Is my PC infected?


#1
vygo
Member
Hi everyone! Would u help me please, I've got caught again with trojans and various viruses! Thank you very much 4 ur help!

Logfile of HijackThis v1.99.1
Scan saved at 12:19:16, on 28/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\TOSHIBA\IVP\ISM\ivpsvmgr.exe
C:\WINDOWS\system32\kernels88.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\xpupdate.exe
C:\Program Files\D-Link\Bluetooth Software\BTTray.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\D-Link\Bluetooth Software\bin\btwdins.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\RegSrvc.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\vxg4am1et2.exe
C:\WINDOWS\system32\sm.exe
C:\WINDOWS\system32\dd.exe
C:\WINDOWS\system32\m2.exe
C:\Program Files\Mozilla\Firefox\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshibadirect.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [ZoomingHook] c:\WINDOWS\System32\ZoomingHook.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [IVPServiceMgr] C:\TOSHIBA\IVP\ISM\ivpsvmgr.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels88.exe
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\D-Link\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\D-Link\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\D-Link\Bluetooth Software\btsendto_ie.htm
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\D-Link\Bluetooth Software\bin\btwdins.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

Edited by vygo, 28 February 2007 - 10:10 AM.

#2
ourwilly
Trusted Helper
Hi, I would like to take a look at this log for you
and will get back to you as soon as I can.

Thank You.

#3
ourwilly
Trusted Helper
Hello vygo :whistling:

Copy and Paste this post into a new text document

Step 1

You must place HijackThis into its own folder.
If we ever need to restore any item, then this folder will safely store all entries
and enable us to then use the Back-up feature that HijackThis offers.

If you want to keep the HijackThis program on the Desktop, right click an empty area, select New > Folder, name the folder HijackThis (or whatever you wish), and place the HijackThis.exe file in it.
Do this BEFORE you proceed!


Step 2

Please download LSPfix.

Unzip it to the desktop and run it. Check "I know what I'm doing",
and then select each instance of rsvp32_2.dll in the left-hand panel
and click >> to move it to the right-hand panel.

Then click Finish to allow LSPfix to rebuild the LSP chain.


Step 3

Download AVG Anti-Spyware 7.5

The program should launch automatically after installation. If not, double-click the desktop icon.

Deactivate the "Resident Shield" as this may prevent changes to the registry.
To do this, click "Change State" to the right of the Resident Shield option in the main window.
You will clearly see the status change to Inactive if you have done this correctly.

Now update AVG Anti-Spyware 7.5:
Click the "Update" icon from the main menu.
Then click the "Start Update" button.
When you receive the "Update successful" prompt, close AVG AS.
Note: If you have any problems with the updater, you can Update AVG Anti-Spyware 7.5 Manually.
Do not Scan with this yet!

Please reboot your system into Safe Mode: shut down your system, then restart your computer.
As soon as it starts booting up again, continuously tap F8. From the menu, select the option to enter Safe Mode.

Reopen AVG Anti-Spyware 7.5 and click the "Scanner" icon from the main menu.
Click "Complete System Scan" to start scanning.
When the scan completes, click "Recommended action" beneath the results window and select "Quarantine".
Then click the "Apply all actions" button to quarantine everything detected.
Then click Save report > Save report as and save the AVG Report-Scan.txt to your desktop.
Then Reboot back into Normal Mode


Step 4

Please Re-Scan with Hijack This and post

1/ The new HijackThis log
2/ The AVG Anti-Spyware 7.5 Report-Scan.txt

Thank you.

#4
vygo
Member
hi ourwilly, :help:

Sorry for the delay. I lost my internet connection so I had to find other ways to get around. I did as u requested in the previous post. I just couldn't start any application in safe mode, so I did ur recommended AVG Anti-Spyware Complete System Scan in normal mode.

The results are as follows:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:34:04 05/03/2007

+ Scan result:



C:\Program Files\BraveSentry -> Adware.Bravesentry : No action taken.
C:\Program Files\BraveSentry\BraveSentry.exe -> Adware.Bravesentry : No action taken.
C:\Program Files\BraveSentry\BraveSentry.lic -> Adware.Bravesentry : No action taken.
C:\Program Files\BraveSentry\BraveSentry0.bs -> Adware.Bravesentry : No action taken.
C:\Program Files\BraveSentry\BraveSentry1.bs -> Adware.Bravesentry : No action taken.
C:\Program Files\BraveSentry\BraveSentry2.dll -> Adware.Bravesentry : No action taken.
C:\Program Files\BraveSentry\Uninstall.exe -> Adware.Bravesentry : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP77\A0013174.exe -> Downloader.Small : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP77\A0014174.exe -> Downloader.Small : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP77\A0014175.exe -> Downloader.Small : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0014237.exe -> Downloader.Small : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0014240.exe -> Downloader.Small : No action taken.
C:\WINDOWS\system32\dlh9jkd1q1.exe -> Downloader.Small : No action taken.
C:\WINDOWS\system32\vxga8me6.exe -> Downloader.Small : No action taken.
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe -> Heuristic.Win32.Dialer : No action taken.
C:\WINDOWS\desktop.html -> Not-A-Virus.Hoax.Win32.Renos.cy : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0014231.dll -> Proxy.Agent.df : No action taken.
C:\WINDOWS\system32\ckvbfr.dll -> Proxy.Agent.df : No action taken.
[1780] C:\WINDOWS\system32\ckvbfr.dll -> Proxy.Agent.df : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP77\A0013182.exe -> Trojan.Small : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP77\A0013183.exe -> Trojan.Small : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0014268.exe -> Trojan.Small : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0014280.exe -> Trojan.Small : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0014281.exe -> Trojan.Small : No action taken.
C:\WINDOWS\system32\qvx5gamet2.exe -> Trojan.Small : No action taken.
C:\WINDOWS\system32\qvxga6met3.exe -> Trojan.Small : No action taken.
C:\WINDOWS\system32\qvxga7met4.exe -> Trojan.Small : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP77\A0014172.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0014243.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0014298.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0014311.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0017487.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0022503.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0022510.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0022520.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0023518.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0024518.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0025518.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0026518.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0029518.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP78\A0030518.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP80\A0030845.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP80\A0030851.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP80\A0030860.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP80\A0030868.dll -> Worm.Banwarum.f : No action taken.
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP80\A0032879.dll -> Worm.Banwarum.f : No action taken.
C:\WINDOWS\system32\adir.dll -> Worm.Banwarum.f : No action taken.


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 10:51:00, on 05/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\RegSrvc.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\Administrator\Desktop\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshibadirect.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\system32\ltwqrjm.dll
O21 - SSODL: dzDRDaLTCZ - {744047AE-DEEA-ED04-7B3E-28BC83B626A9} - C:\WINDOWS\system32\ckvbfr.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe


I still don't have internet connection... :blink: please help... :whistling:

Thanks 4 ur time!

#5
vygo
Member
Is anything else possible to do? :whistling:

#6
ourwilly
Trusted Helper
Hello vygo

Sorry to keep you waiting. Can you please copy and paste this 'Fix' into either Notepad or Wordpad for future reference,
as you will be required to close down your browser and access Safe Mode when following these steps.

Step 1

Scan with HijackThis again and place a checkmark in the boxes before the following entries:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\system32\ltwqrjm.dll
O21 - SSODL: dzDRDaLTCZ - {744047AE-DEEA-ED04-7B3E-28BC83B626A9} - C:\WINDOWS\system32\ckvbfr.dll (file missing)

Close any Explorer windows which may be open and click the "Fix Checked" button.


Step 2

Please reboot your system into Safe Mode:
Shut down your system, then restart your computer. As soon as it starts booting up again, continuously tap F8. From the menu, select the option to enter Safe Mode.

Double-click on My Computer, double-click on Local Disk,
and navigate to, then right-click on and delete, these bold entries:

C:\WINDOWS\system32\a3dxq.dll
C:\WINDOWS\system32\rpcc.dll
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\WINDOWS\system32\ltwqrjm.dll
C:\WINDOWS\system32\ckvbfr.dll


Clean your Cache and Cookies in IE:
Go to Control Panel > Internet Options > General tab.
Click the "Delete Cookies" button and then the "Delete Files" button next to it.
When prompted, place a check in: "Delete all offline content",
(You will have to re-enter passwords at websites that require them.)
Click OK

Clean other Temporary files + Recycle bin:
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.


Stay in Safe Mode and re-scan with AVG Anti-Spyware.

Please note: this entry showing in the AVG scan is legitimate, so please select "No action taken" for it:
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe

Please "Quarantine" all the other entries found.

Then Reboot back into Normal Mode


Step 3

Please Re-scan with HijackThis and post

1/ The new HijackThis log
2/ The new AVG-AS Report-Scan.txt

Thank you.
  • 0
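
The entries picked out for "Fix Checked" in the post above are easier to see when the two HijackThis scans in this thread are compared. The following is an added example, not part of the original thread and not a HijackThis feature: it parses the O20 (Winlogon Notify) and O21 (SSODL) lines excerpted from vygo's logs of 28/02 and 05/03 and reports what appeared or changed between them. The function and variable names are hypothetical.

```python
import re
from collections import namedtuple

# One parsed HijackThis entry, e.g.
# "O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll"
Entry = namedtuple("Entry", "section kind name target missing")

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# HijackThis appends "(file missing)" or "- (no file)" when the target is absent.
MISSING_RE = re.compile(r"(?:\s+-)?\s*\((?:file missing|no file)\)\s*$")

# Sections compared by default: Winlogon Notify and ShellServiceObjectDelayLoad.
AUTOSTART_SECTIONS = frozenset({"O20", "O21"})

# Excerpt of the 28/02/2007 log from this thread (O20 lines only).
SCAN_FEB_28 = r"""
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
"""

# Excerpt of the 05/03/2007 log from this thread (R3, O20 and O21 lines).
SCAN_MAR_05 = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\system32\ltwqrjm.dll
O21 - SSODL: dzDRDaLTCZ - {744047AE-DEEA-ED04-7B3E-28BC83B626A9} - C:\WINDOWS\system32\ckvbfr.dll (file missing)
"""


def parse_log(text):
    """Return the sectioned entries of a HijackThis log as Entry tuples.

    Header lines and the "Running processes" paths do not start with a
    section code such as "O20 - " and are skipped.
    """
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        missing = bool(MISSING_RE.search(body))
        body = MISSING_RE.sub("", body)
        # "Kind: name - {CLSID} - target"; kind is empty for lines without one.
        kind, sep, rest = body.partition(": ")
        if not sep:
            kind, rest = "", body
        parts = rest.split(" - ")
        target = parts[-1] if len(parts) > 1 else ""
        entries.append(Entry(m.group("section"), kind, parts[0], target, missing))
    return entries


def diff_scans(before, after, sections=AUTOSTART_SECTIONS):
    """Compare two parsed scans, keyed on (section, name).

    Returns (added, removed, changed); changed holds (old, new) pairs whose
    target or file-missing flag differs between the scans.
    """
    old = {(e.section, e.name): e for e in before if e.section in sections}
    new = {(e.section, e.name): e for e in after if e.section in sections}
    added = [new[k] for k in new if k not in old]
    removed = [old[k] for k in old if k not in new]
    changed = [(old[k], new[k]) for k in new if k in old and old[k] != new[k]]
    return added, removed, changed


def missing_targets(entries):
    """Entries whose registry value points at a file that is not on disk."""
    return [e for e in entries if e.missing]


if __name__ == "__main__":
    added, removed, changed = diff_scans(parse_log(SCAN_FEB_28),
                                         parse_log(SCAN_MAR_05))
    for e in added:
        print("NEW     ", e.section, e.name, "->", e.target)
    for e in removed:
        print("GONE    ", e.section, e.name)
    for old, new in changed:
        print("CHANGED ", new.section, new.name,
              "file missing:", old.missing, "->", new.missing)
    for e in missing_targets(parse_log(SCAN_MAR_05)):
        print("DANGLING", e.section, e.name, "->", e.target)
```

On these excerpts the diff reports three new entries (winsys2freg and the two O21 SSODL values) and one change: the A3dxq target was flagged "(file missing)" on 28/02 but is present on 05/03.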

#7
vygo
Member
What should I do when I switch the system into safe mode and can't start anything running? :whistling:

#8
ourwilly
Trusted Helper
Hello vygo

I would like to ask if you have been able to navigate to and delete those files in Safe Mode that I asked you to. If not, then please try removing these in normal mode for now.

From what I understand, this is just a problem with running software like the "AVG anti-spyware" scan, so I suggest running this in normal mode, and please "Quarantine" everything that is found with the exception of this entry:
C:\Program Files\Huawei technologies\Vodafone 3G Broadband Modem\Vodafone 3G Broadband Modem.exe

Please continue to work your way through the rest of the Fix as best as you can and post
the new HijackThis log and the new AVG-AS Report-Scan.txt in your next reply.

Thank you.

#9
vygo
Member
Hi ourwilly,

I was trying to scan the system in a safe mode, but unfortunately I couldn't. Finally I did it in a normal mode. The results you can see below. Every time I start Windows, AVG anti-spyware shows the message that one particular Trojan file was found (I don't have the name), I quarantine it all the time but each time after I start the system it comes up again.
I tried to Delete bold entries as u have asked.
C:\WINDOWS\system32\a3dxq.dll - couldn't delete (it didn't allow me to perform the action)
C:\WINDOWS\system32\rpcc.dll - couldn't delete (it didn't allow me to perform the action)

C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll - the file doesn't exist
C:\WINDOWS\system32\ltwqrjm.dll - Deleted
C:\WINDOWS\system32\ckvbfr.dll - the file doesn't exist

After I did these actions and rebooted the system in the blue screen I got a message:
STOP:C000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000029 (0x00000000 0x00000000).
The system has been shut down.


The results after the computer was scanned:

Logfile of HijackThis v1.99.1
Scan saved at 12:12:59, on 09/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\RegSrvc.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Documents and Settings\Administrator\Desktop\Hijack\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshibadirect.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\system32\ltwqrjm.dll
O21 - SSODL: dzDRDaLTCZ - {744047AE-DEEA-ED04-7B3E-28BC83B626A9} - C:\WINDOWS\system32\ckvbfr.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 14:42:44 09/03/2007

+ Scan result:



C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP80\A0032882.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP80\A0032883.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP80\A0032891.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP80\A0032893.dll -> Proxy.Agent.df : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP80\A0032884.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP80\A0032885.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP80\A0032886.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP80\A0033899.dll -> Worm.Banwarum.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP80\A0033908.dll -> Worm.Banwarum.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14E0FEE4-99AE-4125-8300-BE00D103532E}\RP80\A0033919.dll -> Worm.Banwarum.f : Cleaned with backup (quarantined).
C:\WINDOWS\system32\adir.dll -> Worm.Banwarum.f : Cleaned with backup (quarantined).


::Report end

Thanks a mil! :whistling:

Edited by vygo, 12 March 2007 - 07:25 AM.


#10
ourwilly
Trusted Helper
Hello vygo

Please copy and paste this 'Fix' into either Notepad or Wordpad for future reference, as you will be required to close down your browser when following these steps.

Step 1

Please download the Killbox by Option^Explicit.

Note - In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.


Now Re-Scan with HijackThis and place a checkmark in the boxes before the following entries:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\system32\ltwqrjm.dll
O21 - SSODL: dzDRDaLTCZ - {744047AE-DEEA-ED04-7B3E-28BC83B626A9} - C:\WINDOWS\system32\ckvbfr.dll (file missing)

Close any Explorer windows which may be open and click the "Fix Checked" button.


Step 2

Then Double-click Killbox.exe to run it.
Select: Delete on Reboot then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\a3dxq.dll
C:\WINDOWS\system32\rpcc.dll
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\WINDOWS\system32\ltwqrjm.dll
C:\WINDOWS\system32\ckvbfr.dll


Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Re-scan with HijackThis and post the new log.

Thank you
  • 0



#11
vygo

vygo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
hi ourwilly,
I've managed to do as u asked me. The log is below. The system works much faster!!! :whistling: But the problem is I'm still unable to connect to the internet. I'm afraid that I need to reinstall my Windows. Would u recommend that I do something else?

Thanks mate!
:blink:
Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 23:10:21, on 13/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\RegSrvc.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sonic\RecordNow!\RecordNow.exe
C:\Documents and Settings\Administrator\Desktop\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshibadirect.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O21 - SSODL: CDRecorder031 - {A3BC5E20-0235-1ABF-9CE1-00AA00512031} - C:\WINDOWS\system32\vlxh32.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
  • 0

#12
ourwilly

ourwilly

    Trusted Helper

  • Retired Staff
  • 768 posts
Hello vygo

But the problem is I'm still unable to connect to the internet. I'm afraid that I need to reinstall my Windows

Because you are infected and are still having problems with your system then Re-installing may be your best and quickest option.

You will need the original disks that came with this system to do this, and please make sure that you know what to do before beginning the operation.

Here are a few links that will probably help.

Reformatting Windows XP
When should I re-format? How should I reinstall?
Windows XP Clean install

If however you wish to continue to try and fix this system then please let me know.
  • 0

#13
vygo

vygo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
I wish to continue to fix my system, rather than reinstall it. If it's possible to do so... :whistling:
  • 0

#14
ourwilly

ourwilly

    Trusted Helper

  • Retired Staff
  • 768 posts
Hello vygo

Thank you for letting me know

Please Copy and Paste this 'Fix' into either Notepad or Wordpad for future reference as you will be required to close down your browser when following these steps.

Step 1

Re-Scan with HijackThis and place a checkmark in the boxes before the following entries:

O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O21 - SSODL: CDRecorder031 - {A3BC5E20-0235-1ABF-9CE1-00AA00512031} - C:\WINDOWS\system32\vlxh32.dll

Close any Explorer windows which may be open and click the "Fix Checked" button.

Now Re-open killbox.exe
on the main Killbox menu, select the option "Delete on reboot"
Now highlight and 'copy' (Ctrl + C) this full path:

C:\WINDOWS\system32\vlxh32.dll

Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'.
Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot and ask if you wish to reboot now, click Yes.

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


Step 2

I'd like to ask for information about your Internet connection, please. Atheros Configuration Service is showing, so can you please check to see if this is installed "ok". To do this, please go to Start > Control Panel > System, select the Hardware tab, and then click Device Manager.
You are looking for one of the following symbols:

A black exclamation point (!) on a yellow field indicates the device is in a problem state. Note that a device that is in a problem state can be functioning.
A problem code explaining the problem is displayed for the device.
A red "X" indicates a disabled device. A disabled device is a device that is physically present in the computer and is consuming resources, but does not have a protected-mode driver loaded.
A blue "i" on a white field on a device resource in Computer properties indicates that the Use automatic settings feature is not selected for the device and that the resource was manually selected. Note that this does not indicate a problem or disabled state.

Re-scan and post a new HijackThis log and any information if any errors were found in Device Manager.

Thank you.
  • 0
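The comparison behind post #14's fix list, as an added example that is not part of the original thread or of HijackThis: it parses the O20/O21 lines copied from posts #10 and #11 and sorts them into autostart entries that were removed, entries that survive with "(file missing)", and entries that were never on the fix list. The function names `parse` and `triage` and the bucket names are assumptions made for this sketch.

```python
import re
# O20/O21 lines copied from this thread: the fix list in post #10 and the
# matching section of the follow-up HijackThis log in post #11.
FIX_LIST = r"""
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\system32\ltwqrjm.dll
O21 - SSODL: dzDRDaLTCZ - {744047AE-DEEA-ED04-7B3E-28BC83B626A9} - C:\WINDOWS\system32\ckvbfr.dll (file missing)
"""
FOLLOW_UP = r"""
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O21 - SSODL: CDRecorder031 - {A3BC5E20-0235-1ABF-9CE1-00AA00512031} - C:\WINDOWS\system32\vlxh32.dll
"""

LINE = re.compile(r"^(O20|O21) - (?:Winlogon Notify|SSODL): (?P<name>.+?) - "
                  r"(?:\{[0-9A-Fa-f-]+\} - )?(?P<path>[A-Za-z]:\\.+?)"
                  r"(?P<missing> \(file missing\))?$")

def parse(log):
    # Map (section, name, lower-cased path) -> True if marked "(file missing)".
    entries = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            key = (m.group(1), m.group("name"), m.group("path").lower())
            entries[key] = m.group("missing") is not None
    return entries

def triage(fix_list, follow_up):
    fixed, now = parse(fix_list), parse(follow_up)
    return {
        # entry is still listed but its DLL is gone: orphaned registry value
        "orphaned": sorted(k[1] for k in fixed if now.get(k) is True),
        # entry is still listed and the file is still on disk
        "still_loaded": sorted(k[1] for k in fixed if now.get(k) is False),
        # entry no longer appears in the follow-up log
        "removed": sorted(k[1] for k in fixed if k not in now),
        # in the follow-up but not on the fix list: needs a helper's review
        "unreviewed": sorted(k[1] for k in now if k not in fixed),
    }

if __name__ == "__main__":
    print(triage(FIX_LIST, FOLLOW_UP))
```

The three "orphaned" names are the ones post #14 asks to fix again; the "unreviewed" bucket only lists what a helper still has to judge and makes no claim that an entry is malicious.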

#15
vygo

vygo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Hi ourwilly,
I'm just back from my holiday. I'll have a look at the advice you've given me and I'll come back to you. Thanx and sorry for the delay. :whistling:
  • 0





