downloader.zlob [RESOLVED] - Geeks to Go Forums

Jump to content

Log in Register Register Malware removal guide How it works

downloader.zlob [RESOLVED]

#1 dapnikola

  • Group: Member
  • Posts: 25
  • Joined: 12-July 04

Posted 23 September 2007 - 01:41 AM

I use AVG and I get a message about a trojan called downloader.zlob, which I can't remove.

PLEASE HELP ME.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:02 μμ, on 24/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\diafora\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [wininet.dll] dfrgsrv.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O22 - SharedTaskScheduler: gulch - {143404b0-ee92-40a7-8705-06fba9a7abf4} - (no file)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 3259 bytes

#2 sage5

  • Group: Retired Staff
  • Posts: 2,646
  • Joined: 08-June 06

Posted 27 September 2007 - 07:07 AM

Hi dapnikola,

Welcome to Geeks To Go,

I'm sorry that we haven't got to you until now, but the forum can get hectic at times.

I am sage5 and I will be helping you with this problem.


First off, I need you to download some tools & save them to your Desktop.

SmitfraudFix (by S!Ri)
Deckard's System Scanner
OTMoveIt by OldTimer

Start the Smitfraud scan:
  • Double-click SmitfraudFix.exe
  • Select option #1 - Search by typing 1 and press "Enter". A text file will appear, which lists infected files (if present). It is saved as C:\rapport.txt
  • Please copy/paste the content of that file into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


Run Deckard's System Scanner:
  • Close all other windows before proceeding.
  • Double click on the dss.exe file on your Desktop and follow the prompts.
  • Scans will run, and 2 text files will open in Notepad.
  • Close both of the text files.
These files are C:\Deckard\System Scanner\main.txt & extra.txt. I will need you to copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Also please include the text from C:\rapport.txt


Cheers,

sage5

#3 dapnikola

  • Group: Member
  • Posts: 25
  • Joined: 12-July 04

Posted 27 September 2007 - 09:48 AM

First of all in order to be completely honest with please note that while I was waiting for youe answer, I made some efforts for cleaning my PC by myself using general instructions from this site. So, I post you a latest HijackThis log file in order check how my PC was just before I started following your instructions.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:29 μμ, on 27/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Nikola\Desktop\διάφορα\dss.exe
C:\DOCUME~1\Nikola\Desktop\945B~1\Nikola.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O22 - SharedTaskScheduler: gulch - {143404b0-ee92-40a7-8705-06fba9a7abf4} - (no file)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 3272 bytes


Here are the other log files you asked:

SmitFraudFix v2.230

Scan done at 18:20:57,98, ϣ 27/09/2007
Run from C:\Documents and Settings\Nikola\Desktop\› α­¦¨˜\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nikola


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nikola\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Nikola\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{143404b0-ee92-40a7-8705-06fba9a7abf4}"="gulch"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


and

Deckard's System Scanner v20070905.67
Run by Nikola on 2007-09-27 18:22:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
70: 2007-09-27 15:03:07 UTC - RP311 - Deckard's System Scanner Restore Point
69: 2007-09-27 07:43:22 UTC - RP310 - System Checkpoint
68: 2007-09-23 10:04:06 UTC - RP309 - Installed AVG 7.5
67: 2007-09-23 09:57:21 UTC - RP308 - Removed AVG 7.5
66: 2007-09-23 07:26:40 UTC - RP307 - Installed Google Toolbar for Internet Explorer


-- First Restore Point --
1: 2007-06-26 09:08:16 UTC - RP242 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 128 MiB (512 MiB recommended).


-- HijackThis (run as Nikola.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:29 μμ, on 27/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Nikola\Desktop\διάφορα\dss.exe
C:\DOCUME~1\Nikola\Desktop\945B~1\Nikola.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O22 - SharedTaskScheduler: gulch - {143404b0-ee92-40a7-8705-06fba9a7abf4} - (no file)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 3272 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 e4usbaw (USB ADSL2 WAN Adapter) - c:\windows\system32\drivers\e4usbaw.sys <Not Verified; Analog Devices Inc.; ADSL USB WAN Driver>

