Critical System Error message on taskbar + slow computer.



#1 chenli (Member, 23 posts)
Ok, I've spent a couple days trying to get rid of this thing:

Posted Image

^^ it also turns to the no smoking symbol (without the cigarette). Basically, it sometimes pops up a little yellow speech bubble with the words "critical system error" in bold, and saying how viruses were found and how it will cause critical system failure and the like and it tells me to download antimalware, and on double clicking the icon, it goes to an IE page telling me to download one of the antivirus/spyware programmes - mainly virusbuster. Picture of the message to follow:

Posted Image

And the computer has been incredibly slow. Plus in the midst of this all, my bookmarks have disappeared from my Netscape browser. All this appeared on my computer on Friday at boot up. I hadn't been on it since the last Sunday in August, and it was fine then. I do know my dad used the computer on the Thursday, but he said he only used it to play online chess on his online chess programme or whatever it is he plays it on.

So far, I've attempted to run a scan with BitDefender, but the scan was so slow, only doing 8% in about 10 hours or more - and I think it may have made the computer worse, although it did tell me it had blocked several trojans. I've run Ad-Aware SE several times, but every time I scan, I get half way through and the programme just dies and goes into the "not responding" mode. I've also run Spybot Search and Destroy; it scans alright, finds a few things, but when it comes to fixing, it freezes on creating a restore point.

I've also run ewido in safe mode, and it quarantined all but one of the findings; the one it failed to quarantine was labeled as a trojan. I tried to delete the trojan by going directly to the file that the ewido log said it was, but the file wasn't there.

At the moment, the speed of the computer has increased, but only slightly. And the little icon on the taskbar is still there.

Anyways, the HijackThis log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 05:47:36, on 10/09/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\SOINTGR.EXE
C:\Program Files\Perfect Keyboard PRO\pk32.exe
C:\Program Files\Perfect Keyboard PRO\_loader.exe
C:\Program Files\Zoom\CnxDslTb.exe
C:\Program Files\Perfect Keyboard PRO\_prog.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files\Softwin\BitDefender9\bdnagent.exe
C:\Program Files\Softwin\BitDefender9\bdswitch.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Tesco internet phone\TescoIP.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\twain_32\S6U12BX\WATCH.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Documents and Settings\Alex\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.xobtynymo...1J/7ug_9tx.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btinternet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTinternet
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Program Files\X Password Manager\iesplugin.dll (file missing)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O4 - HKLM\..\Run: [Perfect Keyboard PRO] "C:\Program Files\Perfect Keyboard PRO\pk32.exe" /winstart
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Zoom\CnxDslTb.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE USB
O4 - HKLM\..\Run: [GsiFinal] rundll32 gspndll.dll,postInstall final
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\kazaalite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files\Softwin\BitDefender9\bdswitch.exe"
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Tesco internet phone] "C:\Program Files\Tesco internet phone\TescoIP.exe" /autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [e6783ac1.exe] C:\Documents and Settings\Alex\Local Settings\Application Data\e6783ac1.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Startup: .protected
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\S6U12BX\WATCH.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: .protected
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: VC Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\VCPOKE~1\client.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_90.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com/
O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://about.chatspa...va/cs4fs084.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.220 - http://wiredreality....va/cfs31220.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://irc.everywher...va/cfs31229.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://205.177.13.10...va/cfs31235.cab
O16 - DPF: ChatSpace Java Client 2.1.0.79 - http://65.95.142.201/Java/cs4ms079.cab
O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://servers.secur...va/cs4ms090.cab
O16 - DPF: ChatSpace Java Client 2.1.0.95 - http://chat.chatspac...va/cs4ms095.cab
O16 - DPF: ChatSpace Java Client 3.1.0.212 - http://moonchatuk.dy...va/cms31212.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Chat 1.3 - http://cs5.chat.sc5....m/c174/chat.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! Go - http://download.game...nts/y/gt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} -
O16 - DPF: {4E6F9E15-C8E3-4E19-B987-04EF390E9824} - http://www.betfair.c...stall/setup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{239D01FA-E874-43E0-BFDB-BF0613D4F9FD}: NameServer = 194.72.0.98 194.72.9.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{239D01FA-E874-43E0-BFDB-BF0613D4F9FD}: NameServer = 194.72.0.98 194.72.9.38
O21 - SSODL: died - {7fa55359-7223-410f-bc82-efb3e3ded07f} - C:\WINDOWS\System32\gtpbx.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


Help to fix this problem would be greatly appreciated.

Edited by chenli, 10 September 2006 - 08:26 AM.

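As an added illustration (not a tool from this thread or from the HijackThis project), the Python script below applies to a log like the one above the checks a malware-removal helper makes by eye: entries whose file is missing, autoruns launched from a user's profile or with random-looking names, bare filenames that Windows resolves via PATH at logon, a broken Winsock LSP chain (O10), shell service objects (O21), ActiveX/Java downloads served from a bare IP (O16), and start/search pages pointing at unfamiliar hosts. The sample lines are copied from the posted log, including the forum's URL truncation. The trusted-host list, the "user-writable path" fragments, and the treatment of an O23 "(file missing)" on a quoted service path with arguments as a HijackThis 1.99.1 reporting quirk are the author's assumptions, not facts from the thread.

```python
"""HijackThis 1.99.x log triage. Added example for this thread, not code from the
forum or from HijackThis: it applies the checks a helper makes by eye, and every
rule is a heuristic, so the output is a list of leads to verify, not verdicts."""
import re
from dataclasses import dataclass

# Sample input: lines copied from the log posted above (URLs as the forum truncated them).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.xobtynymo...1J/7ug_9tx.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btinternet.com/
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKCU\..\Run: [e6783ac1.exe] C:\Documents and Settings\Alex\Local Settings\Application Data\e6783ac1.exe
O4 - Startup: .protected
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_90.dll' missing
O16 - DPF: ChatSpace Java Client 2.1.0.79 - http://65.95.142.201/Java/cs4ms079.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} -
O21 - SSODL: died - {7fa55359-7223-410f-bc82-efb3e3ded07f} - C:\WINDOWS\System32\gtpbx.dll
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
"""

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)
IPV4_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[/:]|$)", re.I)
PROGRAM_RE = re.compile(r"(.*?\.(?:exe|dll|cmd|bat|scr))", re.I)
USER_WRITABLE = ("\\local settings\\", "\\temp\\", "\\application data\\")  # assumption
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "google.com", "btinternet.com", "yahoo.com")  # assumption

@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str

def _program(body):
    """Program launched by an O4 entry ('' when the entry carries no path at all)."""
    m = re.search(r"\]\s*(.*)$", body)
    if not m:
        return ""
    target = m.group(1).strip()
    if target.startswith('"'):  # quoted path, arguments follow the closing quote
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    pm = PROGRAM_RE.match(target)  # unquoted path: cut at the first extension
    return pm.group(1) if pm else target.split(" ")[0]

def _host(url):
    parts = url.split("/", 3)
    return parts[2].lower() if len(parts) > 2 else ""

def _check(section, body):
    """Heuristics for one entry; returns (severity, reason) or None."""
    low = body.lower()
    missing = "(file missing)" in low
    if section == "O4":
        prog = _program(body)
        if not prog:
            return "medium", "startup entry with no program path"
        if "\\" not in prog:
            return "medium", f"bare filename '{prog}' is resolved via PATH at logon"
        if any(w in prog.lower() for w in USER_WRITABLE) or HEX_NAME_RE.match(prog.rsplit("\\", 1)[-1]):
            return "high", "autorun from a user-writable path or with a random-looking name"
    elif section in ("R0", "R1"):
        um = re.search(r"=\s*(https?://\S+)", body, re.I)
        host = _host(um.group(1)) if um else ""
        if host and not any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS):
            return "medium", f"start/search page points at untrusted host {host}"
    elif section == "O10":
        if "broken" in low:
            return "high", "Winsock LSP chain is broken; repair the chain rather than just deleting the DLL"
        return "low", "Winsock LSP entry; confirm the DLL belongs to a known vendor"
    elif section == "O16":
        if "http" not in low:
            return "medium", "ActiveX/Java object with no recorded download URL"
        im = IPV4_URL_RE.search(body)
        if im:
            return "medium", f"CAB downloaded from bare IP {im.group(1)}"
    elif section == "O21":
        return "high", "shell service object DLL loaded by Explorer at logon; rarely legitimate outside Microsoft's own entries"
    elif section == "O23" and missing:
        if re.search(r'"\s*/\S+\s*\(file missing\)', body):
            # Assumption: HJT 1.99.1 misreports quoted service paths that carry arguments as missing.
            return "low", "quoted service path with arguments; likely a reporting quirk, verify on disk"
        return "medium", "service whose binary is missing"
    if missing:
        return "medium", "entry references a file that no longer exists (orphan of a partial removal)"
    return None

def triage(log_text):
    """Parse every 'Oxx - ' / 'Rx - ' entry and collect the flagged ones."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        hit = _check(m.group(1), m.group(2)) if m else None
        if hit:
            findings.append(Finding(m.group(1), hit[0], hit[1], raw.strip()))
    return findings

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}\n         {f.line}")
```

Run it as-is to see the sample log ranked, or pass the full text of a saved log to `triage()`. Note what it does not do: it does not decide that an entry is malicious, only that it matches a pattern worth checking, which is why the avast! and BTinternet lines come out clean while the hex-named executable under Local Settings and the SSODL entry come out on top.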


#2 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
In future, just copy and paste all information rather than use one of the "buttons". It just makes it more difficult to read, as you'll see if you compare your first and second posts.

Rename your copy of hijackthis.exe to search.exe and post a fresh log. Occasionally nasties can interfere with the normal workings of HJT and this is one way round it.

Also, run HJT:
  • Click Open the Misc Tools section.
  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.


#3 chenli (Topic Starter, Member, 23 posts)
Well, I don't understand what you mean in the first paragraph. And after changing the name of HijackThis.exe to Search.exe, I am now unable to use HijackThis to create a log file, as it scans and doesn't finish; it just stays on O23 and goes into not responding mode, and when I try to save the list in the uninstall manager part it goes into not responding mode. I tried to re-download HijackThis from the site, but when I click "I agree", Netscape goes into not responding mode.

And now, after having to reboot my comp, I now have the error come up "Explorer.exe - corrupt file" "The file or directory /WINDOWS/System32/wyaddini2 is corrupt and unreadable. Please run the chkdsk utility"

I don't even know what the chkdsk utility is, and I am my wits end here.

#4 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
Renaming a file makes no difference to the file or your PC as long as the file extension, in this case .exe, remains the same. I would guess that the nasty your PC has is causing the problem.
Work through the instructions below and then give HJT another go. If you find that it still won't run, try changing the name to something else as long as it ends in .exe and see what happens.
You can always go back to hijackthis.exe if that is the only one that seems to work.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Double click My Computer.
Right click the disc drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools Tab.
Under Error-checking, click the Check Now button.
In the "Check Disc Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.

2) Go to Start > Run, enter sfc /scannow ( note the space between the "c" and "/" ) and click on OK.

This will look for and attempt to replace any corrupt system files that can be found. There are backups of some of these files on your PC and Windows will check for a copy here first. If you are prompted to insert your Windows XP disc, do so. If you don't have this disc and are asked for it, you will have to cancel at this point.

For details on the System File Checker, click here.

#5 chenli (Topic Starter, Member, 23 posts)
Ok, this is unbelievable, I can't even do that.

I followed the instructions, then got told I needed to restart my comp:

Posted Image

So I do that, nothing happens on startup, I try to do the scan again, and the same error comes up. I even tried the thing in 'Run' and it says there's no such file...

:S

#6 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
To use Chkdsk, you must log on as an administrator or as a member of the Administrators group.
Boot into Safe Mode and log in using the Administrator's account.

1) Go to Start > Run, enter cmd and click OK.

2) Copy and paste the following into the window that opens and press <ENTER>: chkdsk c: /f

3) If the PC asks you to reboot, do so.

This should start the checkdisc utility - let me know how you get on.

#7 chenli (Topic Starter, Member, 23 posts)
Well, I've done that; the error on the task bar about the system detecting virus activities is gone, but my computer is still incredibly slow and HijackThis still won't work. And it's still telling me to restart for the disk check in the error-checking area of the Properties of C:.

#8 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
Restart the PC and see what happens then.

#9 chenli (Topic Starter, Member, 23 posts)
Unfortunately, it's the same as i mentioned in my last post :\

Although I did manage to get the uninstall log from HijackThis:

ABBYY FineReader 4.0 Sprint
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Illustrator CS
Adobe Photoshop 7.0
Adobe SVG Viewer 3.0
AOL Instant Messenger
avast! Antivirus
Azureus
Betfair Bar
Betfair Poker
BitDefender 9 Internet Security
Brain Buster Quiz
BSPlayer
BT Broadband Help
BT Voyager ADSL Modem
BTinternet help
BTopenworld Dialler Manager 3.0
Chessmaster 7000
Crossword Compiler 6
Direct Show Ogg Vorbis Filter (remove only)
DivX
DivX Player
DivX Subtitle Displayer 4.54
EmpirePoker
ewido anti-spyware 4.0
EyeStar Mail
Eyewitness Encyclopedia of Science 2.0
Google Earth
GSpot Codec Information Appliance
HijackThis 1.99.1
InstallShield for Microsoft Visual C++ 6
InterActual Player
Internet Explorer Q903235
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.2_05
Java Web Start
Kazaa Media Desktop 2.1.1
Lexmark Supplies Monitor
Lexmark Z23-Z33
Macromedia Flash Player 8
Matroska Pack - Lazy Man's MKV 0.9.7
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
Microsoft Visual Studio 6.0 Professional Edition
Microsoft Web Publishing Wizard 1.53
Microsoft Windows Journal Viewer
mIRC
MN100
Mozilla Firefox (1.5)
MSN Messenger 7.0
Mustek 1200 UB PLUS v1.1
My DSC
Netscape (7.2)
NISIS USB Tablet Driver
OutLaster
Oxford Revision Guides
Oz - TMA
Pacific Poker
Panda ActiveScan
PCFriendly
PCODEC 6.0
Perfect Keyboard PRO
Pirates of the Caribbean Screen Saver
PlayChess
Popup Blocker version 2.3
PowerDVD
Print Machine
QuickTime
Ragnarok Online
Ragnarok Sakray
RealPlayer
RPG Maker XP - Postality Knights Edition ENHANCED
RTC Client API v1.2
Safety Alerter 2006
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896426)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Selteco Flash Designer 4
Serif DrawPlus 4.0
Serif DrawPlus 4.0 Wizard Pack
Shockwave
Skype 2.5
Spybot - Search & Destroy 1.3
SpywareBlaster v3.5.1
StarOffice 5.2
Tesco internet phone
the World Chess Network software
Tibia 7.55
ToolBar888
Ulead Photo Express 3.0 SE
Update for Windows XP (KB898461)
VC Poker
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839643
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883939
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB896727
Windows XP Hotfix - KB897715
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q331953
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811493
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817287
Windows XP Hotfix (SP2) Q817606
Windows XP Hotfix (SP2) Q819696
WinRAR archiver
XviD MPEG-4 Video Codec
Yahoo! extras
Yahoo! Install Manager
Yahoo! Messenger
ZoneAlarm
Zoom USB ADSL WAN Adapter


Other than that, it's all the same.

#10 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
1) Create a folder in the root of your C: drive and name it Blacklight.
A brief explanation of how to do this can be found here.

2) Download F-Secure's BlackLight from here and save it into this folder.

3) Log off from the internet and disconnect your modem cable.

4) Go to Start > Run, copy and paste the following into the text box and hit OK:
"C:\Blacklight\blbeta.exe" /expert

The F-Secure Blacklight Beta window should open.
  • Accept the agreement and click OK.
  • Click the Scan button to begin.
  • Leave the PC idle while the scan takes place.
  • When it has completed, click the Close button.
  • A text file, fsbl-date/time, will be saved in the Blacklight folder, copy and paste this into your next post.



#11 chenli (Topic Starter, Member, 23 posts)

09/12/06 14:30:16 [Info]: BlackLight Engine 1.0.46 initialized
09/12/06 14:30:16 [Info]: OS: 5.1 build 2600 (Service Pack 1)
09/12/06 14:30:27 [Note]: 7019 4
09/12/06 14:30:27 [Note]: 7005 0
09/12/06 14:31:59 [Note]: 7006 0
09/12/06 14:31:59 [Note]: 7022 0
09/12/06 14:32:50 [Note]: 7011 1708
09/12/06 14:32:50 [Note]: 7026 0
09/12/06 14:32:50 [Note]: 7026 0
09/12/06 14:35:10 [Note]: FSRAW library version 1.7.1019
09/12/06 14:49:09 [Note]: 7007 0


Is what was in the fsbl document.

#12 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
OK, we'll fix what we can see and worry about the rest of the PC's problems after that.

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) Download the trial version of Ewido anti-spyware from here and save it to your Desktop.
If you already have this program installed, skip to Updating Ewido: below.

* Please note that these instructions are for the new version - Ewido anti-spyware. If you have the old version - Ewido anti-malware and it is the:
  • paid-for version - you will need to go here and obtain an updated license code before you upgrade.
  • free version - you will need to uninstall it and reboot before installing the new version.
Double click the ewido-setup file to begin installation and follow the prompts.
When the program has been installed, and you click the Finish button, Ewido anti-spyware will open.
Updating Ewido:

By default Ewido is configured to update automatically so, if you have an active internet connection, it should do so following installation. If you are unsure whether or not it has done so, do the following:
  • Click the Update icon at the top and under "Manual Update" - click the Start update button.
  • Either Ewido will update or inform you that no update was available.
  • If you cannot access the internet with the infected PC, or you are having problems updating, you can download the signatures file from here.
    Once you have installed Ewido, double click ewido-signatures-full-current.exe to update it.

Disabling the Resident Shield:
  • By default the Resident Shield is active but as it may interfere with the process of cleaning your PC, it will need to be disabled.
    (When the PC has been cleaned you can activate the shield again, if you wish.)
  • Click the Shield icon at the top and under "Resident shield is..." - click active.
  • This should now change to inactive.

Changing Recommended Actions:
  • Click the Scanner icon at the top and then click the Settings Tab.
  • Under "How to act?" click Recommended actions and select "Quarantine" from the menu.
You can now close Ewido anti-spyware.

Ewido anti-spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that Ewido will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.
Should you wish to benefit from the real-time protection, you will need to upgrade the program. To do this, simply open it and click on the Buy now button.


2) Download SmitfraudFix.zip by S!Ri from here and save it to your Desktop.
If you already have a copy of this, delete it and download a fresh one - the fix is often updated daily.
You will then need to extract the files.
To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


Close the folder, you will need it later.

3) You will need to know how to boot into Safe Mode.
Instructions can be found here.

4) You will need to set Windows to show All Hidden Files and Folders.
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

5) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) Boot into Safe Mode.

2) Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Press "2" and then <ENTER> to start the cleaning process.
  • Wait for the tool to complete and disk cleanup to finish.
  • You will be prompted "Registry cleaning - Do you want to clean the registry ?" Press "Y" and then <ENTER>.
  • The tool will also check if wininet.dll is infected. You may be prompted to "Replace infected file ?" - press "Y" and then <ENTER>.
Your PC now needs to be rebooted. If this does not happen automatically, you will need to do so manually. Either way, your PC will need to be booted back INTO SAFE MODE.

3) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.
Do this for all Usernames.

4) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

5) Go to Start > Control Panel > Internet Options and under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

6) Go to Start > Control Panel > Display.
Select the Desktop Tab, click on Customise Desktop... and then select the Web Tab.
Under Web pages: you may see a checked entry called Security info - or similar. Highlight this entry and then click the Delete button.
Finally click OK > Apply > OK.

7) Empty the Recycle Bin.

8) Ensure that ALL open Windows / Programs / Folders are closed and then run Ewido anti-spyware.
  • If it is not already selected, click the Scanner icon at the top and then select the Scan Tab.
  • Click "Complete System Scan"
  • While the scan is in progress the PC should be left otherwise idle - so if you fancy a cuppa, now's the time to put the kettle on!
  • When the scan has completed, any threats that Ewido has detected will be displayed.
  • Click the Apply all actions button at the bottom.
  • When Ewido has finished, it will display the message "All actions have been applied".

    Saving a report:
  • Click the Save Report button at the bottom left and the "Reports" window will open.
  • The content of the scan report will be displayed in the right hand pane and a copy will be automatically saved as Report-Scan-date-time.txt into the C:\Program Files\ewido anti-spyware 4.0\Reports folder.
  • You will need to post a copy of this report into your next reply, so if it is more convenient, you can save another copy of this report elsewhere:
    Click the Save report as button and select a destination by clicking the down arrow to the right of the Save in: text box and then click Save.
Close Ewido Anti-Spyware.

9) Reboot into Normal Mode.

10) Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Press "3" and then <ENTER> to "Delete Trusted Zone".
When prompted "Restore Trusted Zone ?", press "Y" and then <ENTER>.

* Please Note: If you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection *

Will you then post the following:
  • A new HJT log,
  • The Ewido log,
  • The text file rapport.txt that will be found in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.
    For most, this file can be found by double-clicking My Computer and then Local Disk (C:)
  • A description of how your PC is behaving.
This fix is based on a canned speech supplied by Kimberly.
  • 0

#13
chenli


    Member

  • Topic Starter
  • Member
  • 23 posts
Well, my pc is even slower now - takes about 20 minutes to open netscape :s

And my desktop background image isn't there anymore.

Managed to get HijackThis log though:

HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 00:05:20, on 13/09/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\SOINTGR.EXE
C:\Program Files\Perfect Keyboard PRO\pk32.exe
C:\Program Files\Perfect Keyboard PRO\_loader.exe
C:\Program Files\Zoom\CnxDslTb.exe
C:\Program Files\Perfect Keyboard PRO\_prog.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\program files\softwin\bitdefender9\bdswitch.exe
C:\Program Files\Softwin\BitDefender9\bdoesrv.exe
C:\program files\softwin\bitdefender9\bdnagent.exe
C:\Program Files\Softwin\BitDefender9\bdmcon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\twain_32\S6U12BX\WATCH.exe
C:\Documents and Settings\Alex\My Documents\HijackThis.exe
C:\Program Files\Netscape\Netscape\Netscp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTinternet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.240.37.28:80
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O4 - HKLM\..\Run: [Perfect Keyboard PRO] "C:\Program Files\Perfect Keyboard PRO\pk32.exe" /winstart
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Zoom\CnxDslTb.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE USB
O4 - HKLM\..\Run: [GsiFinal] rundll32 gspndll.dll,postInstall final
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\kazaalite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files\Softwin\BitDefender9\bdswitch.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [e6783ac1.exe] C:\Documents and Settings\Alex\Local Settings\Application Data\e6783ac1.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Tesco internet phone] "C:\Program Files\Tesco internet phone\TescoIP.exe" /autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\S6U12BX\WATCH.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: VC Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\VCPOKE~1\client.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_90.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com/
O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://about.chatspa...va/cs4fs084.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.220 - http://wiredreality....va/cfs31220.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://irc.everywher...va/cfs31229.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://205.177.13.10...va/cfs31235.cab
O16 - DPF: ChatSpace Java Client 2.1.0.79 - http://65.95.142.201/Java/cs4ms079.cab
O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://servers.secur...va/cs4ms090.cab
O16 - DPF: ChatSpace Java Client 2.1.0.95 - http://chat.chatspac...va/cs4ms095.cab
O16 - DPF: ChatSpace Java Client 3.1.0.212 - http://moonchatuk.dy...va/cms31212.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Chat 1.3 - http://cs5.chat.sc5....m/c174/chat.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! Go - http://download.game...nts/y/gt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} -
O16 - DPF: {4E6F9E15-C8E3-4E19-B987-04EF390E9824} - http://www.betfair.c...stall/setup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


Ewido Scan Report

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 23:23:43 12/09/2006

+ Scan result:



C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246081.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\Documents and Settings\Chris\Start Menu\Virus-Burst 6.1.lnk -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246079.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mljjkli.dll -> Adware.Virtumionde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246057.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246058.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246059.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246060.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP448\A0231944.dll -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0232009.dll -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0232995.dll -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0233999.dll -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0235997.dll -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0236997.dll -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0238995.dll -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0240008.dll -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0241995.dll -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0242997.dll -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0244003.dll -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0244997.dll -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0245995.dll -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246065.dll -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246066.exe -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246067.exe -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP452\A0250821.exe -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP452\A0250823.dll -> Downloader.Zlob.ajd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246061.tlb -> Downloader.Zlob.gg : Cleaned with backup (quarantined).
C:\Program Files\Softwin\BitDefender9\Quarantine\tmpa9 -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP448\A0231947.exe -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0237000.exe -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246070.exe -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246071.exe -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP452\A0250824.exe -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp117 -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp11d -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1dd -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1de -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1df -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1e2 -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1e3 -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1e4 -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1e5 -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1e6 -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1e7 -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1ea -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1ec -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1ed -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1ee -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1ef -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1f1 -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1f2 -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1f3 -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp1f7 -> Downloader.Zlob.yt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246053.dll -> Logger.Small.dg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246054.dll -> Logger.Small.dg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246055.exe -> Logger.Small.dg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246056.dll -> Logger.Small.dg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246082.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP452\A0249285.dll -> Not-A-Virus.Hoax.Win32.Renos.er : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\Default User\qy8mr5hh.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\Default User\qy8mr5hh.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.118:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.119:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.132:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.133:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.139:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.140:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.141:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.142:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.143:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\Default User\qy8mr5hh.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.6:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\Default User\qy8mr5hh.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.7:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\Default User\qy8mr5hh.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.167:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.168:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.169:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.124:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\Default User\qy8mr5hh.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.9:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\Default User\qy8mr5hh.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Alex\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.131:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
:mozilla.184:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.185:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.186:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.187:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.188:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.189:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.173:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.114:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.115:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.116:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.117:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.134:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.135:C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{966388F5-C20D-49C1-9ABF-CDD545BCCDB7}\RP449\A0246062.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).


::Report end


SmitFraud Report

SmitFraudFix v2.87

Scan done at 21:25:57.18, 12/09/2006
Run from C:\Documents and Settings\Alex\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}"="Replay for WindowsXP"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{7fa55359-7223-410f-bc82-efb3e3ded07f}"="died"

[HKEY_CLASSES_ROOT\CLSID\{7fa55359-7223-410f-bc82-efb3e3ded07f}\InProcServer32]
@="C:\WINDOWS\System32\gtpbx.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7fa55359-7223-410f-bc82-efb3e3ded07f}\InProcServer32]
@="C:\WINDOWS\System32\gtpbx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\.protected Deleted
C:\WINDOWS\system32\ncompat.tlb Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\DOCUME~1\ALLUSE~1\DESKTOP\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\DESKTOP\Security Troubleshooting.url Deleted
C:\DOCUME~1\ALEX\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALEX\STARTM~1\PROGRAMS\STARTUP\.protected Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\.protected Deleted
C:\Program Files\PCODEC\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Edited by chenli, 12 September 2006 - 05:37 PM.

  • 0
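The log above is what the helper reads by eye; as an added example (not HijackThis code and not the helper's own method), here is a small Python triage pass that mechanically flags the same kinds of entries this thread turns up: an IE proxy pointing at an external address, an autorun of a hex-named executable under Local Settings\Application Data, a toolbar/BHO whose DLL is missing, autoruns with no path, and a broken LSP chain. The sample lines are copied from the posted log; the rule set is an assumption for illustration.

```python
"""Triage a HijackThis 1.99-style log for the indicators seen in this thread.

Constructed example: the sample lines are taken from the log posted above;
the rules are a hypothetical triage aid, not part of HijackThis itself.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Every HijackThis entry starts with a section tag (R1, O2, O4, O10 ...) then " - ".
LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")

# Autorun target living in a per-user scratch folder under a name that is
# nothing but eight hex digits (e6783ac1.exe in this thread).
RANDOM_LOCALAPP_RE = re.compile(
    r"\\Local Settings\\Application Data\\[0-9a-f]{8}\.exe", re.IGNORECASE)

# Autorun whose command is a bare file name with no drive or directory, so the
# loader has to search for it; often legitimate, but worth a second look.
BARE_EXE_RE = re.compile(
    r'^\[[^\]]+\]\s+"?[A-Za-z0-9_.]+\.exe"?(\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def _is_public_ip(host: str) -> bool:
    """True only for a literal IP address outside private/loopback ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an address; not judged here
    return not (ip.is_private or ip.is_loopback)


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, running-process list, blanks
        sec, body = m.group("sec"), m.group("body")

        if sec == "R1" and "ProxyServer" in body:
            # Value may be "host:port" or "http=host:port;https=..." forms.
            value = body.split("=", 1)[1].strip()
            host = value.split(";")[0].rsplit("=", 1)[-1].split(":")[0]
            if _is_public_ip(host):
                findings.append(Finding(line, "IE proxy points at an external IP"))

        elif sec in ("O2", "O3") and body.endswith("(file missing)"):
            findings.append(Finding(line, "BHO/toolbar registered but DLL missing"))

        elif sec == "O4":
            # Strip the "HKLM\..\Run: " style prefix to get "[name] command".
            entry = body.split(": ", 1)[1] if ": " in body else body
            if RANDOM_LOCALAPP_RE.search(entry):
                findings.append(Finding(
                    line, "autorun of hex-named exe in Local Settings\\Application Data"))
            elif BARE_EXE_RE.match(entry):
                findings.append(Finding(line, "autorun with no path (loader searches for it)"))

        elif sec == "O10" and "missing" in body:
            findings.append(Finding(line, "LSP chain references a missing DLL (Winsock broken)"))
    return findings


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.240.37.28:80
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [e6783ac1.exe] C:\Documents and Settings\Alex\Local Settings\Application Data\e6783ac1.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_90.dll' missing
"""


def main() -> None:
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] {f.line}")


if __name__ == "__main__":
    main()
```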

#14
Noviciate


    Confused Helper

  • Malware Removal
  • 1,567 posts

In future, just copy and paste all information rather than use one of the "buttons". It just makes it more difficult to read, as you'll see if you compare your first and second posts.

You are making it harder for me to work with the information that you are posting - just copy and paste the information that I ask for.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It looks like you have two anti-virus programs installed - BitDefender and Avast. Using two, or more, AVs can result in less, not more, protection due to possible conflicts.
If you do have two AVs installed, remove one.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For your wallpaper, try the following:

Right click an empty area of your Desktop and select Properties > Desktop Tab.
Select the wallpaper from the options there and click OK.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download VundoFix.exe by Atribune from here and save it to your desktop.
  • Close all open programs and windows as this may require a reboot.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Post the contents of C:\vundofix.txt, a new HiJackThis log and a description of how the PC is behaving.

  • 0

#15
chenli


    Member

  • Topic Starter
  • Member
  • 23 posts
For your first paragraph, please could you elaborate, because I'm still unsure what you mean, especially by "buttons". If you mean the quote button, I didn't use it; I inserted the tags myself. But if it is indeed the fact that I used quote tags, I'll leave them out this time.

Now my computer is running at the speed it used to before the viruses and stuff. So thanks for advising me to use that vundo thing. :whistling:

Here are the logs:

Vundo


VundoFix V6.1.5

Checking Java version...

Java version is 1.4.2.5

Scan started at 14:41:51 13/09/2006

Listing files found while scanning....

C:\WINDOWS\system32\ddayw.dll
C:\WINDOWS\system32\wyadd.ini
C:\WINDOWS\system32\wyadd.bak1
C:\WINDOWS\system32\wyadd.bak2
C:\WINDOWS\system32\wyadd.ini2
C:\WINDOWS\system32\wyadd.tmp
C:\Program Files\Common Files\{A8E5E897-0577-2057-1004-01030501002c}\services.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddayw.dll
C:\WINDOWS\system32\ddayw.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\wyadd.ini
C:\WINDOWS\system32\wyadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wyadd.bak1
C:\WINDOWS\system32\wyadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wyadd.bak2
C:\WINDOWS\system32\wyadd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wyadd.ini2
C:\WINDOWS\system32\wyadd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\wyadd.tmp
C:\WINDOWS\system32\wyadd.tmp Has been deleted!

Attempting to delete C:\Program Files\Common Files\{A8E5E897-0577-2057-1004-01030501002c}\services.dll
C:\Program Files\Common Files\{A8E5E897-0577-2057-1004-01030501002c}\services.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.5

Checking Java version...

Java version is 1.4.2.5

Scan started at 15:28:47 13/09/2006

Listing files found while scanning....

C:\WINDOWS\system32\ddayw.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddayw.dll
C:\WINDOWS\system32\ddayw.dll Has been deleted!

Performing Repairs to the registry.
Done!



HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 16:11:56, on 13/09/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\SOINTGR.EXE
C:\Program Files\Perfect Keyboard PRO\pk32.exe
C:\Program Files\Zoom\CnxDslTb.exe
C:\Program Files\Perfect Keyboard PRO\_loader.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\Perfect Keyboard PRO\_prog.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Alex\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTinternet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.240.37.28:80
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Alex\Application Data\Mozilla\Profiles\default\wssokl0w.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O4 - HKLM\..\Run: [Perfect Keyboard PRO] "C:\Program Files\Perfect Keyboard PRO\pk32.exe" /winstart
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Zoom\CnxDslTb.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE USB
O4 - HKLM\..\Run: [GsiFinal] rundll32 gspndll.dll,postInstall final
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\kazaalite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [e6783ac1.exe] C:\Documents and Settings\Alex\Local Settings\Application Data\e6783ac1.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Tesco internet phone] "C:\Program Files\Tesco internet phone\TescoIP.exe" /autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\S6U12BX\WATCH.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: VC Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\VCPOKE~1\client.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_90.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com/
O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://about.chatspa...va/cs4fs084.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.220 - http://wiredreality....va/cfs31220.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://irc.everywher...va/cfs31229.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://205.177.13.10...va/cfs31235.cab
O16 - DPF: ChatSpace Java Client 2.1.0.79 - http://65.95.142.201/Java/cs4ms079.cab
O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://servers.secur...va/cs4ms090.cab
O16 - DPF: ChatSpace Java Client 2.1.0.95 - http://chat.chatspac...va/cs4ms095.cab
O16 - DPF: ChatSpace Java Client 3.1.0.212 - http://moonchatuk.dy...va/cms31212.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Chat 1.3 - http://cs5.chat.sc5....m/c174/chat.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! Go - http://download.game...nts/y/gt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} -
O16 - DPF: {4E6F9E15-C8E3-4E19-B987-04EF390E9824} - http://www.betfair.c...stall/setup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe