisoft\avg7\avgrssvc.exe (GRISOFT, s.r.o.) c:\progra~1\grisoft\avg7\avgrssvc.exe (GRISOFT, s.r.o.) c:\progra~1\grisoft\avg7\avgupsvc.exe (GRISOFT, s.r.o.) c:\program files\diskeeper corporation\diskeeper\dkservice.exe (Diskeeper Corporation) * c:\program files\mozilla firefox\firefox.exe (Mozilla Corporation) c:\program files\yourware solutions\freeram xp pro\freeram xp pro.exe (YourWare Solutions ™) * c:\windows\system32\nvsvc32.exe (NVIDIA Corporation) * c:\documents and settings\l33t\desktop\runscanner\runscanner.exe (Runscanner.net) 002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys) ----------------------------------------------------------------- c:\progra~1\grisoft\avg7\avgcc.exe (GRISOFT, s.r.o.) * c:\windows\system32\nvcpl.dll (NVIDIA Corporation) 003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys) ----------------------------------------------------------------- c:\program files\yourware solutions\freeram xp pro\freeram xp pro.exe (YourWare Solutions ™) * c:\program files\utorrent\utorrent.exe 008 Default user \Software\Microsoft\Windows\CurrentVersion\Run (+subkeys) -------------------------------------------------------------------------- c:\progra~1\grisoft\avg7\avgw.exe (GRISOFT, s.r.o.) 009 System user\Software\Microsoft\Windows\CurrentVersion\Run (+subkeys) ------------------------------------------------------------------------ c:\progra~1\grisoft\avg7\avgw.exe (GRISOFT, s.r.o.) 010 HKLM\SYSTEM\CurrentControlSet\Services (Services) ----------------------------------------------------- C:\WINDOWS\microsoft.net\framework\v1.1.4322\aspnet_state.exe (ASP.NET State Service) * c:\program files\grisoft\avg anti-spyware 7.5\guard.exe (AVG Anti-Spyware Guard) c:\progra~1\grisoft\avg7\avgfwsrv.exe (AVG Firewall) c:\progra~1\grisoft\avg7\avgamsvr.exe (AVG7 Alert Manager Server) c:\progra~1\grisoft\avg7\avgrssvc.exe (AVG7 Resident Shield Service) c:\progra~1\grisoft\avg7\avgupsvc.exe (AVG7 Update Service) c:\program files\diskeeper corporation\diskeeper\dkservice.exe (Diskeeper) c:\program files\common files\installshield\driver\11\intel 32\idrivert.exe (InstallDriver Table Manager) * C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Display Driver Service) * c:\windows\system32\hpzipm12.exe (Pml Driver HPZ12) 011 HKLM\SYSTEM\CurrentControlSet\Services (drivers) ---------------------------------------------------- - f:\cds300\cds300.dll (6a115eed-b0e0-4a9b-a697-ef58bbd52473) * C:\WINDOWS\system32\drivers\ltmdmnt.sys (Agere Modem Driver) * C:\WINDOWS\system32\drivers\avgascln.sys (AVG Anti-Spyware Clean Driver) * c:\program files\grisoft\avg anti-spyware 7.5\guard.sys (AVG Anti-Spyware Driver) c:\windows\system32\drivers\avgclean.sys (AVG7 Clean Driver) - c:\windows\system32\drivers\awrtpd.sys (AW Realtime Driver) C:\WINDOWS\system32\drivers\sptd.sys (Boot Bus Extender) * C:\WINDOWS\system32\drivers\emaudio.sys (Dazzle DVC Audio Device) * C:\WINDOWS\system32\drivers\emdevice.sys (Dazzle DVC Video Device) * C:\WINDOWS\system32\drivers\ptilink.sys (Direct Parallel Link Driver) * C:\WINDOWS\system32\drivers\pxhelp20.sys (Filter) * C:\WINDOWS\system32\drivers\gearaspiwdm.sys (GEAR CDRom Filter) * C:\WINDOWS\system32\drivers\hpzid412.sys (IEEE-1284.4 Driver HPZid412) * C:\WINDOWS\system32\drivers\ialmkchw.sys (Intel� Graphics Chipset (KCH) Driver) * C:\WINDOWS\system32\drivers\ialmsbw.sys (Intel� Graphics Platform (SoftBIOS) Driver) - c:\windows\system32\drivers\lmouke.sys (Logitech SetPoint Mouse Filter Driver) - c:\windows\system32\drivers\lhidusbk.sys (Logitech SetPoint USB Receiver device driver) * C:\WINDOWS\system32\drivers\nv_agp.sys (NVIDIA nForce AGP Bus Filter) * C:\WINDOWS\system32\drivers\nvenet.sys (NVIDIA nForce MCP Networking Controller Driver) * C:\WINDOWS\system32\drivers\nvxbar.sys (nVidia WDM A/V Crossbar) * C:\WINDOWS\system32\drivers\nvcap.sys (nVidia WDM Video Capture (universal)) c:\windows\system32\drivers\pclepci.sys (PCLEPCI) C:\WINDOWS\system32\drivers\marvinbus.sys (Pinnacle Marvin Bus) * C:\WINDOWS\system32\drivers\hpzipr12.sys (Print Class Driver for IEEE-1284.4 HPZipr12) * C:\WINDOWS\system32\drivers\ps2.sys (PS2) - c:\windows\system32\drivers\pssdk23.drv (PSSdk23) * C:\WINDOWS\system32\drivers\r8139n51.sys (Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver) c:\program files\superantispyware\sasdifsv.sys (SASDIFSV) c:\program files\superantispyware\sasenum.sys (SASENUM) c:\program files\superantispyware\saskutil.sys (SASKUTIL) * C:\WINDOWS\system32\drivers\fasttx2k.sys (SCSI Miniport) C:\WINDOWS\system32\drivers\sdcplh.sys (sdcplh) C:\WINDOWS\system32\drivers\secdrv.sys (Secdrv) * C:\WINDOWS\system32\drivers\alcxwdm.sys (Service for Realtek AC97 Audio (WDM)) * C:\WINDOWS\system32\drivers\sisagpx.sys (SiS AGP Filter) * C:\WINDOWS\system32\drivers\srvkp.sys (SiS VGA Driver Manager) * C:\WINDOWS\system32\drivers\emfilter.sys (USB Device Lower Filter) * C:\WINDOWS\system32\drivers\emscan.sys (USB Still Image Capture Device) * C:\WINDOWS\system32\drivers\hpzius12.sys (USB to IEEE-1284.4 Translation Driver HPZius12) * C:\WINDOWS\system32\drivers\viaagp1.sys (VIA AGP Filter) * C:\WINDOWS\system32\drivers\vtmini.sys (viagfx) * C:\WINDOWS\system32\drivers\s3gnbm.sys (Video) * C:\WINDOWS\system32\drivers\ialmnt5.sys (Video) * C:\WINDOWS\system32\drivers\nv4_mini.sys (Video) * C:\WINDOWS\system32\drivers\sisgrp.sys (Video) C:\WINDOWS\system32\drivers\pcouffin.sys (VSO Software pcouffin) 030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter ------------------------------------------ c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D} c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D} c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D} 035 HKLM-HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components ------------------------------------------------------------------ c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820} 050 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ----------------------------------------------------------------------------- * c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll (GRISOFT s.r.o.) {57B86673-276A-48B2-BAE7-C6DBB3020EB8} c:\program files\superantispyware\sasseh.dll (SuperAdBlocker.com) {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} 052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects ---------------------------------------------------------------------------------- * c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll (Adobe Systems Incorporated) {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} 061 HKLM-HCKU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved --------------------------------------------------------------------------------- c:\program files\grisoft\avg7\avgse.dll (GRISOFT, s.r.o.) {9F97547E-460A-42C5-AE0C-81C61FFAEBC3} c:\program files\grisoft\avg7\avgse.dll (GRISOFT, s.r.o.) {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} c:\windows\system32\nvshell.dll (NVIDIA Corporation) {1CDB2949-8F65-4355-8456-263E7C208A5D} c:\windows\system32\nvshell.dll (NVIDIA Corporation) {1E9B04FB-F9E5-4718-997B-B8DA88302A47} - deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3} c:\windows\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43} * c:\windows\system32\hticons.dll (Hilgraeve, Inc.) {88895560-9AA2-1069-930E-00AA0030EBC8} * c:\program files\itunes\itunesminiplayer.dll (Apple Inc.) {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} c:\program files\common files\ahead\lib\nerodigitalext.dll (Nero AG) {B327765E-D724-4347-8B16-78AE18552FC3} c:\program files\common files\ahead\lib\nerodigitalext.dll (Nero AG) {7F1CF152-04F8-453A-B34C-E609530A9DC8} * c:\windows\system32\nvcpl.dll (NVIDIA Corporation) {A70C977A-BF00-412C-90B7-034C51DA2439} c:\windows\system32\nvshell.dll (NVIDIA Corporation) {1E9B04FB-F9E5-4718-997B-B8DA88302A48} * c:\windows\system32\nvcpl.dll (NVIDIA Corporation) {FFB699E0-306A-11d3-8BD1-00104B6F7516} c:\program files\poweriso\pwrisosh.dll (PowerISO Computing, Inc.) {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} c:\windows\system32\shellvrtf.dll (XSS) {7F67036B-66F1-411A-AD85-759FB9C5B0DB} 062 HKLM-HKCU\Software\Classes\Folder\Shellex\ColumnHandlers ------------------------------------------------------------ c:\program files\common files\ahead\lib\nerodigitalext.dll (Nero AG) {7D4D6379-F301-4311-BEBA-E26EB0561882} c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627} 067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify --------------------------------------------------------------------- c:\program files\superantispyware\saswinlo.dll (SUPERAntiSpyware.com) C:\WINDOWS\system32\avgwlntf.dll (GRISOFT, s.r.o.) * C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation) 068 HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 -------------------------------------------------------------------------------- c:\windows\system32\avgfwafu.dll (GRISOFT, s.r.o.) c:\windows\system32\avgfwafu.dll (GRISOFT, s.r.o.) c:\windows\system32\avgfwafu.dll (GRISOFT, s.r.o.) c:\windows\system32\avgfwafu.dll (GRISOFT, s.r.o.) c:\windows\system32\avgfwafu.dll (GRISOFT, s.r.o.) 069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors -------------------------------------------------------- * C:\WINDOWS\system32\hpzlnt09.dll (HP) 073 %windir%\Tasks ------------------ Ad-Aware SE Personal.job : c:\progra~1\lavasoft\ad-awa~2\ad-aware.exe AppleSoftwareUpdate.job : c:\program files\apple software update\softwareupdate.exe (Apple Inc.) 100 Internet Explorer settings ------------------------------ CustomizeSearch HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm Default_Page_URL HKLM : http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome Default_Search_URL HKLM : http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch ProxyOverride HKCU : .local Search Page HKCU : http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch Search Page HKLM : http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch SearchAssistant HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm Start Page HKCU : http://go.microsoft.com/fwlink/?LinkId=566...&ar=msnhome Start Page HKLM : http://qus10.hpwis.com/ 102 HKLM - HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars ------------------------------------------------------------------ GUID / CLSID not found {32683183-48a0-441b-a342-7c2a440a9478} 104 HKLM\Software\Microsoft\Code Store Database\Distribution Units ------------------------------------------------------------------ c:\program files\java\j2re1.4.2\bin\npjpi142.dll (JavaSoft / Sun Microsystems, Inc.) {8AD9C840-044E-11D1-B3E9-00805F499D93} c:\program files\java\j2re1.4.2\bin\npjpi142.dll (JavaSoft / Sun Microsystems, Inc.) {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} c:\windows\system32\macromed\flash\flash.ocx (Macromedia, Inc.) {D27CDB6E-AE6D-11CF-96B8-444553540000} 105 HKCU\Software\Microsoft\Internet Explorer\MenuExt ----------------------------------------------------- E&xport to Microsoft Excel : res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 160 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System ------------------------------------------------------------------ DisableRegistryTools : 0 161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System ------------------------------------------------------------------ dontdisplaylastusername : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 170 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ------------------------------------------------------------------------ I : I:\RunGame.exe 173 HKCR\\shellex\ContextMenuHandlers -------------------------------------- c:\program files\grisoft\avg anti-spyware 7.5\context.dll (GRISOFT s.r.o.) {8934FCEF-F5B8-468f-951F-78A921CD3920} c:\program files\poweriso\pwrisosh.dll (PowerISO Computing, Inc.) {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} c:\program files\grisoft\avg7\avgse.dll (GRISOFT, s.r.o.) {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} c:\program files\superantispyware\sasctxmn.dll (SUPERAntiSpyware.com) SUPERAntiSpyware Context Menu Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:15:46 PM, on 8/30/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\taskmgr.exe C:\Documents and Settings\L33T\Desktop\runscanner\RunScanner.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...&ar=msnhome R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137457062828 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137456947812 O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe -- End of file - 4284 bytes This post has been edited by 449: Aug 30 2007, 11:17 AM Attached File(s)* run.zip ( 66.82K ) Number of downloads: 7

MoNsTeReNeRgY22 View Member Profile	Aug 30 2007, 11:16 AM Post #10
Member Posts: 2,264 From: Classified, CA OS: Windows XP Media Center Editon SP2	Thanks. Give me some time to look over the RunScanner log.

MoNsTeReNeRgY22