Infected but can't get what is it [Solved]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

2 Pages

1 2 >

Infected but can't get what is it [Solved], I have some weird files and the pc is slow, yet most scan show nothing

Options

sage5 View Member Profile	Jun 5 2009, 12:54 AM Post #2
RIP 10/2009 Posts: 2,646 From: NE Victoria, Australia OS: WinXp SP3	Hi Noki, Welcome to Geeks To Go, I'm sorry that we haven't got to you until now, but the forum can get hectic at times. I am sage5, and I will be helping you with this problem. There are a some things that I need to make clear to you, before we continue, that will help us both: Please read all of my instructions, in each post, before you continue with the fix. (If there is anything that you need clarified/don't understand, please ask) Please don't perform any steps/fixes with tools that I have not asked you to do. Many of the fixes require specific steps to be taken in a set order. Make sure that all of the logs/reports, that I ask for, get posted completely. Check out the information Here, if you are unsure how to send replies etc OK, on with the fix: First I need you to download the following tools & save them to your Desktop. ComboFix from one of these locations: Link 1 Link 2 Link 3 * IMPORTANT !!! Save ComboFix.exe to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the text from C:\ComboFix.txt** in your next reply. Cheers, sage5

Noki View Member Profile	Jun 10 2009, 07:10 PM Post #3
Member Posts: 16 OS: xp	Hi, Sorry for the delay but I got the log, rt now the pc is very slow and so I decided to unplug it from the inet. Now the log. ComboFix 09-06-09.01 - Owner 10/06/2009 16:29.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.120 [GMT -4:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe AV: AVG Anti-Virus Free On-access scanning disabled (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} FW: ZoneAlarm Firewall enabled {829BDA32-94B3-44F4-8446-F8FCFF809F8B} * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Owner\Favorites\Online Security Guide.lnk c:\windows\system32\ajtafxmt.ini c:\windows\system32\bgbuwmmg.ini c:\windows\system32\cpyfhfrn.ini c:\windows\system32\eeoyibbc.ini c:\windows\system32\eevxajyv.ini c:\windows\system32\endrhobk.ini c:\windows\system32\gfhkj.bak1 c:\windows\system32\gfhkj.bak2 c:\windows\system32\gfhkj.ini c:\windows\system32\giyofkro.ini c:\windows\system32\hbnqpyqu.ini c:\windows\system32\ilsxugas.ini c:\windows\system32\kkopwehf.ini c:\windows\system32\kscnhita.ini c:\windows\system32\nuplshji.ini c:\windows\system32\piyhfbeh.ini c:\windows\system32\pyblkord.ini c:\windows\system32\qldkxmvq.ini c:\windows\system32\rkhwkutu.ini c:\windows\system32\tkrocfxf.ini c:\windows\system32\uscjcqvl.ini c:\windows\system32\vkqslmnf.ini c:\windows\system32\vuourgxk.ini c:\windows\system32\wevakxdj.ini c:\windows\system32\wjmkijdd.ini c:\windows\system32\wyfltmcl.ini c:\windows\system32\ynlcqpxf.ini . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_DOMAINSERVICE ((((((((((((((((((((((((( Files Created from 2009-05-10 to 2009-06-10 ))))))))))))))))))))))))))))))) . 2009-05-31 23:47 . 2009-05-31 23:47 -------- d-----w- c:\windows\system32\scripting 2009-05-31 23:47 . 2009-05-31 23:47 -------- d-----w- c:\windows\l2schemas 2009-05-31 23:47 . 2009-05-31 23:47 -------- d-----w- c:\windows\system32\en 2009-05-31 23:47 . 2009-05-31 23:47 -------- d-----w- c:\windows\system32\bits 2009-05-31 23:42 . 2009-05-31 23:48 -------- d-----w- c:\windows\ServicePackFiles 2009-05-31 23:26 . 2009-05-31 23:26 -------- d-----w- c:\windows\EHome 2009-05-31 22:49 . 2009-05-31 22:49 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache 2009-05-31 22:47 . 2009-05-31 22:47 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE 2009-05-31 22:42 . 2009-05-31 22:42 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2009-05-31 22:41 . 2009-05-31 22:41 -------- d-sh--w- c:\documents and settings\Owner\IETldCache 2009-05-31 22:36 . 2009-05-31 22:36 -------- d-----w- c:\windows\ie8updates 2009-05-31 22:35 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll 2009-05-31 22:31 . 2009-05-31 22:35 -------- dc-h--w- c:\windows\ie8 2009-05-31 15:43 . 2009-05-31 15:44 -------- d-----w- C:\a0339e955f04ee68d2 2009-05-31 15:41 . 2009-05-31 16:05 -------- d-----w- c:\windows\SxsCaPendDel 2009-05-31 05:50 . 2009-05-31 05:51 -------- d-----w- C:\Rooter$ 2009-05-31 05:28 . 2009-05-31 05:28 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2009-05-20 05:22 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll 2009-05-20 05:22 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll 2009-05-20 05:22 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe 2009-05-20 05:22 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll 2009-05-20 05:22 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe 2009-05-20 05:22 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll 2009-05-20 05:22 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll 2009-05-20 05:22 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll 2009-05-20 05:22 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll 2009-05-20 05:22 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe 2009-05-20 05:22 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe 2009-05-20 05:22 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe 2009-05-20 05:20 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll 2009-05-20 05:20 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe 2009-05-20 04:12 . 2009-05-20 04:12 -------- d-----w- c:\documents and settings\Owner\Tracing 2009-05-20 04:08 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll 2009-05-20 04:08 . 2009-05-20 04:08 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition 2009-05-20 04:05 . 2009-05-20 04:05 -------- d-----w- c:\program files\Microsoft 2009-05-20 04:04 . 2009-05-20 04:04 -------- d-----w- c:\program files\Windows Live SkyDrive 2009-05-20 04:04 . 2009-05-20 04:10 -------- d-----w- c:\program files\Windows Live 2009-05-20 03:43 . 2009-05-20 03:43 -------- d-----w- c:\program files\Common Files\Windows Live 2009-05-19 19:01 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys 2009-05-19 14:18 . 2009-05-19 14:17 410984 ----a-w- c:\windows\system32\deploytk.dll 2009-05-19 14:15 . 2009-05-19 14:15 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll 2009-05-19 11:55 . 2009-05-19 11:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes 2009-05-19 11:55 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-05-19 11:55 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-05-19 11:55 . 2009-05-31 05:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-05-19 11:55 . 2009-05-19 11:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-05-19 03:30 . 2009-06-01 20:33 -------- d--h--w- C:\$AVG8.VAULT$ 2009-05-19 02:33 . 2009-05-19 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP 2009-05-19 02:23 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vuedfkts.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll 2009-05-19 02:07 . 2009-05-19 02:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-05-19 02:07 . 2009-05-19 02:07 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-05-19 02:07 . 2009-05-19 02:07 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-05-19 02:07 . 2009-06-02 16:50 -------- d-----w- c:\windows\system32\drivers\Avg 2009-05-19 02:07 . 2009-05-19 02:07 -------- d-----w- c:\program files\AVG 2009-05-19 02:07 . 2009-05-19 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-05-19 01:24 . 2009-02-16 04:10 69000 ----a-w- c:\windows\system32\zlcomm.dll 2009-05-19 01:24 . 2009-02-16 04:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll 2009-05-19 01:24 . 2009-02-16 04:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll 2009-05-19 00:50 . 2009-05-19 00:50 -------- d-----w- c:\program files\CCleaner 2009-05-15 03:33 . 2009-05-15 03:33 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\RcIncidents . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-06-10 20:22 . 2006-10-04 20:56 42308 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat 2009-06-01 00:32 . 2008-03-01 00:49 -------- d-----w- c:\program files\GetRight 2009-05-31 23:52 . 2006-10-04 20:10 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat 2009-05-29 21:10 . 2008-09-06 22:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Canon 2009-05-27 15:25 . 2007-04-18 23:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype 2009-05-20 06:38 . 2009-01-17 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2009-05-20 06:35 . 2006-10-04 20:47 -------- d-----w- c:\program files\Microsoft Works 2009-05-20 05:45 . 2008-02-29 22:04 -------- d-----w- c:\program files\Microsoft Silverlight 2009-05-19 17:49 . 2008-02-29 07:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-05-19 14:17 . 2007-04-28 00:03 -------- d-----w- c:\program files\Java 2009-05-19 14:05 . 2008-02-29 07:25 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-05-19 02:37 . 2008-02-29 07:32 -------- d-----w- c:\program files\SpywareBlaster 2009-05-19 02:23 . 2008-03-01 00:48 167376 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vuedfkts.default\FlashGot.exe 2009-05-19 02:07 . 2008-02-29 07:40 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-05-19 01:24 . 2007-04-28 00:51 4212 ---ha-w- c:\windows\system32\zllictbl.dat 2009-05-19 00:58 . 2007-04-18 23:54 -------- d-----w- c:\program files\Google 2009-05-19 00:33 . 2008-02-29 07:36 -------- d-----w- c:\program files\SpywareGuard 2009-05-19 00:33 . 2006-11-29 22:08 -------- d-----w- c:\program files\Windows Live Toolbar 2009-05-19 00:32 . 2007-04-12 15:54 -------- d-----w- c:\program files\Yahoo! 2009-05-17 17:26 . 2009-05-17 17:27 38912 ----a-w- c:\windows\Internet Logs\xDB115.tmp 2009-05-16 14:51 . 2009-05-16 17:59 88064 ----a-w- c:\windows\Internet Logs\xDB114.tmp 2009-05-13 23:38 . 2009-05-13 23:41 77312 ----a-w- c:\windows\Internet Logs\xDB113.tmp 2009-05-11 19:13 . 2009-05-11 19:16 28672 ----a-w- c:\windows\Internet Logs\xDB112.tmp 2009-05-11 12:37 . 2009-05-11 16:30 23040 ----a-w- c:\windows\Internet Logs\xDB111.tmp 2009-05-11 00:59 . 2009-05-11 01:00 28672 ----a-w- c:\windows\Internet Logs\xDB110.tmp 2009-05-10 18:26 . 2009-05-10 23:20 43520 ----a-w- c:\windows\Internet Logs\xDB10F.tmp 2009-05-09 03:42 . 2009-05-09 12:21 33280 ----a-w- c:\windows\Internet Logs\xDB10E.tmp 2009-05-08 04:51 . 2009-05-08 22:18 42496 ----a-w- c:\windows\Internet Logs\xDB10D.tmp 2009-05-07 21:37 . 2009-05-08 02:10 39424 ----a-w- c:\windows\Internet Logs\xDB10C.tmp 2009-05-07 01:28 . 2009-05-07 13:55 68096 ----a-w- c:\windows\Internet Logs\xDB10B.tmp 2009-05-05 01:28 . 2009-05-05 11:26 32256 ----a-w- c:\windows\Internet Logs\xDB10A.tmp 2009-05-04 12:31 . 2009-05-04 23:58 53248 ----a-w- c:\windows\Internet Logs\xDB109.tmp 2009-05-02 23:49 . 2009-05-03 13:04 27648 ----a-w- c:\windows\Internet Logs\xDB108.tmp 2009-05-02 14:00 . 2009-05-02 22:41 27648 ----a-w- c:\windows\Internet Logs\xDB107.tmp 2009-05-02 01:46 . 2009-05-02 12:27 138240 ----a-w- c:\windows\Internet Logs\xDB106.tmp 2009-05-01 11:33 . 2008-04-08 20:03 26936763 ----a-w- c:\windows\Internet Logs\tvDebug.zip 2009-04-28 00:31 . 2009-04-28 12:06 54272 ----a-w- c:\windows\Internet Logs\xDB105.tmp 2009-04-25 20:52 . 2009-04-26 11:19 53248 ----a-w- c:\windows\Internet Logs\xDB104.tmp 2009-04-25 14:20 . 2009-04-25 16:52 27136 ----a-w- c:\windows\Internet Logs\xDB103.tmp 2009-04-24 17:55 . 2009-04-25 12:13 29184 ----a-w- c:\windows\Internet Logs\xDB102.tmp 2009-04-24 01:14 . 2009-04-24 14:54 26112 ----a-w- c:\windows\Internet Logs\xDB101.tmp 2009-04-23 20:51 . 2009-04-23 23:42 96768 ----a-w- c:\windows\Internet Logs\xDB100.tmp 2009-04-21 01:23 . 2009-04-22 00:31 61440 ----a-w- c:\windows\Internet Logs\xDBFF.tmp 2009-04-19 03:11 . 2009-04-19 12:27 66048 ----a-w- c:\windows\Internet Logs\xDBFE.tmp 2009-04-16 17:56 . 2009-04-16 21:52 37888 ----a-w- c:\windows\Internet Logs\xDBFD.tmp 2009-04-15 01:18 . 2009-04-15 19:53 57344 ----a-w- c:\windows\Internet Logs\xDBFC.tmp 2009-04-13 20:41 . 2009-04-14 00:23 36864 ----a-w- c:\windows\Internet Logs\xDBFB.tmp 2009-04-13 03:30 . 2009-04-13 12:16 35840 ----a-w- c:\windows\Internet Logs\xDBFA.tmp 2009-04-12 13:08 . 2009-04-12 17:23 62976 ----a-w- c:\windows\Internet Logs\xDBF9.tmp 2009-04-09 22:19 . 2009-04-09 22:20 31744 ----a-w- c:\windows\Internet Logs\xDBF8.tmp 2009-04-09 20:09 . 2009-04-09 20:30 40960 ----a-w- c:\windows\Internet Logs\xDBF7.tmp 2009-04-08 14:33 . 2009-04-08 19:54 38400 ----a-w- c:\windows\Internet Logs\xDBF6.tmp 2009-04-07 05:08 . 2009-04-07 11:45 61952 ----a-w- c:\windows\Internet Logs\xDBF5.tmp 2009-04-05 00:10 . 2009-04-05 00:11 36864 ----a-w- c:\windows\Internet Logs\xDBF4.tmp 2009-04-04 13:04 . 2009-04-04 15:29 144384 ----a-w- c:\windows\Internet Logs\xDBF3.tmp 2009-03-28 20:52 . 2009-03-29 13:13 34304 ----a-w- c:\windows\Internet Logs\xDBF2.tmp 2009-03-28 13:46 . 2009-03-28 17:21 125440 ----a-w- c:\windows\Internet Logs\xDBF1.tmp 2009-03-27 13:04 . 2009-03-27 23:57 24576 ----a-w- c:\windows\Internet Logs\xDBF0.tmp 2009-03-27 04:46 . 2009-03-27 11:56 146944 ----a-w- c:\windows\Internet Logs\xDBEF.tmp 2009-03-25 10:29 . 2006-10-04 20:27 130432 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys 2009-03-22 15:37 . 2009-03-22 16:06 87040 ----a-w- c:\windows\Internet Logs\xDBEE.tmp 2009-03-21 03:58 . 2009-03-21 11:31 81408 ----a-w- c:\windows\Internet Logs\xDBED.tmp 2009-03-19 23:06 . 2009-03-19 23:07 36352 ----a-w- c:\windows\Internet Logs\xDBEC.tmp 2009-03-19 12:04 . 2009-03-19 13:18 25088 ----a-w- c:\windows\Internet Logs\xDBEB.tmp 2009-03-19 02:07 . 2009-03-19 11:19 50176 ----a-w- c:\windows\Internet Logs\xDBEA.tmp 2009-03-17 19:30 . 2009-03-18 01:03 28672 ----a-w- c:\windows\Internet Logs\xDBE9.tmp 2009-03-17 18:22 . 2009-03-17 18:27 149504 ----a-w- c:\windows\Internet Logs\xDBE8.tmp 2006-10-04 21:57 . 2006-10-04 21:57 56 -c--a-w- c:\program files\Common Files\appop.log . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "VX1000"="c:\windows\vVX1000.exe" [2006-10-13 707376] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-19 1947928] "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-10-15 14864384] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-05-19 02:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk backup=c:\windows\pss\Windows Search.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\FrostWire\\FrostWire.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"= "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"= R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [04/10/2006 5:56 PM 38784] R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [19/05/2009 3:01 PM 28544] R1 Ai2sXP;Ai2sXP;c:\windows\system32\drivers\Ai2sXP.sys [12/10/2006 10:17 AM 7296] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18/05/2009 10:07 PM 325896] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18/05/2009 10:07 PM 108552] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [18/05/2009 10:07 PM 908568] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [18/05/2009 10:07 PM 298776] R2 HPMobileDisk;HPMobileDisk;c:\windows\system32\drivers\hpmobiledisk.sys [05/10/2006 8:49 AM 199040] S2 ieik9uaaan;Print Spooler Service;c:\windows\system32\kgngdne.exe /service --> c:\windows\system32\kgngdne.exe [?] S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [04/10/2006 5:56 PM 116224] S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [29/02/2008 2:05 AM 44928] --- Other Services/Drivers In Memory --- Deregistered - udffsrec [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . - - - - ORPHANS REMOVED - - - - BHO-{AA53ED35-9CED-402F-AAE5-32482DDB343D} - c:\windows\system32\jkhfg.dll HKLM-Run-NWEReboot - (no file) HKU-Default-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe HKU-Default-RunOnce-IETI - c:\program files\Skype\Phone\IEPlugin\unins000.exe Notify-opnmnmm - opnmnmm.dll SafeBoot-procexp90.Sys . ------- Supplementary Scan ------- . uInternet Connection Wizard,ShellNext = iexplore uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR IE: &Search - ?p=ZJxdm088YYCA IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vuedfkts.default\ FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPGetRt.dll FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-06-10 16:37 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(676) c:\windows\system32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(2632) c:\windows\system32\ieframe.dll c:\windows\system32\OneX.DLL c:\windows\system32\eappprxy.dll c:\windows\system32\msls31.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\ati2evxx.exe c:\windows\system32\ZoneLabs\vsmon.exe c:\windows\system32\ati2evxx.exe c:\windows\system32\Crypserv.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Microsoft LifeCam\MSCamS32.exe c:\windows\system32\searchindexer.exe c:\program files\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\program files\Canon\CAL\CALMAIN.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\windows\system32\wscntfy.exe . ************************************************************************ . Completion time: 2009-06-10 16:46 - machine was rebooted ComboFix-quarantined-files.txt 2009-06-10 20:46 Pre-Run: 139,502,366,720 bytes free Post-Run: 139,395,616,768 bytes free 308 --- E O F --- 2009-03-14 02:02

sage5 View Member Profile	Jun 10 2009, 09:52 PM Post #4
RIP 10/2009 Posts: 2,646 From: NE Victoria, Australia OS: WinXp SP3	Hi Noki, That is looking much better. This is worrying, from the last log: QUOTE ComboFix 09-06-09.01 - Owner 10/06/2009 16:29.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.120 [GMT -4:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe AV: AVG Anti-Virus Free On-access scanning disabled (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} FW: ZoneAlarm Firewall enabled {829BDA32-94B3-44F4-8446-F8FCFF809F8B} * Created a new restore point Do you have a subscription to AVG, or use the free version? If using the freebie, update to the new version, Here If you want to try something else/better: I have listed a couple of free versions below. Please download and install 1 of them Anti-virus: Please install one only: Avast! Free Edition or Avira AntiVir Personal Anti-Virus Tutorials/Manuals: Avast Tutorial Avast Home Edition Manual Antivir Manual Please allow the new Anti-virus to run a full System scan, and at the end of the process you should be able to save a scan log. If the scan report window does not have a "Save as Report" button (or similar), please highlight the text in the window & copy & paste it to a new Notepad file. Save it as C:\avscan.txt if you can. Cheers, sage5

Noki View Member Profile	Jun 12 2009, 04:34 PM Post #5
Member Posts: 16 OS: xp	Hi, that maybe because the inet on that pc was unplugged the day before or so, since is not updating....besides I never let the AV to run outdated, believe it or not I have cleaned this pc before and thats why I know it should stay updated on every thing. Btw I did unplugged the inet because the pc is acting weird even after the cleaning, still slow and you can hear the machine working really hard. I'll run the scan and I'll come back with the log.