S3 Mtlmnt5 - c:\windows\system32\drivers\mtlmnt5.sys <Not Verified; ; Modem>
S3 Mtlstrm - c:\windows\system32\drivers\mtlstrm.sys <Not Verified; ; Modem>
S3 NtMtlFax - c:\windows\system32\drivers\ntmtlfax.sys <Not Verified; ; Modem>
S3 RecAgent - c:\windows\system32\drivers\recagent.sys <Not Verified; ; Modem>
S3 Slnt7554 (USB Soft Modem Driver) - c:\windows\system32\drivers\slnt7554.sys <Not Verified; ; USB Software Modem>
S3 SlNtHal - c:\windows\system32\drivers\slnthal.sys <Not Verified; ; Modem for windows NT>
S3 SlWdmSup - c:\windows\system32\drivers\slwdmsup.sys <Not Verified; Vireo Software; Driver::Works>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Diskeeper - "c:\program files\diskeeper corporation\diskeeper\dkservice.exe" <Not Verified; Diskeeper Corporation; Diskeeper ™ Disk Defragmenter>
R2 SLService (SmartLinkService) - slserv.exe <Not Verified; ; Modem>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-09-26 16:04:05 366 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-09-22 19:55:04 522 --a------ C:\WINDOWS\Tasks\AntiSpywareBot Scheduled Scan.job
2007-09-15 12:18:52 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-08-27 and 2007-09-27 -----------------------------

2007-09-26 16:49:51 1452 --a------ C:\WINDOWS\System32\tmp.reg
2007-09-26 16:48:30 289144 --a------ C:\WINDOWS\System32\VCCLSID.exe <Not Verified; S!Ri; >
2007-09-26 16:48:30 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-09-26 16:48:30 53248 --a------ C:\WINDOWS\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-09-26 16:48:30 51200 --a------ C:\WINDOWS\System32\dumphive.exe
2007-09-26 16:39:41 0 d-------- C:\Documents and Settings\Nikola\Application Data\Grisoft
2007-09-23 13:04:58 0 d-------- C:\Documents and Settings\Nikola\Application Data\AVG7
2007-09-23 13:04:40 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-23 13:04:08 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-09-22 20:29:00 0 d--hs---- C:\WINDOWS\CSC
2007-09-22 20:25:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sony Ericsson
2007-09-22 19:54:28 0 d-------- C:\Documents and Settings\Nikola\Application Data\AntiSpywareBot
2007-09-16 12:01:36 0 --a------ C:\Documents and Settings\Nikola\NULL
2007-09-16 03:03:58 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-15 13:08:57 0 d-------- C:\Program Files\KVS2007
2007-09-15 12:23:52 0 d-------- C:\Documents and Settings\Nikola\Application Data\Apple Computer
2007-09-15 12:18:25 0 d-------- C:\Program Files\Apple Software Update
2007-09-15 12:18:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-04 22:58:59 0 --a------ C:\WINDOWS\nsreg.dat
2007-09-04 22:58:33 0 d-------- C:\Documents and Settings\Nikola\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2007-09-23 10:27:12 0 d-------- C:\Program Files\Google
2007-09-22 21:16:43 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryUpdate"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [23/09/2007 01:12 ££]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 12:25 ££]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/07/2007 01:23 ££]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)




-- End of Deckard's System Scanner: finished at 2007-09-27 18:25:51 ------------


Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 75%
Physical Memory (total/avail): 127.48 MiB / 31.34 MiB
Pagefile Memory (total/avail): 306.82 MiB / 81.18 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1980.94 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 18.62 GiB total, 4.97 GiB free.
D: is Fixed (FAT32) - 18.62 GiB total, 18.24 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400BB-75CAA0 - 37.25 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 18.62 GiB - C:
\PARTITION1 - Unknown - 18.63 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Nikola\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NIKOLAOU
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA8
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Nikola
LOGONSERVER=\\NIKOLAOU
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\Diskeeper Corporation\Diskeeper\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0803
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Nikola\LOCALS~1\Temp
TMP=C:\DOCUME~1\Nikola\LOCALS~1\Temp
USERDOMAIN=NIKOLAOU
USERNAME=Nikola
USERPROFILE=C:\Documents and Settings\Nikola
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Nikola (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Συγκεντρωτικές καταστάσεις Πελατών-Προμηθευτών Έκδοση 2007 v1 --> "C:\Program Files\KVS2007\unins000.exe"
Συγκεντρωτικές καταστάσεις Πελατών-Προμηθευτών v1 --> "C:\Program Files\KVS\unins000.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 6.0 CE --> MsiExec.exe /I{AC76BA86-7AD7-1032-7646-CE0000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Adobe® Photoshop® Album Starter Edition 3.0.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9618743-1A5C-461E-91C4-E013A3D70F3C}\Setup.exe" -l0x9
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BJ Printer --> C:\WINDOWS\System32\cnmUnInst.exe -@C:\WINDOWS\IsUninst.exe -fC:\CanonBJ\DeIsL1.isu -c"C:\CanonBJ\bjinst.dll
Disc2Phone --> MsiExec.exe /I{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}
Diskeeper Professional Edition --> MsiExec.exe /X{DE4847A9-E86B-4BBB-B991-58C5ACA4FA04}
Football Manager 2005 --> MsiExec.exe /I{EC0AB585-B279-4A77-8BB5-64C403E43EE7}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 2.0.2 --> "C:\Documents and Settings\Nikola\Desktop\διάφορα\diafora\HijackThis.exe" /uninstall
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
M I N I Calendar 3 --> C:\WINDOWS\M I N I Calendar 3.scr -U
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
MINI Screensaver 02 06 --> C:\WINDOWS\MINI Screensaver 02 06.scr /u
Mozilla Firefox (2.0) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
MSN Messenger 7.0 --> MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600777}
MSN Toolbar --> C:\Program Files\MSN Apps\MSN Toolbar1.02.5000.1021\el-gr\mtbs.exe c
Neurosoft's Greek Speller 2.0 & Hyphenator 2.0 for MS Office XP --> "C:\Program Files\Uninstall Information\NLT4OfficeXP\unins000.exe"
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
OTEnet-SAGEM Fast 800 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}\Setup.exe" -l0x8
PIXresizer 1.0.9 --> "C:\Program Files\PIXresizer\unins000.exe"
Play65 --> C:\Program Files\Play65\Play65.exe /uninstall
SmartUSB56 Voice Modem --> C:\WINDOWS\Modio\SLUSB2KV\Setup.exe /Remove
Sony Ericsson PC Suite --> MsiExec.exe /I{FC906D5C-91F9-4DA4-A765-6DCBB669F317}
SweetIM For Internet Explorer 3.0b --> MsiExec.exe /X{F6D63A65-BD23-46F3-B9A3-87F442423481}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Zuerich Screensaver --> C:\WINDOWS\System32\Zuerich Screensaver.scr /u


-- Application Event Log -------------------------------------------------------

Event Record #/Type14515 / Error
Event Submitted/Written: 09/27/2007 06:07:53 PM
Event ID/Source: 2002 / Perflib
Event Description:
The open procedure for service "WmiApRpl" in DLL "C:\WINDOWS\System32\wbem\wmiaprpl.dll" has taken longer than
the established wait time to complete. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Event Record #/Type14514 / Error
Event Submitted/Written: 09/27/2007 06:07:12 PM
Event ID/Source: 1015 / Perflib
Event Description:
The timeout waiting for the performance data collection function "Outlook"
in the "C:\PROGRA~1\COMMON~1\SYSTEM\MSMAPI\1033\MSMAPI32.DLL" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Event Record #/Type14494 / Error
Event Submitted/Written: 09/27/2007 05:54:41 PM
Event ID/Source: 2002 / Perflib
Event Description:
The open procedure for service "WmiApRpl" in DLL "C:\WINDOWS\System32\wbem\wmiaprpl.dll" has taken longer than
the established wait time to complete. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Event Record #/Type14474 / Error
Event Submitted/Written: 09/27/2007 11:43:13 AM
Event ID/Source: 2002 / Perflib
Event Description:
The open procedure for service "WmiApRpl" in DLL "C:\WINDOWS\System32\wbem\wmiaprpl.dll" has taken longer than
the established wait time to complete. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Event Record #/Type14438 / Error
Event Submitted/Written: 09/27/2007 09:32:22 AM
Event ID/Source: 2002 / Perflib
Event Description:
The open procedure for service "WmiApRpl" in DLL "C:\WINDOWS\System32\wbem\wmiaprpl.dll" has taken longer than
the established wait time to complete. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type30273 / Error
Event Submitted/Written: 09/27/2007 06:24:49 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The SmartLinkService service has reported an invalid current state 0.

Event Record #/Type30261 / Error
Event Submitted/Written: 09/27/2007 06:08:13 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The General Purpose USB Driver (e4ldr.sys) service failed to start due to the following error:
%%1058

Event Record #/Type30248 / Error
Event Submitted/Written: 09/27/2007 05:55:06 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The General Purpose USB Driver (e4ldr.sys) service failed to start due to the following error:
%%1058

Event Record #/Type30233 / Error
Event Submitted/Written: 09/27/2007 11:43:26 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The General Purpose USB Driver (e4ldr.sys) service failed to start due to the following error:
%%1058

Event Record #/Type30213 / Error
Event Submitted/Written: 09/27/2007 09:32:39 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The General Purpose USB Driver (e4ldr.sys) service failed to start due to the following error:
%%1058



-- End of Deckard's System Scanner: finished at 2007-09-27 18:25:51 ------------


I wait for you answer, I understand that OTMoveIt is for later use because you didn;t ask me to run it, am I right??

THANK YOU FOR THE HELP

#4 sage5

  • Group: Retired Staff
  • Posts: 2,646
  • Joined: 08-June 06

Posted 28 September 2007 - 07:46 AM

Hi dapnikola,


According to your log, you have an outdated version of Windows XP. This must be fixed before we can continue.
The first step in this process is to apply Service Pack 1a for Windows XP.
Without this update, the risk of re-infection is far too high, for any PC accesssing the internet.
Download the Service Pack Here
Apply the update, reboot, and continue below

You don't appear to be running a 3rd party firewall. These are essential to protect from trojans, viruses, spyware etc.

You should check out:- Comodo Firewall Pro or Sunbelt Personal Firewall

User manuals are available for both:
Comodo Manual Here

Sunbelt Manual Here

Both are simple to install & free to use.
Please install only 1

Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for the all the entries listed below:
O22 - SharedTaskScheduler: gulch - {143404b0-ee92-40a7-8705-06fba9a7abf4} - (no file)
  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.

Clean up Registry with a Reg file:
  • Please open a new Notepad file by clicking Start\All Programs\Accessories\Notepad
  • Copy the text from the following Code box, by highlighting all the text and right click, Select Copy. (or use the Ctrl+C keyboard shortcut)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryUpdate"=-
  • Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)
  • Save the file to the Desktop, make sure Type is All Files, and name it Fixreg.reg
  • Double click on the file created and click Yes when asked to merge the information into the Registry


Shut down & Reboot normally:

Run HijackThis again:
  • Select the Run a system scan and save a logfile button. The logfile will open in Notepad.
  • Start your Web Browser and navigate back to this thread.
  • Click the Add Reply button
  • Copy and Paste the text into the Reply window.
Please include a note to tell me how your PC is running now.

Cheers,

sage5

#5 dapnikola

  • Group: Member
  • Posts: 25
  • Joined: 12-July 04

Posted 29 September 2007 - 02:35 AM

First of all, THANK YOU
My PC is running pretty well now, or I think so...

About windows update, I'll try it during the weekend.

What about OTMoveIt??? Do I have to run it??

If you think that everything is normal according to the following log, close this topic:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:57 πμ, on 29/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Nikola\Desktop\διάφορα\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 3147 bytes

#6 sage5

  • Group: Retired Staff
  • Posts: 2,646
  • Joined: 08-June 06

Posted 29 September 2007 - 05:21 AM

Hi dapnikola

Congratulations, your new log looks clear, so we can now deal with some final clean up jobs.


Cleanup with OTMoveIt:
  • Please double-click OTMoveIt.exe to run it.
  • Click the Clean up button
  • Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • Click Yes to the reboot.

To Clear Restore points, please do the following:
  • Go to Start > Settings > Control Panel.
  • Double-click the System icon.
      NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.

  • Click the Performance tab, and then click File System.
  • Click the Troubleshooting tab, and then put a check by Disable System Restore.
  • Click Apply, OK, OK. Click Yes when you are prompted to restart Windows.
After reboot, you must turn System Restore back on:
  • Go back to the Troubleshooting tab.
  • UNcheck Disable System Restore.
  • Click Apply, OK, OK. Click Yes when you are prompted to restart Windows.

Lastly, some extra or better security for your PC:

The programs recommended below will reduce the potential for spyware infection in the future:-

Spyware Prevention:
Spyware Blaster by JavaCool Software, prevents spyware installing and consumes no system resources.
IE/SpyAd, stops suspect sites loading ActiveX, popups etc onto your PC. An excellent tutorial is Here

Spyware Detection:
AVG Anti-Spyware is my favourite here.

Anti-Virus:
You are currently coverd by Grisoft's AVG Free Edition

Firewall:
A Firewall is an essential tool in the security of any PC connected to the Internet. They are an important tool to prevent reinfection
Kerio and Comodo are both excellent freeware.

Alternate Browsers:
Thankfully, there are now some excellent alternatives to MS Internet Explorer. They offer better security, more stability, and better speed.
A couple of good examples are: Firefox and Opera

Other Updates:
Vital security patches and updates are available for Microsoft Windows and Internet Explorer at the Windows Update Site
Your version of Windows is significantly out of date, and a major security risk. Make sure you update it as soon as possible.

It is equally important to update the other security software you use, on a regular basis.

Further reading about these issues is available in a very good article: How did I get infected in the first place ? (by Tony Klein and dvk01)

All the best,

sage5

#7 dapnikola

  • Group: Member
  • Posts: 25
  • Joined: 12-July 04

Posted 01 October 2007 - 09:52 AM

View Postsage5, on Sep 29 2007, 06:21 AM, said:

Hi dapnikola

Congratulations, your new log looks clear, so we can now deal with some final clean up jobs.


Cleanup with OTMoveIt:
  • Please double-click OTMoveIt.exe to run it.
  • Click the Clean up button
  • Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • Click Yes to the reboot.
To Clear Restore points, please do the following:
  • Go to Start > Settings > Control Panel.
  • Double-click the System icon.
      NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.

  • Click the Performance tab, and then click File System.
  • Click the Troubleshooting tab, and then put a check by Disable System Restore.
  • Click Apply, OK, OK. Click Yes when you are prompted to restart Windows.
After reboot, you must turn System Restore back on:
  • Go back to the Troubleshooting tab.
  • UNcheck Disable System Restore.
  • Click Apply, OK, OK. Click Yes when you are prompted to restart Windows.


I run OTMoveIt and after I restarted my PC, OTMoveIt has disappeared? Is this norma?
My PC is runing great but a bit slower in start.
I can't follow your instructions in order to clear the previous restore points, because I can't find the performance tab you're talking about!

Could you please help me?

#8 sage5

  • Group: Retired Staff
  • Posts: 2,646
  • Joined: 08-June 06

Posted 02 October 2007 - 06:32 AM

Hi dapnikola,

My apologies, I provided the instructions for the wrong Operating System.
Try this:

Clear Out Old Restore points:
(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

The OT_MoveIt cleanup routine is to get rid of all the tools and clutter from the fix, so it also removes itself.

If you are still having issues with startup times, consider removing the following:

Clean up Registry with a Reg file:
  • Please open a new Notepad file by clicking Start\All Programs\Accessories\Notepad
  • Copy the text from the following Code box, by highlighting all the text and right click, Select Copy. (or use the Ctrl+C keyboard shortcut)
Windows Registry Editor Version 5.00

 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryUpdate"=-

[-HKEY_CLASSES_ROOT\CLSID\{143404b0-ee92-40a7-8705-06fba9a7abf4}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{143404b0-ee92-40a7-8705-06fba9a7abf4}]
  • Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)
  • Save the file to the Desktop, make sure Type is All Files, and name it Fixreg.reg
  • Double click on the file created and click Yes when asked to merge the information into the Registry

Remove folders & files:
  • Please go to Start > Control Panel > Add/Remove Programs and remove the following, (if present):
    KVS2007 or KVS
    LiveUpdate 2.6
    SweetIM For Internet Explorer 3.0b
    Please take note of any other programs that you don't recognise in that list, and include them in your next response
  • Using Windows Explorer, (to get there right-click your Start button and go to "Explore"), delete these folders, (if present):
    C:\Program Files\KVS2007
    C:\Documents and Settings\Nikola\Application Data\AntiSpywareBot
    C:\Documents and Settings\Nikola\NULL
  • Delete these files, (if present):
    C:\WINDOWS\Tasks\AntiSpywareBot Scheduled Scan.job
Please tell me if those removals made any difference to startup times

Cheers,

sage5

#9 dapnikola

  • Group: Member
  • Posts: 25
  • Joined: 12-July 04

Posted 02 October 2007 - 03:01 PM

THANKS a lot for your help.

On add/remove programs list I have a lot of different entries of something called windows XP hotfix KB..., what shall I do with these??

KVS is a program for on-line taxes so I won't delete it from the program files.
Can I delete Symantec NetDetect from the windows>tasks folder?

That's all for now.

Sorry for the delayed answers but I have a bad week at work...

#10 sage5

  • Group: Retired Staff
  • Posts: 2,646
  • Joined: 08-June 06

Posted 02 October 2007 - 05:38 PM

Hi dapnikola,

Thanks for the update on the KV/KV2007 program.

Yes you can also remove the C:\WINDOWS\Tasks\Symantec NetDetect.job

The listings for windows XP hotfix KB... are the individual fixes applied by Windows Update and need to be kept.

Cheers,

sage5

#11 sage5

  • Group: Retired Staff
  • Posts: 2,646
  • Joined: 08-June 06

Posted 11 October 2007 - 07:59 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Share this topic:


Page 1 of 1