Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Please help - programs and Internet won't load! [RESOLVED]

Started by Kirsty S , Mar 19 2008 02:34 PM

  • This topic is locked This topic is locked

#1
Kirsty S
Posted 19 March 2008 - 02:34 PM

Kirsty S

    Member

  • Member
  • PipPip
  • 11 posts
Hi.

I am new here so I hope someone can help.

When I switch on my computer and go into my user, I can't access any programs at all. They are all there where they are normally but when I click on them, I get the egg timer come up and then the cursor again but no programs start. When I try to load the Internet, it continues to say connecting and then freezes. I wonder, is this a virus?

I am using admin mode at the moment as I can access the Internet fine through there and all the programs work in admin mode.

Could someone please help me to fix my user account as I have a lot of files on there which I need to access.

Many thanks,

Kirsty. S.
  • 0

Advertisements

#2
Kirsty S
Posted 21 March 2008 - 03:54 AM

Kirsty S

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Please note that I can no longer use admin mode to access programs and the internet now. I can only access programs and the internet through safe mode.

Thanks.
  • 0

#3
kahdah
Posted 21 March 2008 - 08:05 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello Kirsty S

Welcome to G2Go. :)
=====================
* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click on I agree
  • Then Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

  • 0

#4
Kirsty S
Posted 21 March 2008 - 09:36 AM

Kirsty S

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Here's the HiJack This log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:37:05, on 21/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: Gamburg provider - {FFFFFFFF-8F0D-4322-B01F-B42439E0B71C} - tkcom32.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Profiler] "C:\Program Files\Saitek\Software\ProfilerU.exe"
O4 - HKLM\..\Run: [SaiMfd] "C:\Program Files\Saitek\Software\SaiMfd.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Telltale Games\CSI-Hard Evidence\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epso...rg/ESTPTest.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: mljihhh - mljihhh.dll (file missing)
O20 - Winlogon Notify: webhits32 - C:\WINDOWS\SYSTEM32\webhits32.dll
O21 - SSODL: zip - {6eb8030a-e597-417f-acba-ae8c60742be9} - C:\WINDOWS\Installer\{6eb8030a-e597-417f-acba-ae8c60742be9}\zip.dll
O21 - SSODL: zi? - {6eb8030a-e597-417f-acba-ae8c60742be9} - C:\WINDOWS\Installer\{6eb8030a-e597-417f-acba-ae8c60742be9}\zip.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx1\PXAgent.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 8454 bytes
  • 0

#5
kahdah
Posted 21 March 2008 - 09:43 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Note after your computer reboots let it go into normal mode to finish and to get the log.
Or it will not work correctly.
=============================

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

  • 0

#6
Kirsty S
Posted 21 March 2008 - 03:01 PM

Kirsty S

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Thanks so much for the help so far, I am using normal mode at the moment. Here are the SDfix and HiJack This logs:

SDfix log:


SDFix: Version 1.159

Run by Kirsty on 21/03/2008 at 20:32

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Kirsty\Desktop\SDFix

Checking Services :

Name:
guntest

Path:

guntest - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Installer\{6eb8030a-e597-417f-acba-ae8c60742be9}\zip.dll - Deleted
C:\WINDOWS\Installer\{6eb8030a-e597-417f-acba-ae8c60742be9}\zip.dll - Deleted
C:\WINDOWS\Installer\{6eb8030a-e597-417f-acba-ae8c60742be9}\zip.dll - Deleted
C:\WINDOWS\Installer\{6eb8030a-e597-417f-acba-ae8c60742be9}\zip.dll - Deleted
C:\WINDOWS\SYSTEM32\SFSYNC02.DLL - Deleted
C:\748978~1 - Deleted
C:\Program Files\IE Extensions\cj.v2.dll - Deleted
C:\WINDOWS\system32\sex1.ico - Deleted
C:\WINDOWS\system32\sex2.ico - Deleted
C:\WINDOWS\offlog.txt - Deleted
C:\WINDOWS\system\smvss.exe - Deleted
C:\WINDOWS\system32\cmds.txt - Deleted
C:\WINDOWS\system32\hi.sfc - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\rc.dat - Deleted
C:\WINDOWS\system32\tkcom32.dll - Deleted
C:\WINDOWS\help\guntest.chm - Deleted
C:\WINDOWS\system32\wowfx.dll - Deleted
C:\WINDOWS\system32\wowfx.dll - Deleted
C:\WINDOWS\system32\wowfx.dll - Deleted