sage5 View Member Profile	Jun 22 2009, 04:18 PM Post #6
RIP 10/2009 Posts: 2,646 From: NE Victoria, Australia OS: WinXp SP3	Due to lack of feedback, this topic has been closed. If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

sage5 View Member Profile	Jun 25 2009, 01:00 AM Post #7
RIP 10/2009 Posts: 2,646 From: NE Victoria, Australia OS: WinXp SP3	Due to the length of time between posts please delete your version of OTL.exe from the Desktop & download a fresh version from: OTListIt Run OTL: Close all open windows and double click the OTL.exe icon on your Desktop Tick the Scan all Users box, & the Use Whitelist box. Leave the File Age: box to 30 days Tick the LOP Check & Purity Check boxes. Click the Run Scan button and let the program run uninterrupted. It will produce two logs for you. OTL.txt will open automatically. The other one will be saved on your desktop as Extras.txt I need you to post the text from both of those logs here. NOTE: These can be large files, and there is a limit to the number of characters that can be posted at once on this forum. It may require you to make 2 posts, to get all the information to me

Noki View Member Profile	Jun 25 2009, 10:28 PM Post #8
Member Posts: 16 OS: xp	Thx again for re-opening the topic, I'll bring this to you in the next couple days and I'll add a new AV scan log.

