I am in Trouble trojanclicker.delf.naz [RESOLVED]


#1 chaztrip (New Member, 8 posts)
Hello, I don't know where I picked this up, but I can't get rid of it at all! I have NOD32 3.0 and it will not get rid of the 2 infected .dll files.

I have run in safe mode and it won't go away.
I have tried NOD's unDLL in safe mode and it says that it deletes them, but they come back.
I have run SUPERAntiSpyware in safe mode and it finds threats and says it deletes them... When I boot back into normal Windows, tcpip is hosed and I have to copy tcpip.sys from another machine via CD to fix it.
I have run AVG in safe mode; same thing.
I have tried to run Panda, but it was going on 3 hours... Now when I boot the machine up, I have Explorer maxing out at 97% CPU.

Here is the HijackThis log... I did call NOD32 support and they told me to reimage my machine... That is not an option at this point... Can anyone help me get rid of this? PLEASE

LOG FILE

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:56 PM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\NoteBurner\VTBurnerGUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\CMS Products\BounceBack Professional\BBLauncher.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {63973C06-BF5E-4D72-A952-44C48B831B7B} - c:\windows\system32\d3dx9_30l.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {A55DF2AB-FBE2-44FA-BA6D-9E8A4C058909} - C:\WINDOWS\SYSTEM32\CIODMN.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [DUMPREP ] C:\WINDOWS%\SYSTEM32\DUMPREP 0 -U
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1200413034894
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1200413007816
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/...tall/AxCtp2.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqxbddg - C:\WINDOWS\SYSTEM32\d3dx9_30l.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: M-Audio USB Installer (MAudioUSBService) - M-Audio - C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 9719 bytes
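A small triage pass over HijackThis log lines of the kind posted above, added here as an example for this page and not a tool from the thread or from Trend Micro. It parses the "O" entries and flags the patterns a helper looks for in this log: an unnamed BHO loaded from a system directory, a Winlogon Notify hook with a generated-looking name, an entry whose file is missing, and one DLL registered under more than one load point. The sample lines are constructed from the log in post #1, and the vowel-ratio heuristic for generated names is an assumption of this example, not a HijackThis rule.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format, modelled on the log posted
# in this thread: the two DLLs ComboFix later removed, plus legitimate
# entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {63973C06-BF5E-4D72-A952-44C48B831B7B} - c:\windows\system32\d3dx9_30l.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {A55DF2AB-FBE2-44FA-BA6D-9E8A4C058909} - C:\WINDOWS\SYSTEM32\CIODMN.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqxbddg - C:\WINDOWS\SYSTEM32\d3dx9_30l.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# "O<n> - <label>: <fields separated by ' - '>"; the last field is the path.
LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<label>[^:]+): (?P<rest>.*)$")
SYSTEM_DIR = "c:\\windows\\"
VOWELS = set("aeiouy")


@dataclass
class Entry:
    section: str   # O2, O4, O20, ...
    label: str     # BHO, Winlogon Notify, Service, ...
    name: str      # display name; "(no name)" when HijackThis found none
    path: str      # file HijackThis resolved for the entry
    raw: str


def parse_hjt(text: str) -> list[Entry]:
    """Parse the 'O' entries of a HijackThis log; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # Display name first, path last; CLSIDs and vendors sit in between.
        fields = m.group("rest").split(" - ")
        entries.append(Entry(m.group("section"), m.group("label"),
                             fields[0], fields[-1], raw))
    return entries


def looks_random(name: str) -> bool:
    """Assumed heuristic for generated names such as 'ssqxbddg' in this
    thread: a run of lowercase letters with almost no vowels."""
    return (name.isalpha() and name.islower() and len(name) >= 6
            and sum(c in VOWELS for c in name) / len(name) <= 0.25)


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIR)


def triage(text: str) -> dict[str, list[str]]:
    """Map lower-cased path -> reasons for every entry worth a second look."""
    entries = parse_hjt(text)
    # Which load points (O2, O20, ...) each file is registered under.
    load_points: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        load_points[e.path.lower()].add(e.section)

    findings: dict[str, list[str]] = {}

    def flag(path: str, reason: str) -> None:
        reasons = findings.setdefault(path.lower(), [])
        if reason not in reasons:
            reasons.append(reason)

    for e in entries:
        if e.path.endswith("(file missing)"):
            flag(e.path, "dangling entry, file missing")
        elif e.section == "O2" and e.name == "(no name)" and in_system_dir(e.path):
            flag(e.path, "unnamed BHO loaded from a system directory")
        elif e.section == "O20" and looks_random(e.name) and in_system_dir(e.path):
            flag(e.path, "Winlogon Notify hook with a generated-looking name")
        # The same DLL hooked from several load points is the strongest signal.
        sections = load_points[e.path.lower()]
        if len(sections) > 1 and in_system_dir(e.path):
            flag(e.path, "same DLL registered under " + ", ".join(sorted(sections)))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```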


#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello chaztrip

Welcome to G2Go. :)
======================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 chaztrip (Topic Starter, New Member, 8 posts)
Here are the log files. It is very hard to do much on this machine since explorer.exe is getting maxed out at 99%. It appears that ComboFix got rid of the .dll files, but why is my machine getting bogged down ever since I ran AVG Anti-Spyware?

Thanks for your help, and I will donate nicely to you if you can assist with this. I am going to work now and will check in later today around 4 CST.

ComboFix log:
ComboFix 08-02-13.2 - Ner0z 2008-02-13 8:17:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.540 [GMT -6:00]
Running from: C:\Documents and Settings\Ner0z\Desktop\Mark\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ciodmn.dll
C:\WINDOWS\system32\d3dx9_30l.dll
C:\WINDOWS\system32\ciodmn.dll
C:\WINDOWS\system32\d3dx9_30l.dll
C:\WINDOWS\system32\drivers\hcykbgvk.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_UHSYFTPM
-------\LEGACY_UOIOKHWB
-------\uhsyftpm
-------\uoiokhwb


((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-12 20:00 . 2008-02-12 20:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-12 18:15 . 2008-02-12 18:15 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-12 18:15 . 2008-02-12 18:15 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-12 18:14 . 2008-02-12 19:40 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-12 18:14 . 2008-02-12 18:15 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-12 11:29 . 2008-02-12 11:29 <DIR> d-------- C:\Documents and Settings\Ner0z\Application Data\Grisoft
2008-02-12 11:29 . 2008-02-12 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-12 11:29 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-12 11:03 . 2008-02-12 11:03 <DIR> d-------- C:\VundoFix Backups
2008-02-11 21:58 . 2008-02-11 21:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-02-11 20:30 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-11 20:30 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-11 20:30 . 2008-02-08 23:55 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-11 20:30 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-11 20:30 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-11 20:30 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-11 20:30 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-11 20:00 . 2008-02-11 20:30 2,948 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-11 11:43 . 2008-02-11 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-11 11:42 . 2008-02-12 07:07 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-11 11:42 . 2008-02-11 11:42 <DIR> d-------- C:\Documents and Settings\Ner0z\Application Data\SUPERAntiSpyware.com
2008-02-09 08:55 . 2008-02-09 08:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-09 08:54 . 2008-02-09 08:54 <DIR> d-------- C:\Program Files\iTunes
2008-02-09 08:54 . 2008-02-09 08:54 <DIR> d-------- C:\Program Files\iPod
2008-02-09 08:35 . 2008-02-09 08:35 <DIR> d-------- C:\Program Files\Cloudbrain
2008-02-09 08:29 . 2008-02-09 08:29 <DIR> d-------- C:\Program Files\Reasonable NoClone 2007 Home
2008-02-09 08:29 . 2008-02-09 08:29 <DIR> d-------- C:\Documents and Settings\Ner0z\Application Data\Reasonable Software House Ltd
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-22 18:19 . 2008-02-12 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-18 15:46 . 2008-01-18 15:46 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-01-18 15:46 . 2008-01-18 15:46 741,632 --a------ C:\WINDOWS\system32\cvgieesi.dat
2008-01-18 15:46 . 2008-01-18 15:46 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-01-18 15:46 . 2008-02-04 23:36 42,752 --a------ C:\WINDOWS\system32\hapgnkpg.dat
2008-01-18 15:46 . 2008-02-13 03:39 36,608 --a------ C:\WINDOWS\system32\mmoblqbc.dat
2008-01-18 15:46 . 2008-01-18 15:46 35,072 --a------ C:\WINDOWS\system32\nlskxwcw.dat
2008-01-17 22:09 . 2008-01-17 22:09 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-17 22:09 . 2008-01-17 22:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-17 22:08 . 2008-02-11 11:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-17 19:33 . 2008-01-17 19:33 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-17 19:30 . 2008-01-17 19:30 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-17 19:22 . 2007-01-08 19:07 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-17 15:43 . 2008-02-07 00:14 120,576 --a------ C:\WINDOWS\system32\lygluksa.dat
2008-01-17 15:37 . 2008-02-12 17:27 <DIR> d-------- C:\WINDOWS\system32\AppCert
2008-01-15 10:04 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-15 10:04 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-15 10:04 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-15 10:04 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 15:16 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-12 04:00 --------- d-----w C:\Program Files\ESET
2008-02-09 14:49 --------- d-----w C:\Program Files\QuickTime
2008-01-23 00:20 --------- d-----w C:\Program Files\Google
2008-01-15 08:39 30,464 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-01-14 17:39 --------- d-----w C:\Program Files\eMule
2008-01-07 01:10 --------- d-----w C:\Documents and Settings\Ner0z\Application Data\AceBIT
2008-01-07 01:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\AceBIT
2008-01-07 01:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-07 01:09 --------- d-----w C:\Program Files\AceBIT
2007-12-25 03:16 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-25 03:16 --------- d--h--r C:\Documents and Settings\Ner0z\Application Data\SecuROM
2007-12-25 02:54 --------- d-----w C:\Program Files\EA SPORTS
2007-12-21 14:21 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-12-21 14:20 30,216 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-12-21 14:19 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-27 15:36 1,366,528 ----a-w C:\WINDOWS\system32\we5.dll
2004-07-30 13:56 90,112 ----a-w C:\Program Files\Common Files\PCSBclean.exe
2004-07-26 19:30 291,840 ----a-w C:\Program Files\Common Files\PCSBoff.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-10 20:57 68856]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-02-25 09:00 160832]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-09-16 06:39 69632 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 20:07 7110656]
"nwiz"="nwiz.exe" [2005-07-20 20:07 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-07-20 20:07 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07 49263]
"EEventManager"="C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 09:30 102400]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-04-19 11:33 271936]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2005-12-13 09:39 91136]
"NoteBurner"="C:\Program Files\NoteBurner\VTBurnerGUI.exe" [2007-10-15 10:41 3469312]
"DUMPREP "="C:\WINDOWS%\SYSTEM32\DUMPREP 0 -U" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 14:18 267048]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\system32\AppCert\wsil32.dll

R0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys [2007-05-16 10:42]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R2 MAudioUSBService;M-Audio USB Installer;C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe [2005-12-02 08:20]
R2 portD;CMS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys [2007-06-26 23:20]
R3 motubus;MOTU Audio MIDI Extension;C:\WINDOWS\system32\drivers\MotuBus.sys [2007-01-04 17:17]
S3 MAUSB;Service for M-Audio Fast Track Pro Driver (WDM);C:\WINDOWS\system32\DRIVERS\mausb.sys [2005-12-13 09:39]
S3 MotuMidi;MOTU MIDI Device;C:\WINDOWS\system32\drivers\MotuMidi.sys [2007-01-04 17:17]
S3 MotuUsb;MotuUsb;C:\WINDOWS\system32\Drivers\MotuUsb.sys [2007-01-04 17:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{792dffd6-b2cf-11db-ba82-00142ae01fa0}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 21:29:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 09:15:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\vsmidi.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\vsmidi.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\vsmidi.dll
-> C:\Program Files\ArcSoft\PhotoImpression 5\share\pihook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CMS Products\BounceBack Professional\BBLauncher.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-02-13 9:22:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-13 15:22:21

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:32 AM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\NoteBurner\VTBurnerGUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CMS Products\BounceBack Professional\BBLauncher.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [DUMPREP ] C:\WINDOWS%\SYSTEM32\DUMPREP 0 -U
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1200413034894
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1200413007816
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/...tall/AxCtp2.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: M-Audio USB Installer (MAudioUSBService) - M-Audio - C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 9177 bytes
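A small parser for the HijackThis log format posted above, as an added example and not code from the thread or from HijackThis itself. It splits each Oxx line into section, body and target, and flags the entries a responder would look at first: targets marked (file missing) or (no file), bare file names that are resolved through the search path, O16 ActiveX downloads, and, under \WINDOWS, eight-letter lowercase names of the kind kahdah lists in the next reply. The flagging rules are this example's own assumptions, the sample lines are taken from the logs in this thread, and the last sample line is constructed to exercise the random-name check.

```python
"""Parse HijackThis 2.0.2 "Oxx" log lines and flag entries worth a closer look.

Added example for this thread: the author's own code, not part of HijackThis or of
the posts. The flagging rules are this example's assumptions, meant as prompts for
a human reviewer, not verdicts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# First absolute Windows path ending in a common module/executable extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|sys|dat|cpl|scr|ocx))(?![\w.])", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
RANDOM_STEM_RE = re.compile(r"[a-z]{8}")


@dataclass
class HjtEntry:
    section: str               # "O4", "O23", ...
    body: str                  # text after "O4 - "
    target: Optional[str]      # file path, bare file name or URL
    flags: List[str] = field(default_factory=list)


def _command_part(section: str, body: str) -> str:
    """Isolate the part of the line that names the executable, DLL or URL."""
    if section == "O4":
        # 'HKLM\..\Run: [Name] command'  or  'Global Startup: X.lnk = target'
        if "] " in body:
            return body.split("] ", 1)[1].strip()
        if " = " in body:
            return body.split(" = ", 1)[1].strip()
        return body.strip()
    return body.rsplit(" - ", 1)[-1].strip()     # other sections end in ' - <target>'


def _target(section: str, cmd: str) -> Optional[str]:
    """Reduce a command string to the path (or URL) it launches."""
    cmd = cmd.replace("(file missing)", "").strip()
    if section == "O16" or cmd.lower().startswith(("http://", "https://")):
        return cmd                                # download URL, not a local file
    if cmd == "(no file)" or not cmd:
        return None
    if cmd.startswith('"'):                       # quoted path followed by arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd.strip('"')
    m = PATH_RE.search(cmd)                       # e.g. RUNDLL32.EXE C:\...\NvCpl.dll,NvStartup
    if m:
        return m.group(1)
    if DRIVE_RE.match(cmd):
        return cmd                                # absolute path without a known extension
    return cmd.split()[0]                         # bare file name, e.g. SOUNDMAN.EXE


def _flags(section: str, body: str, target: Optional[str]) -> List[str]:
    """Heuristic review prompts for one entry (assumptions of this example)."""
    flags = []
    if "(file missing)" in body:
        flags.append("target file missing")
    if target is None:
        flags.append("no file")
        return flags
    if section == "O16":
        flags.append("ActiveX download (DPF): confirm the source")
        return flags
    low = target.lower()
    if not DRIVE_RE.match(low):
        flags.append("no absolute path: resolved through the search path")
        return flags
    if "\\temp\\" in low:
        flags.append("runs from a temp directory")
    stem, _, ext = low.rsplit("\\", 1)[-1].rpartition(".")
    if "\\windows\\" in low and RANDOM_STEM_RE.fullmatch(stem) and ext in ("dat", "dll", "exe"):
        flags.append("random-looking 8-letter file name under \\WINDOWS")
    return flags


def parse_hjt(text: str) -> List[HjtEntry]:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                               # header, process list, blank lines
        section, body = m.group(1), m.group(2)
        target = _target(section, _command_part(section, body))
        entries.append(HjtEntry(section, body, target, _flags(section, body, target)))
    return entries


def flagged(entries: List[HjtEntry]) -> List[HjtEntry]:
    return [e for e in entries if e.flags]


# Sample lines copied from the HijackThis logs in this thread, plus one constructed
# O4 line (the last one) using one of the .dat names listed later in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O24 - Desktop Component 0: (no name) - (no file)
O4 - HKLM\..\Run: [constructed] C:\WINDOWS\system32\cvgieesi.dat
"""
```

Run `flagged(parse_hjt(SAMPLE_LOG))` to get only the entries with review prompts; everything else parses cleanly to its target path so it can be checked against a known-good install. The eight-letter rule is deliberately restricted to paths under \WINDOWS so that legitimate eight-letter names in Program Files (SASWINLO.dll above) are not reported.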

#4
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
The reason might be the anti-spyware guard.
I do not see AVG Anti-Spyware installed any more.
If it is still installed, then please uninstall it.

If it is already uninstalled, then do the following (this will delete the guard service):

Please go to Start > Run and type in Notepad.
Copy what is in the code box below into the open Notepad window.
Change the "Save As Type" to "All Files". Save it as fixthis.bat on your Desktop.
@Echo off
rem Stop the AVG Anti-Spyware Guard service, then remove its service registration
sc stop "AVG Anti-Spyware Guard"
sc delete "AVG Anti-Spyware Guard"
exit
Then please double-click on fixthis.bat; a window will open and close quickly. This is normal.
===============================================================
After that do the following:


1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\cvgieesi.dat
C:\WINDOWS\system32\hapgnkpg.dat
C:\WINDOWS\system32\mmoblqbc.dat
C:\WINDOWS\system32\nlskxwcw.dat
C:\WINDOWS\system32\lygluksa.dat
C:\WINDOWS\system32\AppCert\wsil32.dll
C:\WINDOWS\system32\vsmidi.dll
Folder::
C:\VundoFix Backups
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
"AppSecDll"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#5
chaztrip

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Problem... When I drag the .txt file into ComboFix it asks me to run it, then it opens up a little display like it is running, then it just quits. I rebooted and tried both again and it's still the same... ComboFix won't run and Explorer is still pegging out.

#6
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Okay try this then:

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\cvgieesi.dat
    C:\WINDOWS\system32\hapgnkpg.dat
    C:\WINDOWS\system32\mmoblqbc.dat
    C:\WINDOWS\system32\nlskxwcw.dat
    C:\WINDOWS\system32\lygluksa.dat
    C:\WINDOWS\system32\AppCert\wsil32.dll
    C:\WINDOWS\system32\vsmidi.dll
    C:\VundoFix Backups
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls\\AppSecDll
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
===================
After that, please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

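Two checks around the OTMoveIt2 step above, as an added example (the author's own Python, not part of OTMoveIt2 or of the posts). `check_list` validates each pasted line before the list is run; it catches the case visible in the next reply, where the first path arrived as `:\WINDOWS\system32\cvgieesi.dat` without its drive letter and was reported not found. `summarise_log` reads the result log OTMoveIt2 writes and groups what was moved, deleted, not found and not unregistered. The list conventions assumed (one item per line, absolute paths for files and folders, registry values written as key\\value) are those used in the instructions above; the paste list and log lines are taken from this thread, with the missing drive letter in the first list entry reproduced deliberately.

```python
"""Pre-flight an OTMoveIt2 paste list and summarise its result log.

Added example for this thread: the author's own code, not part of OTMoveIt2. It
assumes the list conventions used in the posts: one item per line, files and
folders as absolute paths, registry values written as <key>\\<value name>.
"""
import re
from typing import Dict, List, Tuple

HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKLM", "HKCU", "HKCR", "HKU"}
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

# Outcome phrases OTMoveIt2 prints at the end of a result line (as seen in the log below).
VERBS = {
    "moved successfully": "moved",
    "deleted successfully": "deleted",
    "not found": "not_found",
    "NOT unregistered": "not_unregistered",
}
RESULT_RE = re.compile(
    r"^(?P<what>.+?) (?P<verb>moved successfully|deleted successfully|not found|NOT unregistered)\.$")
PREFIX_RE = re.compile(r"^(File/Folder|Registry value) ")


def check_item(item: str) -> Tuple[bool, str]:
    """Classify one pasted line; returns (ok, reason)."""
    item = item.strip()
    if not item:
        return False, "empty line"
    if item.startswith((":\\", "\\")):
        # What happened in the next reply: the leading drive letter was lost on paste.
        return False, "path is missing its drive letter"
    if DRIVE_RE.match(item):
        if item.endswith("\\"):
            return False, "trailing backslash"
        return True, "file or folder"
    head = item.split("\\", 1)[0].upper()
    if head in HIVES:
        return (True, "registry value") if "\\\\" in item else (True, "registry key")
    return False, "neither an absolute path nor a registry path"


def check_list(text: str) -> List[Tuple[str, bool, str]]:
    """Run check_item over every non-empty line of a paste list."""
    return [(line.strip(), *check_item(line)) for line in text.splitlines() if line.strip()]


def summarise_log(text: str) -> Dict[str, List[str]]:
    """Group the targets in an OTMoveIt2 result log by outcome."""
    out: Dict[str, List[str]] = {key: [] for key in VERBS.values()}
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            out[VERBS[m.group("verb")]].append(PREFIX_RE.sub("", m.group("what")))
    return out


# Paste list from the instructions above; the first line is constructed to reproduce
# the dropped drive letter that shows up in the result log of the next reply.
PASTE_LIST = r"""
:\WINDOWS\system32\cvgieesi.dat
C:\WINDOWS\system32\hapgnkpg.dat
C:\WINDOWS\system32\mmoblqbc.dat
C:\WINDOWS\system32\nlskxwcw.dat
C:\WINDOWS\system32\lygluksa.dat
C:\WINDOWS\system32\AppCert\wsil32.dll
C:\WINDOWS\system32\vsmidi.dll
C:\VundoFix Backups
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls\\AppSecDll
"""

# Result log lines as posted in the next reply.
RESULT_LOG = r"""
[Custom Input]
< :\WINDOWS\system32\cvgieesi.dat >
File/Folder :\WINDOWS\system32\cvgieesi.dat not found.
< C:\WINDOWS\system32\hapgnkpg.dat >
C:\WINDOWS\system32\hapgnkpg.dat moved successfully.
< C:\WINDOWS\system32\mmoblqbc.dat >
C:\WINDOWS\system32\mmoblqbc.dat moved successfully.
< C:\WINDOWS\system32\nlskxwcw.dat >
C:\WINDOWS\system32\nlskxwcw.dat moved successfully.
< C:\WINDOWS\system32\lygluksa.dat >
C:\WINDOWS\system32\lygluksa.dat moved successfully.
< C:\WINDOWS\system32\AppCert\wsil32.dll >
DllUnregisterServer procedure not found in C:\WINDOWS\system32\AppCert\wsil32.dll
C:\WINDOWS\system32\AppCert\wsil32.dll NOT unregistered.
C:\WINDOWS\system32\AppCert\wsil32.dll moved successfully.
< C:\WINDOWS\system32\vsmidi.dll >
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vsmidi.dll
C:\WINDOWS\system32\vsmidi.dll NOT unregistered.
C:\WINDOWS\system32\vsmidi.dll moved successfully.
< C:\VundoFix Backups >
C:\VundoFix Backups moved successfully.
< HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls\\AppSecDll >
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls\\AppSecDll deleted successfully.

OTMoveIt2 v1.0.20 log created on 02132008_201543
"""
```

Any item that `check_list` reports as not ok should be corrected before the list is pasted, so that every listed file is actually handled in one pass. In the summary, the "NOT unregistered" lines are informational (those DLLs had no DllUnregisterServer export) and the same files still appear under "moved".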

#7
chaztrip

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
OK, the files got moved and here are all the logs... Explorer being pegged makes this slow :)

[Custom Input]
< :\WINDOWS\system32\cvgieesi.dat >
File/Folder :\WINDOWS\system32\cvgieesi.dat not found.
< C:\WINDOWS\system32\hapgnkpg.dat >
C:\WINDOWS\system32\hapgnkpg.dat moved successfully.
< C:\WINDOWS\system32\mmoblqbc.dat >
C:\WINDOWS\system32\mmoblqbc.dat moved successfully.
< C:\WINDOWS\system32\nlskxwcw.dat >
C:\WINDOWS\system32\nlskxwcw.dat moved successfully.
< C:\WINDOWS\system32\lygluksa.dat >
C:\WINDOWS\system32\lygluksa.dat moved successfully.
< C:\WINDOWS\system32\AppCert\wsil32.dll >
DllUnregisterServer procedure not found in C:\WINDOWS\system32\AppCert\wsil32.dll
C:\WINDOWS\system32\AppCert\wsil32.dll NOT unregistered.
C:\WINDOWS\system32\AppCert\wsil32.dll moved successfully.
< C:\WINDOWS\system32\vsmidi.dll >
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vsmidi.dll
C:\WINDOWS\system32\vsmidi.dll NOT unregistered.
C:\WINDOWS\system32\vsmidi.dll moved successfully.
< C:\VundoFix Backups >
C:\VundoFix Backups moved successfully.
< HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls\\AppSecDll >
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls\\AppSecDll deleted successfully.

OTMoveIt2 v1.0.20 log created on 02132008_201543





Deckard's System Scanner v20071014.68
Run by Ner0z on 2008-02-13 20:20:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-02-14 02:24:02 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-02-13 14:30:15 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Ner0z.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:32 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\NoteBurner\VTBurnerGUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CMS Products\BounceBack Professional\BBLauncher.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ner0z\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ner0z.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [DUMPREP ] C:\WINDOWS%\SYSTEM32\DUMPREP 0 -U
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1200413034894
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1200413007816
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/...tall/AxCtp2.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: M-Audio USB Installer (MAudioUSBService) - M-Audio - C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 6656 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ntcdrdrv - c:\windows\system32\drivers\ntcdrdrv.sys <Not Verified; NoteBurn Software; NoteBurn>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 catchme - c:\docume~1\ner0z\locals~1\temp\catchme.sys (file missing)
S3 MAUSB (Service for M-Audio Fast Track Pro Driver (WDM)) - c:\windows\system32\drivers\mausb.sys <Not Verified; Midiman/M-Audio; M-Audio Delta FW WDM Driver>
S3 ossrv (Creative OS Services Driver) - c:\windows\system32\drivers\ctoss2k.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 MAudioUSBService (M-Audio USB Installer) - c:\program files\m-audio\fast track pro\mausbinst.exe <Not Verified; M-Audio; M-Audio USB Installer service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-09 15:29:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-01-13 and 2008-02-13 -----------------------------

2008-02-13 19:46:37 3635 --a------ C:\Start_.cmd
2008-02-13 19:46:34 0 d-------- C:\327882R2FWJFW
2008-02-13 08:13:02 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-13 08:13:02 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-13 08:13:02 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-13 08:13:02 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-12 20:00:20 0 d-------- C:\Program Files\Trend Micro
2008-02-12 11:29:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-11 21:58:51 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-02-11 20:30:01 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-11 20:30:01 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-02-11 20:30:01 85504 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-02-11 20:30:01 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-02-11 20:30:01 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-02-11 20:30:01 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-11 20:30:00 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-02-11 20:00:54 2948 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-11 11:43:04 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-11 11:42:58 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-11 11:42:58 0 d-------- C:\Documents and Settings\Ner0z\Application Data\SUPERAntiSpyware.com
2008-02-09 08:54:22 0 d-------- C:\Program Files\iPod
2008-02-09 08:54:16 0 d-------- C:\Program Files\iTunes
2008-02-09 08:35:58 0 d-------- C:\Program Files\Cloudbrain
2008-02-09 08:29:59 0 d-------- C:\Documents and Settings\Ner0z\Application Data\Reasonable Software House Ltd
2008-02-09 08:29:35 0 d-------- C:\Program Files\Reasonable NoClone 2007 Home
2008-02-06 16:34:41 0 d-------- C:\Bran
2008-01-22 18:19:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-18 15:46:14 246545 --a------ C:\WINDOWS\system32\libssl32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2008-01-18 15:46:14 1188375 --a------ C:\WINDOWS\system32\libeay32.dll <Not Verified; OpenSSL <www.openssl.org>; OpenSSL>
2008-01-18 15:46:14 741632 --a------ C:\WINDOWS\system32\cvgieesi.dat
2008-01-17 22:09:17 0 d-------- C:\Program Files\Lavasoft
2008-01-17 22:09:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-17 22:08:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-17 19:33:17 0 d-------- C:\Program Files\MSXML 6.0
2008-01-17 19:30:15 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-17 15:37:30 0 d-------- C:\WINDOWS\system32\AppCert


-- Find3M Report ---------------------------------------------------------------

2008-02-09 08:49:28 0 d-------- C:\Program Files\QuickTime
2008-01-22 18:20:12 0 d-------- C:\Program Files\Google
2008-01-17 22:08:44 0 d-------- C:\Program Files\Common Files
2008-01-14 11:39:08 0 d-------- C:\Program Files\eMule
2008-01-06 19:10:10 0 d-------- C:\Documents and Settings\Ner0z\Application Data\AceBIT
2008-01-06 19:09:30 0 d-------- C:\Program Files\AceBIT
2008-01-06 19:09:29 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-24 21:16:56 0 dr-h----- C:\Documents and Settings\Ner0z\Application Data\SecuROM
2007-12-24 20:54:01 0 d-------- C:\Program Files\EA SPORTS
2007-11-27 09:36:58 1366528 --a------ C:\WINDOWS\system32\we5.dll <Not Verified; AceBIT GmbH; >


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [09/16/2004 06:39 AM C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [07/20/2005 08:07 PM]
"nwiz"="nwiz.exe" [07/20/2005 08:07 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [07/20/2005 08:07 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [11/09/2006 03:07 PM]
"EEventManager"="C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [03/17/2006 09:30 AM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [04/19/2007 11:33 AM]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [12/13/2005 09:39 AM]
"NoteBurner"="C:\Program Files\NoteBurner\VTBurnerGUI.exe" [10/15/2007 10:41 AM]
"DUMPREP "="C:\WINDOWS%\SYSTEM32\DUMPREP 0 -U" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/31/2008 11:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/04/2008 02:18 PM]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [12/21/2007 08:21 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/10/2007 08:57 PM]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [02/25/2007 09:00 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{792dffd6-b2cf-11db-ba82-00142ae01fa0}]
AutoRun\command- H:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-02-13 20:48:50 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ Processor 3000+
Percentage of Memory in Use: 34%
Physical Memory (total/avail): 1023.48 MiB / 672.7 MiB
Pagefile Memory (total/avail): 2364.59 MiB / 2105.21 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1946.4 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 22 GiB free.
D: is CDROM (CDFS)
E: is Fixed (NTFS) - 37.27 GiB total, 17.66 GiB free.
F: is Fixed (FAT32) - 149.01 GiB total, 30.89 GiB free.
G: is Fixed (NTFS) - 37.27 GiB total, 4.96 GiB free.
H: is Fixed (NTFS) - 279.46 GiB total, 191.13 GiB free.
I: is CDROM (Unformatted)
X: is Network (NTFS)

\\.\PHYSICALDRIVE1 - MAXTOR 6L040J2 - 37.28 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.27 GiB - E:

\\.\PHYSICALDRIVE0 - WDC WD800BB-00JHC0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:

\\.\PHYSICALDRIVE2 - ST330062 0A USB Device - 279.46 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 279.46 GiB - H:

\\.\PHYSICALDRIVE3 - WD 1600BB External USB Device - 149.05 GiB - 1 partition
\PARTITION0 - Unknown - 149.05 GiB - F:

\\.\PHYSICALDRIVE4 - WDC WD400EB-00CPF0 USB Device - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.27 GiB - G:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: ESET NOD32 Antivirus 3.0 v3.0 (ESET, spol. s r. o.) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ner0z\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ICHTHUS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ner0z
LOGONSERVER=\\ICHTHUS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 44 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2c02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Ner0z\LOCALS~1\Temp
TMP=C:\DOCUME~1\Ner0z\LOCALS~1\Temp
USERDOMAIN=ICHTHUS
USERNAME=Ner0z
USERPROFILE=C:\Documents and Settings\Ner0z
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Ner0z (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 6.0 Sprint --> MsiExec.exe /I{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Able2Extract Professional v4.0 --> C:\Program Files\Investintech.com Inc\Able2Extract Professional 4.0\Uninstal.exe
Able2Extract v4.0 --> C:\Program Files\Investintech.com Inc\Able2Extract 4.0\Uninstal.exe
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
AI RoboForm (All Users) --> "C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
AP Tuner 3.08 --> "C:\Program Files\AP Tuner\AP Tuner 3.08\uninstall.exe"
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ArcSoft PhotoImpression 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}\SETUP.EXE" -l0x9
ASIO4ALL --> C:\Program Files\ASIO4ALL v2\uninstall.exe
BounceBack Professional --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Documents and Settings\Ner0z\Application Data\InstallShield Installation Information\{95632566-071E-4A02-92C1-4BD907065736}\Setup.exe" -l0x9
CLSetup for Tiger Woods PGA Tour 07 --> "C:\Program Files\CLSetup07\uninstall.exe"
CodeCoopEncrypt --> MsiExec.exe /I{AB6AC54F-E2AA-49C2-B414-6DAD0C7C0ABF}
Collab --> C:\Program Files\Image-Line\Collab\uninstall.exe
CuteFTP 8 Home --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{949DBB22-2FB7-4DE1-804C-23D495A988D8}\Setup.exe" -l0x9
Devine Machine Standalone 1.0 & VSTi 1.1 --> "c:\VSTi\uninstall.exe"
Duplicate Email Remover --> MsiExec.exe /I{7AA36634-4324-4EF4-8C0C-D8EF1FC2BEA4}
EA SPORTS online 2008 --> C:\Program Files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe
eMule --> "C:\Program Files\eMule\Uninstall.exe"
EPSON Attach To Email --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Copy Utility 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\SETUP.EXE" -l0x9 -UnInstall
EPSON Event Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48F22622-1CC2-4A83-9C1E-644DD96F832D}\Setup.exe" -l0x9 -u
EPSON Perfection V100 Photo Scanner Driver Update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1C278B97-9D25-48B0-9A4E-F4F2BB992043}\Setup.exe"
EPSON Perfection V100P User's Guide --> C:\Program Files\epson\guide\pv100p_e\uninstall.exe
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Scan Assistant --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x9 -u
ESET NOD32 Antivirus --> MsiExec.exe /I{57ECFB4D-FE11-491A-9AA0-0AF7C3ABC51D}
EZdrummer --> MsiExec.exe /I{43E8D9E7-AFC9-4BA3-8106-B95E02B87AB7}
EZplayer --> MsiExec.exe /I{D93399F6-C902-47E8-B2A4-9C38ACAC03B5}
EZXDfh --> MsiExec.exe /I{DB1299AF-9EE0-422B-959E-F4171B2AE0F7}
Fast Track Pro --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3E67F68D-3797-4B6A-B02C-27BC98DFEBDA}\setup.exe" -l0x9 -removeonly
FixTunes (remove only) --> "C:\Program Files\Cloudbrain\FixTunes\uninstall.exe"
FL Studio 7 --> C:\Program Files\Image-Line\FL Studio 7.3 Beta\uninstall.exe
Good Sync version 4.6.10 --> "C:\Program Files\Siber Systems\Good Sync\unins000.exe"
Google Earth --> MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
IL Download Manager --> C:\Program Files\Image-Line\Downloader\uninstall.exe
iTunes --> MsiExec.exe /I{02DFB3FD-CF52-4183-8BCA-2A127D4888F4}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Johnson Amplification J-Edit --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Johnson Amplification\Uninst.isu"
Live 5.0.4 --> C:\PROGRA~1\Ableton\LIVE50~1.4\Install\UNWISE.EXE C:\PROGRA~1\Ableton\LIVE50~1.4\Install\INSTALL.LOG
LUXONIX Purity --> C:\Program Files\LUXONIX\Purity\uninst Purity.exe
Mastering Effects Bundle for Sound Forge --> "C:\Program Files\iZotope\SoundForgeMasteringBundle\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MOTU USB MIDI Installer --> MsiExec.exe /I{3CA12A20-67E8-43F4-B692-ED04E92E42EC}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Ner0z\Application Data\Move Networks\ie_bin\Uninst.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MusicLab Fill-in Drummer --> "C:\Program Files\MusicLab\FillinDrummer\Uninstall.exe" "C:\Program Files\MusicLab\FillinDrummer\install.log"
MusicLab SlicyDrummer --> "C:\Program Files\MusicLab\SlicyDrummer\Uninstall.exe" "C:\Program Files\MusicLab\SlicyDrummer\install.log"
Native Instruments Battery 3 --> C:\PROGRA~1\NATIVE~1\BATTER~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\BATTER~1\INSTALL.LOG
Native Instruments Guitar Rig 3 --> C:\PROGRA~1\NATIVE~1\GUITAR~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\GUITAR~1\INSTALL.LOG
Native Instruments Service Center --> C:\PROGRA~1\NATIVE~1\SERVIC~1\UNWISE.EXE C:\PROGRA~1\NATIVE~1\SERVIC~1\INSTALL.LOG
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NoteBurner 1.40 --> "C:\Program Files\NoteBurner\unins000.exe"
Nuton Tuner EX 2.0 --> "C:\Program Files\VstPlugins\TunerExUninst.exe"
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Paint Shop Pro 7 ESD --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
PC Study Bible (remove only) --> C:\Program Files\Common Files\pcsbclean.exe /uninstall
Power Tab Editor 1.7 --> C:\PROGRA~1\PTSOFT~1\PTEDIT~1\UNWISE.EXE C:\PROGRA~1\PTSOFT~1\PTEDIT~1\INSTALL.LOG
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
REAPER --> "C:\Program Files\REAPER\Uninstall.exe"
Reasonable NoClone 2007 Home --> MsiExec.exe /I{3AC91151-98F3-4723-8E22-E9BEA94556C1}
ReValver Mk II --> "C:\Program Files\Alien Connections\ReValver Mk II\unins000.exe"
rgc:audio z3ta+ 1.5 --> "C:\Program Files\Cakewalk\z3ta+\unins000.exe"
rgc:audio z3ta+ VSTi v1.4 DEMO --> "C:\Program Files\VstPlugins\unins001.exe"
ScanSoft OmniPage Pro 14.0 --> MsiExec.exe /I{7ED00F05-2109-4F42-B3DC-370EE3E2C1FE}
ScanSoft PDF Converter --> MsiExec.exe /I{87001C85-FF5F-42F9-B78A-114A7ED373BE}
ScanSoft PDF Printer --> MsiExec.exe /I{9E1BC481-AE76-49D3-913C-D901D8CFDFCA}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Sony Noise Reduction Plug-In 2.0h --> MsiExec.exe /X{06A1BE8A-4CA4-4A39-B9E4-E815AA8FE05C}
Sony Sound Forge 9.0 --> MsiExec.exe /X{CCA51496-49D4-4FBF-9866-A2E2F40FAC7A}
Speedsoft VSampler 3 --> C:\Program Files\Speedsoft\VSampler3\bin\UnInstall.exe "C:\Program Files\Speedsoft\VSampler3\bin\uninstall.dat"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Tiger Woods PGA TOUR 06 --> C:\Program Files\EA SPORTS\Tiger Woods PGA TOUR 06\EAUninstall.exe
Tiger Woods PGA TOUR 07 --> C:\Program Files\EA SPORTS\Tiger Woods PGA TOUR 07\EAUninstall.exe
Tiger Woods PGA TOUR 08 --> C:\Program Files\EA Sports\Tiger Woods PGA TOUR 08\EAUninstall.exe
Vanguard 1.03 --> "C:\Program Files\VstPlugins\unins000.exe"
VeryPDF PDF2Word v3.0 --> "C:\Program Files\VeryPDF PDF2Word v3.0\unins000.exe"
VIA Platform Device Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
Virtools 3D Life Player --> C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB898549 --> "C:\WINDOWS\$NtUninstallKB898549$\spuninst\spuninst.exe"
WinPatrol 2007 --> C:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WISE-FTP 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D21C9D95-DDBA-4962-899D-D1D350186555}\setup.exe" -l0x9 -removeonly


-- Application Event Log -------------------------------------------------------

Event Record #/Type1136 / Error
Event Submitted/Written: 02/13/2008 08:47:28 AM
Event ID/Source: 455 / ESENT
Event Description:
wuaueng.dll (1224) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Event Record #/Type1135 / Error
Event Submitted/Written: 02/13/2008 08:47:28 AM
Event ID/Source: 489 / ESENT
Event Description:
wuauclt (1224) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Event Record #/Type1134 / Error
Event Submitted/Written: 02/13/2008 08:47:13 AM
Event ID/Source: 455 / ESENT
Event Description:
wuaueng.dll (1224) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Event Record #/Type1133 / Error
Event Submitted/Written: 02/13/2008 08:47:13 AM
Event ID/Source: 489 / ESENT
Event Description:
wuauclt (1224) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Event Record #/Type1087 / Warning
Event Submitted/Written: 02/11/2008 05:25:11 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5416 / Error
Event Submitted/Written: 02/13/2008 08:28:55 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {97D90E0F-6AF7-46F9-A8A3-9047200D5A0A} did not register with DCOM within the required timeout.

Event Record #/Type5361 / Error
Event Submitted/Written: 02/13/2008 09:45:42 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type5360 / Error
Event Submitted/Written: 02/13/2008 09:45:32 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
easdrv
epfwtdir
Fips
IPSec
MRxSmb
NetBIOS
NetBT
Processor
RasAcd
Rdbss
SASDIFSV
SASKUTIL
Tcpip

Event Record #/Type5359 / Error
Event Submitted/Written: 02/13/2008 09:45:32 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type5358 / Error
Event Submitted/Written: 02/13/2008 09:45:32 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-02-13 20:48:50 ------------
  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Let's do this.

Go ahead and uninstall SUPERAntiSpyware Free Edition

After that please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below: (All are optional; only doing this to pinpoint the erroneous software and to help with lag)

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe



Now click on Fix Checked and then close Hijackthis.
==================================
After that go Here and download CCleaner.
Double click on it to install it.
Click on your language then Next then I agree then next again.
When you come to the Installation options window (the next window after clicking next)
Uncheck all but Create a Desktop Shortcut.
Then Click on Install.

After it is installed double click on the icon on your desktop to run it.
Choose Run Cleaner then yes at the prompt to permanently delete files.
It may take a while so let it finish.

After that Click on the icon to the left called Registry
Then click on scan for issues.
Then click on Fix selected issues.
And then yes to making a backup.
It will save it in your MY Documents Folder.
Then Click on Fix all selected issues and yes that you really want to do it.
After that is done then exit out of CCleaner.
================================
Then download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post that log in your next reply along with a new Hijackthis log.

(Note if you cannot open the log it produces then right click on it and choose rename.
Rename it to .txt and you will be able to open it)

=======================================
Also let me know how things are running after doing the above?
  • 0

#9
chaztrip

chaztrip

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
This is going to take a while so I will post tomorrow the results.

Thanks
  • 0

#10
chaztrip

chaztrip

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
here are the results. I had to run it twice because it looked like the first time it died.... explorer.exe is now not pegging and seems to be running normal...


C.bat;C:\327882R2FWJFW;Probably BATCH.Virus;Incurable.Deleted.;
psexec.cfexe;C:\327882R2FWJFW;Program.PsExec.171;Incurable.Deleted.;
Process.exe;C:\Documents and Settings\Ner0z\Desktop\Mark\SmitfraudFix;Tool.Prockill;Incurable.Deleted.;
restart.exe;C:\Documents and Settings\Ner0z\Desktop\Mark\SmitfraudFix;Tool.ShutDown.11;Incurable.Deleted.;
C.bat;C:\327882R2FWJFW;Probably BATCH.Virus;Invalid path to file ;
psexec.cfexe;C:\327882R2FWJFW;Program.PsExec.171;Invalid path to file ;
Process.exe;C:\Documents and Settings\Ner0z\Desktop\Mark\SmitfraudFix;Tool.Prockill;Invalid path to file ;
restart.exe;C:\Documents and Settings\Ner0z\Desktop\Mark\SmitfraudFix;Tool.ShutDown.11;Invalid path to file ;
A0000138.bat;C:\System Volume Information\_restore{6A38E2D4-CB53-415E-8633-A0563D44115F}\RP1;Probably BATCH.Virus;Incurable.Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Deleted.;
ASetup.exe;F:\OlderMicron\devine\Win2KXP5216;Trojan.DownLoader.origin;Incurable.Moved.;
ASetup.exe;F:\OlderMicron\OldMicronDrive\devine\Win2KXP5216;Trojan.DownLoader.origin;Incurable.Moved.;
A0000456.exe;F:\System Volume Information\_restore{6A38E2D4-CB53-415E-8633-A0563D44115F}\RP3;Trojan.DownLoader.origin;Incurable.Moved.;
A0000457.exe;F:\System Volume Information\_restore{6A38E2D4-CB53-415E-8633-A0563D44115F}\RP3;Trojan.DownLoader.origin;Incurable.Moved.;
A0000460.bat;C:\System Volume Information\_restore{6A38E2D4-CB53-415E-8633-A0563D44115F}\RP3;Probably BATCH.Virus;Incurable.Deleted.;
A0000461.exe;C:\System Volume Information\_restore{6A38E2D4-CB53-415E-8633-A0563D44115F}\RP3;Tool.Prockill;Incurable.Deleted.;
A0000462.exe;C:\System Volume Information\_restore{6A38E2D4-CB53-415E-8633-A0563D44115F}\RP3;Tool.ShutDown.11;Incurable.Deleted.;
A0000463.exe;C:\System Volume Information\_restore{6A38E2D4-CB53-415E-8633-A0563D44115F}\RP3;Tool.Prockill;Incurable.Deleted.;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:04 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\NoteBurner\VTBurnerGUI.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CMS Products\BounceBack Professional\BBLauncher.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [DUMPREP ] C:\WINDOWS%\SYSTEM32\DUMPREP 0 -U
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1200413034894
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1200413007816
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/...tall/AxCtp2.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: M-Audio USB Installer (MAudioUSBService) - M-Audio - C:\Program Files\M-Audio\Fast Track Pro\MAUSBInst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 5890 bytes
  • 0

#11
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Great :)

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#12
chaztrip

chaztrip

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here are the results of that scan.... I did not do anything with them...


KASPERSKY ONLINE SCANNER REPORT
Friday, February 15, 2008 7:11:48 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/02/2008
Kaspersky Anti-Virus database records: 567256


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
X:\

Scan Statistics
Total number of scanned objects 318474
Number of viruses found 6
Number of infected objects 16
Number of suspicious objects 22
Duration of the scan process 03:14:51

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB Object is locked skipped

C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Ner0z\Application Data\Microsoft\Outlook\Outlook.NK2 Object is locked skipped

C:\Documents and Settings\Ner0z\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped

C:\Documents and Settings\Ner0z\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped

C:\Documents and Settings\Ner0z\Application Data\Microsoft\Word\AutoRecovery save of Normal.as$ Object is locked skipped

C:\Documents and Settings\Ner0z\Application Data\Microsoft\Word\STARTUP\Finereader6.sprint.dot Object is locked skipped

C:\Documents and Settings\Ner0z\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Ner0z\Desktop\Mark\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Ner0z\Desktop\Mark\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Ner0z\Desktop\Mark\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Ner0z\Desktop\Mark\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\Ner0z\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Ner0z\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Ner0z\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\Ner0z\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped

C:\Documents and Settings\Ner0z\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Ner0z\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Ner0z\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ner0z\Local Settings\Temp\~DF4F9D.tmp Object is locked skipped

C:\Documents and Settings\Ner0z\Local Settings\Temp\~DF7339.tmp Object is locked skipped

C:\Documents and Settings\Ner0z\Local Settings\Temp\~DF780A.tmp Object is locked skipped

C:\Documents and Settings\Ner0z\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Ner0z\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ner0z\Local Settings\Temporary Internet Files\Content.Word\~WRF0001.tmp Object is locked skipped

C:\Documents and Settings\Ner0z\Local Settings\Temporary Internet Files\Content.Word\~WRS0000.tmp Object is locked skipped

C:\Documents and Settings\Ner0z\My Documents\NoteBurner\vtb.log Object is locked skipped

C:\Documents and Settings\Ner0z\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Ner0z\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\catchme2008-02-13_ 90503.76.zip/hcykbgvk.dat Infected: Rootkit.Win32.Agent.zx skipped

C:\QooBox\Quarantine\catchme2008-02-13_ 90503.76.zip/ciodmn.dll Infected: Trojan.Win32.BHO.ati skipped

C:\QooBox\Quarantine\catchme2008-02-13_ 90503.76.zip ZIP: infected - 2 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{6A38E2D4-CB53-415E-8633-A0563D44115F}\RP3\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\_OTMoveIt\MovedFiles\02132008_201543\WINDOWS\system32\AppCert\wsil32.dll Infected: Trojan-Downloader.Win32.Agent.hkb skipped

D:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

D:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

D:\SmitfraudFix.exe RarSFX: infected - 2 skipped

E:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\browser.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped

E:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped

F:\OlderMicron\images\backup.pst/Personal Folders/Inbox/16 Jul 2002 05:14 from zallison:Letter of City.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

F:\OlderMicron\images\backup.pst/Personal Folders/Inbox/24 Oct 2002 23:19 from Pjhodak:HTML 4.0 Transitional.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

F:\OlderMicron\images\backup.pst/Personal Folders/Inbox/16 Jul 2002 05:14 from zallison:Letter of City.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

F:\OlderMicron\images\backup.pst Mail MS Mail: suspicious - 3 skipped

F:\OlderMicron\images\backup12_2003.pst/Personal Folders/Inbox/16 Jul 2002 05:14 from zallison:Letter of City.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

F:\OlderMicron\images\backup12_2003.pst Mail MS Mail: suspicious - 1 skipped

F:\OlderMicron\images\scontact.pst/Personal Folders/Deleted Items/10 Nov 2004 01:44 from eBay Suspension:eBay Possible unauthorize.html Infected: Trojan-Spy.HTML.Bayfraud.aq skipped

F:\OlderMicron\images\scontact.pst/Personal Folders/Inbox/24 Oct 2002 23:19 from Pjhodak:HTML 4.0 Transitional.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

F:\OlderMicron\images\scontact.pst/Personal Folders/Sent Items/27 Apr 2002 04:17 to jmctemp:RE: Cellpadding.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

F:\OlderMicron\images\scontact.pst/Personal Folders/Sent Items/27 Apr 2002 04:31 to [email protected]:FW: Cellpadding.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

F:\OlderMicron\images\scontact.pst/Personal Folders/Sent Items/01 May 2002 18:31 to jmctemp:RE: Cellpadding.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

F:\OlderMicron\images\scontact.pst/Personal Folders/Sent Items/02 May 2002 20:34 to [email protected]:RE: Cellpadding.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

F:\OlderMicron\images\scontact.pst Mail MS Mail: infected - 1, suspicious - 5 skipped

G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

H:\PST\backup.pst/Personal Folders/Inbox/16 Jul 2002 05:14 from zallison:Letter of City.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

H:\PST\backup.pst/Personal Folders/Inbox/24 Oct 2002 23:19 from Pjhodak:HTML 4.0 Transitional.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

H:\PST\backup.pst/Personal Folders/Inbox/16 Jul 2002 05:14 from zallison:Letter of City.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

H:\PST\backup.pst Mail MS Mail: suspicious - 3 skipped

H:\PST\backup092007.pst Object is locked skipped

H:\PST\backup12_2003.pst/Personal Folders/Inbox/16 Jul 2002 05:14 from zallison:Letter of City.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

H:\PST\backup12_2003.pst Mail MS Mail: suspicious - 1 skipped

H:\PST\scontact.pst/Personal Folders1/Sent Items/27 Apr 2002 04:17 to jmctemp:RE: Cellpadding.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

H:\PST\scontact.pst/Personal Folders1/Sent Items/27 Apr 2002 04:31 to [email protected]:FW: Cellpadding.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

H:\PST\scontact.pst/Personal Folders1/Sent Items/01 May 2002 18:31 to jmctemp:RE: Cellpadding.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

H:\PST\scontact.pst/Personal Folders1/Sent Items/02 May 2002 20:34 to [email protected]:RE: Cellpadding.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

H:\PST\scontact.pst Mail MS Mail: suspicious - 4 skipped

H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
  • 0

#13
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please delete all instances of Smitfraudfix.
Here:
C:\Documents and Settings\Ner0z\Desktop\Mark\SmitfraudFix
D:\SmitfraudFix.exe


After that
It appears that you have some suspicious e-mails on your backup drives, but they are not a threat; maybe just something that stood out to Kaspersky.
You can delete them if you wish or leave them; they are not active.
But they are in this location if you want to delete them:
F:\OlderMicron\images\backup.pst/Personal Folders/Inbox/16 Jul 2002 05:14 from zallison:Letter of City.html
F:\OlderMicron\images\backup.pst/Personal Folders/Inbox/24 Oct 2002 23:19 from Pjhodak:HTML
F:\OlderMicron\images\backup12_2003.pst/Personal Folders/Inbox/16 Jul 2002 05:14 from zallison:Letter of City.html
F:\OlderMicron\images\scontact.pst/Personal Folders/Deleted Items/10 Nov 2004 01:44 from eBay Suspension < this one needs to go
F:\OlderMicron\images\scontact.pst/Personal Folders/Inbox/24 Oct 2002 23:19 from Pjhodak:HTML
F:\OlderMicron\images\scontact.pst/Personal Folders/Sent Items/27 Apr 2002 04:17 to jmctemp:RE: Cellpadding.html
F:\OlderMicron\images\scontact.pst/Personal Folders/Sent Items/27 Apr 2002 04:31 to [email protected]:FW: Cellpadding.html
F:\OlderMicron\images\scontact.pst/Personal Folders/Sent Items/02 May 2002 20:34 to [email protected]:RE: Cellpadding.html
H:\PST\backup.pst/Personal Folders/Inbox/16 Jul 2002 05:14 from zallison:Letter of City.html
H:\PST\backup.pst/Personal Folders/Inbox/24 Oct 2002 23:19 from Pjhodak:HTML 4.0 Transitional.html
H:\PST\backup.pst/Personal Folders/Inbox/16 Jul 2002 05:14 from zallison:Letter of City.html
H:\PST\backup12_2003.pst/Personal Folders/Inbox/16 Jul 2002 05:14 from zallison:Letter of City.html
H:\PST\scontact.pst/Personal Folders1/Sent Items/27 Apr 2002 04:17 to jmctemp:RE: Cellpadding.html
H:\PST\scontact.pst/Personal Folders1/Sent Items/01 May 2002 18:31 to jmctemp:RE: Cellpadding.htm
H:\PST\scontact.pst/Personal Folders1/Sent Items/02 May 2002 20:34 to [email protected]:RE: Cellpadding.html

===============================================================================
After that please empty your recycle bin then :
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

    The above procedure will delete the following:

    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete anything that we used that is left over.
=====================================
After that, your log is clean. :)

To find out more information about how you got infected in the first place, and for some great guidelines to follow to prevent future infections, you can read this article by Tony Klein -> Here
  • 0
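As an added example (not code from this thread or from Kaspersky), here is a small Python triager for result lines in the format of the scan log quoted above. It buckets findings the way the reply does: infected items to remove, suspicious items that live inside a .pst mail archive as inert, and locked objects as never scanned. The sample lines are copied from the log in this thread; the bucket names and helper names are my own.

```python
import re

# Sample input: result lines copied from the Kaspersky scan log quoted in this thread.
SAMPLE_LOG = r"""
F:\OlderMicron\images\scontact.pst/Personal Folders/Deleted Items/10 Nov 2004 01:44 from eBay Suspension:eBay Possible unauthorize.html Infected: Trojan-Spy.HTML.Bayfraud.aq skipped
F:\OlderMicron\images\scontact.pst/Personal Folders/Inbox/24 Oct 2002 23:19 from Pjhodak:HTML 4.0 Transitional.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\OlderMicron\images\scontact.pst Mail MS Mail: infected - 1, suspicious - 5 skipped
H:\PST\backup092007.pst Object is locked skipped
Scan process completed.
"""

# Three result-line shapes appear in the log; paths contain spaces, so match them non-greedily.
DETECTION = re.compile(r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+) skipped$")
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
MAIL_SUMMARY = re.compile(r"^(?P<path>.+?) Mail MS Mail: (?P<summary>.+?) skipped$")


def parse_line(line):
    """Classify one log line; returns a dict, or None for lines that are not results."""
    line = line.rstrip()
    if m := DETECTION.match(line):
        path = m["path"]
        # Items inside an Outlook archive appear as "X:\dir\file.pst/Folder/...".
        container = path.split(".pst/")[0] + ".pst" if ".pst/" in path else None
        return {"kind": "detection", "path": path, "verdict": m["verdict"],
                "name": m["name"], "container": container}
    if m := LOCKED.match(line):
        return {"kind": "locked", "path": m["path"]}
    if m := MAIL_SUMMARY.match(line):
        return {"kind": "mail_summary", "path": m["path"], "summary": m["summary"]}
    return None


def triage(log_text):
    """Bucket results: remove infected items, treat suspicious archived mail as inert, flag unscanned."""
    report = {"remove": [], "archived_suspicious": [], "review": [], "unscanned": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["kind"] == "mail_summary":
            continue  # per-archive summaries only repeat counts already seen item by item
        if rec["kind"] == "locked":
            report["unscanned"].append(rec["path"])  # locked objects were never scanned
        elif rec["verdict"] == "Infected":
            report["remove"].append((rec["path"], rec["name"]))
        elif rec["container"]:
            report["archived_suspicious"].append((rec["container"], rec["name"]))
        else:
            report["review"].append((rec["path"], rec["name"]))  # suspicious loose file
    return report
```

Note that a locked .pst (the backup092007.pst line) is not a clean result: the scanner never looked inside it, so it belongs in a re-scan, not in the "nothing found" column.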

#14
chaztrip

chaztrip

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I have done all that.... Is this case closed then? I want to ask you some personal opinion questions; can I PM you?

Also, if I donate to you via PayPal, does that go right to you???

Thanks
  • 0

#15
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yes, you can PM me, and yes, it does go directly to me.
  • 0