Folder C:\WINDOWS\Installer\{6eb8030a-e597-417f-acba-ae8c60742be9} - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 20:43:03
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\DOCUME~1\Kirsty\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 18 Apr 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 12 Mar 2008 22,786 ..SHR --- "C:\WINDOWS\Installer\{001dd947-9c05-4f27-a346-462143dd374d}\zip.dll"
Wed 12 Mar 2008 22,734 ..SHR --- "C:\WINDOWS\Installer\{390a0fd0-f24f-4780-a78f-bf32413adeb6}\zip.dll"
Wed 12 Mar 2008 22,734 ..SHR --- "C:\WINDOWS\Installer\{6398a7a2-26f0-43f9-9d48-ccd015f75c1c}\zip.dll"
Wed 12 Mar 2008 22,734 ..SHR --- "C:\WINDOWS\Installer\{b964291b-5821-4cbe-bd99-9e76b6bec13c}\zip.dll"
Wed 12 Mar 2008 22,722 ..SHR --- "C:\WINDOWS\Installer\{cd46d462-482a-4073-af04-2a285e7c0cb9}\zip.dll"
Wed 12 Mar 2008 22,786 ..SHR --- "C:\WINDOWS\Installer\{e00899dc-8fdf-4873-9066-b544dba8c3f4}\zip.dll"
Wed 12 Mar 2008 22,786 ..SHR --- "C:\WINDOWS\Installer\{e3013624-1543-47fe-b2bf-2eb630cf3256}\zip.dll"
Wed 12 Mar 2008 22,694 ..SHR --- "C:\WINDOWS\Installer\{e626e74b-e1bb-449b-afbf-c8dfada4b8ea}\zip.dll"
Wed 12 Mar 2008 22,630 ..SHR --- "C:\WINDOWS\Installer\{f0b397f9-42b4-4996-8953-5b01b1f8575e}\zip.dll"
Thu 27 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Tue 22 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BITB.tmp"

Finished!



HiJack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:03:05, on 21/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\AdwareAlert\AdwareAlert.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Profiler] "C:\Program Files\Saitek\Software\ProfilerU.exe"
O4 - HKLM\..\Run: [SaiMfd] "C:\Program Files\Saitek\Software\SaiMfd.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Telltale Games\CSI-Hard Evidence\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epso...rg/ESTPTest.cab
O20 - Winlogon Notify: mljihhh - mljihhh.dll (file missing)
O20 - Winlogon Notify: webhits32 - C:\WINDOWS\SYSTEM32\webhits32.dll
O21 - SSODL: zi? - {6eb8030a-e597-417f-acba-ae8c60742be9} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx1\PXAgent.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 9584 bytes
  • 0

#7
kahdah
Posted 21 March 2008 - 07:07 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome :)
=================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\Installer\{001dd947-9c05-4f27-a346-462143dd374d}
C:\WINDOWS\Installer\{390a0fd0-f24f-4780-a78f-bf32413adeb6}
C:\WINDOWS\Installer\{6398a7a2-26f0-43f9-9d48-ccd015f75c1c}
C:\WINDOWS\Installer\{b964291b-5821-4cbe-bd99-9e76b6bec13c}
C:\WINDOWS\Installer\{cd46d462-482a-4073-af04-2a285e7c0cb9}
C:\WINDOWS\Installer\{e00899dc-8fdf-4873-9066-b544dba8c3f4}
C:\WINDOWS\Installer\{e3013624-1543-47fe-b2bf-2eb630cf3256}
C:\WINDOWS\Installer\{e626e74b-e1bb-449b-afbf-c8dfada4b8ea}
C:\WINDOWS\Installer\{f0b397f9-42b4-4996-8953-5b01b1f8575e}
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
  • 0