sage5 View Member Profile	Jun 28 2009, 08:40 PM Post #10
RIP 10/2009 Posts: 2,646 From: NE Victoria, Australia OS: WinXp SP3	[Hi Noki, color=purple]I see you have FrostWire installed on your system.[/color] While the program itself is legal, most of the files downloaded with it, are not. These programs are also one of the major infection routes for an otherwise secure PC. A very high proportion if files on Peer to Peer networks are infected with Trojans & other malware. I highly recommend uninstalling FrostWire as outlined below. Remove folders & files: Please go to Start > Control Panel > Add/Remove Programs and remove the following, (if present): FrostWire 4.13.1.7 BETA Java� SE Runtime Environment 6 Update 1 Java� 6 Update 3 Please take note of any other programs that you don't recognise in that list, and if you are not using them, uninstall them. Run OTL.exe Under the Custom Scans/Fixes box at the bottom, paste in the following CODE :OTL PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) SRV - (ieik9uaaan [Auto \| Stopped]) -- File not found O15 - HKLM\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone. O15 - HKCU\..Trusted Domains: //@surf.mar@/ ([]money in Local intranet) O15 - HKCU\..Trusted Domains: 198 domain(s) and sub-domain(s) not assigned to a zone. :Services :Reg :Files :Commands [purity] [emptytemp] [resethosts] [start explorer] [Reboot] Then click the Run Fix button at the top Let the program run unhindered & reboot if necessary. Now you will EITHER: be asked to "Click OK to open the fix log". Click OK. ---> OR need to retrieve the fix log for me. It will be in the C:\_OTL\Moved Files folder named something like 06082009_112536.log (first 6 digits = date format MMDDYYY, last 6 digits = Time format HHMMSS (24hr)) Copy & paste the text from the most recent log.

Noki View Member Profile	Jun 30 2009, 05:32 PM Post #11
Member Posts: 16 OS: xp	Hi, so I deleted the copy of Frostwire and ran the fix, here is the log: ****************************************** All processes killed ========== OTL ========== No active process named explorer.exe was found! Service\Driver ieik9uaaan deleted successfully. File File not found not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msn.com\ deleted successfully. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//@surf.mar@/\ deleted successfully. ========== SERVICES/DRIVERS ========== ========== REGISTRY ========== ========== FILES ========== ========== COMMANDS ========== [EMPTYTEMP] User: All Users User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes User: LocalService ->Temp folder emptied: 0 bytes File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot. ->Temporary Internet Files folder emptied: 33170 bytes User: NetworkService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 32902 bytes User: Owner File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_f1c.dat scheduled to be deleted on reboot. File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF3D9.tmp scheduled to be deleted on reboot. ->Temp folder emptied: 17723432 bytes ->Temporary Internet Files folder emptied: 33170 bytes ->Java cache emptied: 0 bytes ->FireFox cache emptied: 29791293 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 19569 bytes %systemroot%\System32 .tmp files removed: 0 bytes File delete failed. C:\WINDOWS\temp\ZLT03d66.TMP scheduled to be deleted on reboot. Windows Temp folder emptied: 3992 bytes RecycleBin emptied: 189440 bytes Total Files Cleaned = 45.61 mb C:\WINDOWS\System32\drivers\etc\Hosts moved successfully. HOSTS file reset successfully Error: Unable to interpret <[start explorer]> in the current context! OTL by OldTimer - Version 3.0.5.3 log created on 06302009_192240 Files\Folders moved on Reboot... File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_f1c.dat not found! C:\Documents and Settings\Owner\Local Settings\Temp\~DF3D9.tmp moved successfully. File\Folder C:\WINDOWS\temp\ZLT03d66.TMP not found! Registry entries deleted on Reboot... *********************************************** Let me know whats next!!

sage5 View Member Profile	Jun 30 2009, 06:34 PM Post #12
RIP 10/2009 Posts: 2,646 From: NE Victoria, Australia OS: WinXp SP3	Hi Noki, Now, let's tidy up a few other bits. Re-run OTL.exe Under the Custom Scans/Fixes box at the bottom, paste in the following CODE :OTL PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - Reg Error: Key error. File not found O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - Reg Error: Key error. File not found O3 - HKU\S-1-5-21-673811579-4275867939-2855663147-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found O3 - HKU\S-1-5-21-673811579-4275867939-2855663147-1003\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key error. File not found O3 - HKU\S-1-5-21-673811579-4275867939-2855663147-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found O8 - Extra context menu item: &Search - ?p=ZJxdm088YYCA File not found :Services :Reg :Files c:\windows\system32\kgngdne.exe :Commands [start explorer] [Reboot] Then click the Run Fix button at the top Let the program run unhindered & reboot if necessary. Now you will EITHER: be asked to "Click OK to open the fix log". Click OK. ---> OR need to retrieve the fix log for me. It will be in the C:\_OTL\Moved Files folder named something like 06082009_112536.log (first 6 digits = date format MMDDYYY, last 6 digits = Time format HHMMSS (24hr)) Copy & paste the text from the most recent log. Please do an online scan with Kaspersky WebScanner Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below, to download and install the latest version. Upgrading Java: Download the latest version of Java Runtime Environment (JRE) 6 Update 14. Scroll down to where it says JRE 6 Update 14. Click the "Download" button to the right. Select your Operating System Platform, & Language and check the box that says: Java SE Runtime Environment 6u14 with JavaFX 1 License Agreement. Click on Continue. Click on the link to download jre-6u14-windows-i586.exe & save to your Desktop. Close all programs you may have running - especially your web browser, then double click on the jre-6u14-windows-i586.exe Note: this version should uninstall all the previous versions from your PC (Vista users, right click on the jre-6u14-windows-i586.exe and select "Run as an Administrator.") Proceed with the Scan: Read through the requirements and privacy statement and click on Accept button. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run. When the downloads have finished, click on Settings. Make sure the following are checked. Spyware, Adware, Dialers, and other potentially dangerous programs Archives Mail databases Click on My Computer under Scan. Once the scan is complete, it will display the results. Click on View Scan Report. You will see a list of infected items there. Click on Save Report As.... Save this report to a convenient place, like C:\kasper.txt Please post this log in your next reply.

Noki View Member Profile	Jul 3 2009, 09:21 PM Post #13
Member Posts: 16 OS: xp	Hi, I was able to run the scan using OTL, since the pc has no inet connection I can't use Kas, is there any other scanner that u may suggest that I can run offline? OTL log: *********************************** ========== OTL ========== Process explorer.exe killed successfully! Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}\ not found. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found. Registry value HKEY_USERS\S-1-5-21-673811579-4275867939-2855663147-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found. Registry value HKEY_USERS\S-1-5-21-673811579-4275867939-2855663147-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found. Registry value HKEY_USERS\S-1-5-21-673811579-4275867939-2855663147-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found. Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search\ deleted successfully. ========== SERVICES/DRIVERS ========== ========== REGISTRY ========== ========== FILES ========== File\Folder c:\windows\system32\kgngdne.exe not found. ========== COMMANDS ========== OTL by OldTimer - Version 3.0.5.3 log created on 07032009_220237

sage5 View Member Profile	Jul 3 2009, 10:16 PM Post #14
RIP 10/2009 Posts: 2,646 From: NE Victoria, Australia OS: WinXp SP3	I think you are ready to now get that machine back online & update ZoneAlarm & AVG. Then use the instructions above to run the Kaspersky scan. Let me know how you get on & post the scan results as your next reply. Cheers, sage5

Noki View Member Profile	Jul 4 2009, 02:08 PM Post #15
Member Posts: 16 OS: xp	Hi Sage, I would love to connect the pc, is just they are about to move to a new place out of the city, and the inet was the first service cut, so for the mean time there is no inet, that's why I wondered if there is another option while the pc is offline. Thanks so much for your attention and effort.

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

2 Pages

1 2 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal problem with spyware, i know what itis but can't get rid of it&nbs	8 / 414	3rd June 2006 - 08:29 AM Korel started - last by Jag11
Virus, Spyware and Trojan Removal Urgent: Computer Infected, but can't detect it?	0 / 102	9th January 2009 - 08:22 PM SometimesFound@ started - last by SometimesFound@
Virus, Spyware and Trojan Removal Malware, can't get rid of it [Solved] 12	15 / 466	12th May 2009 - 12:10 AM Pyetr started - last by Jimmy2012
Virus, Spyware and Trojan Removal Trojans Galore! I got some, but can't get them all... [Solved	3 / 457	29th June 2009 - 02:54 PM grandma2b started - last by Rorschach112