#8
Kirsty S
Posted 22 March 2008 - 06:23 PM

Kirsty S

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi. Here are the 2 requested log files:

OTMoveIt2 log file:

C:\WINDOWS\Installer\{001dd947-9c05-4f27-a346-462143dd374d} moved successfully.
C:\WINDOWS\Installer\{390a0fd0-f24f-4780-a78f-bf32413adeb6} moved successfully.
C:\WINDOWS\Installer\{6398a7a2-26f0-43f9-9d48-ccd015f75c1c} moved successfully.
C:\WINDOWS\Installer\{b964291b-5821-4cbe-bd99-9e76b6bec13c} moved successfully.
C:\WINDOWS\Installer\{cd46d462-482a-4073-af04-2a285e7c0cb9} moved successfully.
C:\WINDOWS\Installer\{e00899dc-8fdf-4873-9066-b544dba8c3f4} moved successfully.
C:\WINDOWS\Installer\{e3013624-1543-47fe-b2bf-2eb630cf3256} moved successfully.
C:\WINDOWS\Installer\{e626e74b-e1bb-449b-afbf-c8dfada4b8ea} moved successfully.
C:\WINDOWS\Installer\{f0b397f9-42b4-4996-8953-5b01b1f8575e} moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03222008_220331




MBAM log file:

Malwarebytes' Anti-Malware 1.09
Database version: 521

Scan type: Full Scan (C:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 142142
Time elapsed: 1 hour(s), 7 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\AdwareAlert\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\AdwareAlert\FilterDrv\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Documents and Settings\All Users\Start Menu\Programs\AdwareAlert\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Installer\{A6B741C4-6CE7-42D7-87CB-3FF734045E7B}\Icon.exe (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Difxapi.dll (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\Launcher.exe (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv\AdwareAlert.amd64.sys (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\AdwareAlert\FilterDrv\AdwareAlert.x86.sys (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winrzf32.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnmllm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
  • 0

#9
kahdah
Posted 22 March 2008 - 06:27 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
===============================================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#10
Kirsty S
Posted 26 March 2008 - 02:02 AM

Kirsty S

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi.

I am having to use safe mode again to access the Internet as it freezes in normal mode (but programs are running ok in normal mode). I ran the ATF Cleaner - all ok. I also ran the Kaspersky online scan and when it was finished, I clicked on Save Report As but it won't save the report anywhere as a text file or as a web page. How do I get round this?
  • 0

Advertisements

#11
Kirsty S
Posted 26 March 2008 - 02:09 AM

Kirsty S

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Sorry - ignore the last comment, was being really stupid... of course you have to give the file a name before you save it otherwise it won't save! :) Internet still not working in normal mode though.

Kapersky report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 26, 2008 8:03:22 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/03/2008
Kaspersky Anti-Virus database records: 663509
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 110771
Number of viruses found: 19
Number of infected objects: 50
Number of suspicious objects: 3
Duration of the scan process: 01:23:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\09931a5f417751d4072f96d35aee21cb_94cad141-e4fa-43f8-86c4-620edf7a31c3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3e4b5b049aa9de4f9535b7119b5da99f_94cad141-e4fa-43f8-86c4-620edf7a31c3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4dc82193e05b1970ff0effe844406a06_94cad141-e4fa-43f8-86c4-620edf7a31c3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6ff6fa02a5d041c82ffe5450bc99614c_94cad141-e4fa-43f8-86c4-620edf7a31c3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\722b1149dd7e811b540b502668cd88a7_94cad141-e4fa-43f8-86c4-620edf7a31c3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a7b039197d1a19e685cdf19f76750a6f_94cad141-e4fa-43f8-86c4-620edf7a31c3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b64830b37d64d67504bed8af56b71fd3_94cad141-e4fa-43f8-86c4-620edf7a31c3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bea8590946afd2c1e172355f133c884f_94cad141-e4fa-43f8-86c4-620edf7a31c3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e28f39c660c8ae92c1159f71508739ab_94cad141-e4fa-43f8-86c4-620edf7a31c3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f881c099591b86f9177d1f220020cab1_94cad141-e4fa-43f8-86c4-620edf7a31c3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\Kirsty\Application Data\Sun\Java\Deployment\cache\6.0\12\4ef9724c-3eda855c/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Documents and Settings\Kirsty\Application Data\Sun\Java\Deployment\cache\6.0\12\4ef9724c-3eda855c/OwnClassLoader.class Infected: Trojan.Java.ClassLoader.au skipped
C:\Documents and Settings\Kirsty\Application Data\Sun\Java\Deployment\cache\6.0\12\4ef9724c-3eda855c/Installer.class Infected: Trojan-Downloader.Java.Agent.a skipped
C:\Documents and Settings\Kirsty\Application Data\Sun\Java\Deployment\cache\6.0\12\4ef9724c-3eda855c ZIP: infected - 3 skipped
C:\Documents and Settings\Kirsty\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kirsty\Desktop\SDFix\backups\catchme.zip/guntest.chm Infected: Rootkit.Win32.Agent.aey skipped
C:\Documents and Settings\Kirsty\Desktop\SDFix\backups\catchme.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Kirsty\Desktop\SDFix\backups_old1\tkcom32.dll Infected: Trojan-Downloader.Win32.BHO.dn skipped
C:\Documents and Settings\Kirsty\Local Settings\Application Data\Identities\{FE196BFF-A7E8-432C-B7E5-DCD240E97AF2}\Microsoft\Outlook Express\Deleted Items.dbx/[From "+Grey_Falcon /(+GF@MPLUS/)" <[email protected]>][Date Fri, 13 Jun 2003 11:46:25 +0100]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Kirsty\Local Settings\Application Data\Identities\{FE196BFF-A7E8-432C-B7E5-DCD240E97AF2}\Microsoft\Outlook Express\Deleted Items.dbx/[From "+Grey_Falcon /(+GF@MPLUS/)" <[email protected]>][Date Fri, 13 Jun 2003 11:46:25 +0100]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Kirsty\Local Settings\Application Data\Identities\{FE196BFF-A7E8-432C-B7E5-DCD240E97AF2}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: suspicious - 2 skipped
C:\Documents and Settings\Kirsty\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kirsty\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kirsty\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kirsty\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Kirsty\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kirsty\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kirsty\NtUser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Kirsty's work\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Kirsty's work\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Kirsty's work\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Program Files\eMule\Incoming\Nero 7.8.5.0.rar/Nero Burning Rom v.7.8.5.0 Premium ESP + Plantillas + KeyGen_DnGnMsTr/Nero-7.8.5.0_esp_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Program Files\eMule\Incoming\Nero 7.8.5.0.rar/Nero Burning Rom v.7.8.5.0 Premium ESP + Plantillas + KeyGen_DnGnMsTr/Nero-7.8.5.0_esp_trial.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Program Files\eMule\Incoming\Nero 7.8.5.0.rar RAR: infected - 2 skipped
C:\Program Files\eMule\Incoming\Spyware Doctor v4.0.0.2618 Multilangages Incl-Crack.rar/sdsetup.exe/file090 Infected: not-a-virus:Monitor.Win32.KeyLogger.dq skipped
C:\Program Files\eMule\Incoming\Spyware Doctor v4.0.0.2618 Multilangages Incl-Crack.rar/sdsetup.exe Infected: not-a-virus:Monitor.Win32.KeyLogger.dq skipped
C:\Program Files\eMule\Incoming\Spyware Doctor v4.0.0.2618 Multilangages Incl-Crack.rar RAR: infected - 2 skipped
C:\Program Files\eMule\Incoming\ultra mp4 video converter Share Accelerator.zip/ShareAcceleratorMM_SSZ11_-1198571865.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.Shopper.r skipped
C:\Program Files\eMule\Incoming\ultra mp4 video converter Share Accelerator.zip/ShareAcceleratorMM_SSZ11_-1198571865.exe Infected: not-a-virus:AdWare.Win32.Shopper.r skipped
C:\Program Files\eMule\Incoming\ultra mp4 video converter Share Accelerator.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP115\A0067749.exe Infected: Backdoor.Win32.VB.bwt skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP115\A0068828.dll Infected: not-a-virus:AdWare.Win32.BHO.cc skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP115\A0071818.exe Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP116\A0084947.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.h skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP116\A0084948.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP116\A0084950.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP116\A0084951.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP116\A0084952.exe Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP116\A0084953.exe Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP116\A0084954.exe Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP116\A0084955.exe Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP116\A0084957.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP116\A0084958.dll Infected: not-a-virus:AdWare.Win32.E404.p skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP122\A0104240.exe Infected: Trojan.Win32.Agent.ftz skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP122\A0104241.exe Infected: P2P-Worm.Win32.Archivarius.a skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP123\A0106242.exe Infected: Trojan.Win32.Agent.ftz skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP123\A0106243.exe Infected: P2P-Worm.Win32.Archivarius.a skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP123\A0107942.exe Infected: P2P-Worm.Win32.Archivarius.a skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP125\A0114942.exe Infected: Trojan.Win32.Agent.ftz skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP125\A0115004.dll Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP125\A0115010.dll Infected: Trojan-Downloader.Win32.BHO.dn skipped
C:\System Volume Information\_restore{C07E0D7D-D58F-4E60-8E50-11FCB7B40F34}\RP125\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\webhits32.dll Infected: Trojan.Win32.Agent.dwg skipped
C:\_OTMoveIt\MovedFiles\03222008_220331\WINDOWS\Installer\{001dd947-9c05-4f27-a346-462143dd374d}\zip.dll Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\_OTMoveIt\MovedFiles\03222008_220331\WINDOWS\Installer\{390a0fd0-f24f-4780-a78f-bf32413adeb6}\zip.dll Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\_OTMoveIt\MovedFiles\03222008_220331\WINDOWS\Installer\{6398a7a2-26f0-43f9-9d48-ccd015f75c1c}\zip.dll Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\_OTMoveIt\MovedFiles\03222008_220331\WINDOWS\Installer\{b964291b-5821-4cbe-bd99-9e76b6bec13c}\zip.dll Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\_OTMoveIt\MovedFiles\03222008_220331\WINDOWS\Installer\{cd46d462-482a-4073-af04-2a285e7c0cb9}\zip.dll Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\_OTMoveIt\MovedFiles\03222008_220331\WINDOWS\Installer\{e00899dc-8fdf-4873-9066-b544dba8c3f4}\zip.dll Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\_OTMoveIt\MovedFiles\03222008_220331\WINDOWS\Installer\{e3013624-1543-47fe-b2bf-2eb630cf3256}\zip.dll Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\_OTMoveIt\MovedFiles\03222008_220331\WINDOWS\Installer\{e626e74b-e1bb-449b-afbf-c8dfada4b8ea}\zip.dll Infected: Trojan-Dropper.Win32.Agent.ftv skipped
C:\_OTMoveIt\MovedFiles\03222008_220331\WINDOWS\Installer\{f0b397f9-42b4-4996-8953-5b01b1f8575e}\zip.dll Infected: Trojan-Dropper.Win32.Agent.ftv skipped

Scan process completed.
  • 0

#12
kahdah
Posted 26 March 2008 - 07:29 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\Kirsty\Application Data\Sun\Java\Deployment\cache\6.0\12\4ef9724c-3eda855c.ZIP
C:\Kirsty's work\SmitfraudFix
C:\Program Files\eMule\Incoming\Nero 7.8.5.0.rar
C:\Program Files\eMule\Incoming\Spyware Doctor v4.0.0.2618 Multilangages Incl-Crack.rar
C:\Program Files\eMule\Incoming\ultra mp4 video converter Share Accelerator.zip 
C:\WINDOWS\system32\webhits32.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==================
Please also uninstall

Prevx1
AVG Anti-Spyware 7.5
Spyware Doctor

and if this program is out of date then also uninstall it as well:
SpySweeper

After that reboot and post a new Hijackthis log and the OTMove it log and try to do it in normal mode.

Uninstalling these programs should make a difference with the internet speed.
  • 0

#13
Kirsty S
Posted 27 March 2008 - 06:50 AM

Kirsty S

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Am posting this from normal mode :) I uninstalled all the programs you said including spy sweeper as I no longer use this program. Logs are below :)


HiJack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:27, on 27/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Profiler] "C:\Program Files\Saitek\Software\ProfilerU.exe"
O4 - HKLM\..\Run: [SaiMfd] "C:\Program Files\Saitek\Software\SaiMfd.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [EPSON Stylus DX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE /FU "C:\WINDOWS\TEMP\E_SB0.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Registration .LNK = C:\Program Files\Ubisoft\Telltale Games\CSI-Hard Evidence\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epso...rg/ESTPTest.cab
O20 - Winlogon Notify: mljihhh - mljihhh.dll (file missing)
O20 - Winlogon Notify: webhits32 - webhits32.dll (file missing)
O21 - SSODL: zi? - {6eb8030a-e597-417f-acba-ae8c60742be9} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 8322 bytes




_OTMoveIt log:

File/Folder C:\Documents and Settings\Kirsty\Application Data\Sun\Java\Deployment\cache\6.0\12\4ef9724c-3eda855c.ZIP not found.
C:\Kirsty's work\SmitfraudFix\SmitfraudFix moved successfully.
C:\Kirsty's work\SmitfraudFix moved successfully.
C:\Program Files\eMule\Incoming\Nero 7.8.5.0.rar moved successfully.
C:\Program Files\eMule\Incoming\Spyware Doctor v4.0.0.2618 Multilangages Incl-Crack.rar moved successfully.
C:\Program Files\eMule\Incoming\ultra mp4 video converter Share Accelerator.zip moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\webhits32.dll
C:\WINDOWS\system32\webhits32.dll NOT unregistered.
C:\WINDOWS\system32\webhits32.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03272008_123438
  • 0

#14
kahdah
Posted 27 March 2008 - 09:54 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Great I assume that the internet is working correctly as well?

========================================
  • Please go to Start > Control Panel
  • on the top left hand corner will be a setting to Switch to Classic view.
  • Click that unless it is like that already.
  • Then double click on the Java icon.
  • Under the General tab at the top look at the bottom and you will see a setting called Temporary Internet Files.
  • Click on Settings and then click on Delete Files click ok at the prompt and then close out of that
============================================================================
After that please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: mljihhh - mljihhh.dll (file missing)
O20 - Winlogon Notify: webhits32 - webhits32.dll (file missing)
O21 - SSODL: zi? - {6eb8030a-e597-417f-acba-ae8c60742be9} - (no file)


Now click on Fix Checked and then close Hijackthis.
====================================
Cleanup::
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Delete\uninstall anything we used.
================================
Then I will need you to reset your System Restore points, please note that you will need to log into your computer with an account which has full administrator access.
You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
Click on *Start
Right-click *My Computer
Click *Properties
Click the *System Restore tab
Check *Turn off System Restore
Click *Apply, and then click *OK.

2. Reboot.

3. Turn ON System Restore.
Click on *Start
Right-click *My Computer
Click *Properties
*UN-Check *Turn off System Restore*
Check *Turn on System Restore
Click *Apply, and then click *OK.


How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us
========================================
After that your log is clean. :)

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy-Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Ad-Aware-Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD- puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Castle Cops To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
  • 0

#15
Kirsty S
Posted 27 March 2008 - 04:48 PM

Kirsty S

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Brilliant, thanks.

Can I download all the programs suggested and have them running at the same time? Or will this slow my system down?
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP