Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Blue desktop, fake warnings, disable task manager, etc. [RESOLVED]


  • This topic is locked This topic is locked

#16
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello greengum,

OTMoveIt2 hung up again. It got through the first two files before it froze

Should I try deleting the files manually?

Please don't try deleting those files yet, we will try something else after we get those other logs on here. :)

Or skip to the next step?

Yes, please goto step 2. :)
  • 0

Advertisements


#17
greengum

greengum

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
A few of the files are still there, but it's getting better. It also took me a couple tries to get ComboFix to work -- I downloaded it again, and when it did work I forgot that I had re-enabled my virus scan. I shut McAfee off as quickly as I could, but I do think it blocked something. When the computer rebooted I also got a message from Google toolbar refusing some change.

I think my internet connection was being throttled, and it seems better now. I also haven't gotten any popups yet.

Here are the logs for the programs that worked:

Rootkit Revealer

HKU\S-1-5-21-1271827394-577113160-764586664-1006\Software\Adobe\MediaBrowser\MRU\illustrator\ApplicationPath 7/10/2006 8:56 PM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 7/28/2005 4:52 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 7/28/2005 4:52 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{0D5AB0BD-A677-11d7-A773-00C04F68F44E}\Pins\Input\Types\{10ed2d83-f16f-0348-2000-8c26b23e9a26}\22 4/19/2007 8:12 PM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 1/2/2007 9:42 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 1/2/2007 9:42 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 1/2/2007 9:42 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 1/2/2007 9:42 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 1/2/2007 9:42 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 1/2/2007 9:42 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 1/2/2007 9:42 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 1/2/2007 9:42 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 1/2/2007 9:42 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 1/2/2007 9:42 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 1/2/2007 9:42 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 1/2/2007 9:42 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 12/25/2005 11:27 AM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\McAfee\HackerWatch\HwTime 4/24/2008 7:16 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\McAfee\VirusScan\SysMon\Cache\5\Timestamp\01C3346C241652F43AED8E2149881BFE 4/24/2008 7:13 PM 8 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\McAfee\VirusScan\SysMon\Cache\5\Timestamp\84885F9B82F4D55C6146EBF6065D75D2 4/24/2008 7:13 PM 8 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 1/14/2007 11:17 AM 0 bytes Access is denied.



Malwarebytes


Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Quick Scan
Objects scanned: 30271
Time elapsed: 24 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 3
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nNeeBtsr.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rwpxmtkr.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bbf11700-ef17-4886-8b20-e7eff77bbad4} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{bbf11700-ef17-4886-8b20-e7eff77bbad4} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8be6d422-7105-4c5a-b183-ae5fe7364dd9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8be6d422-7105-4c5a-b183-ae5fe7364dd9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\nneebtsr -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Bat (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\nNeeBtsr.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rstBeeNn.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rstBeeNn.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pogptmmw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmmtpgop.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rwpxmtkr.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vizkrczs.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.



ComboFix


ComboFix 08-04-22.5 - Dan 2008-04-24 20:32:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.156 [GMT -4:00]
Running from: C:\Documents and Settings\Dan\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dan\Application Data\macromedia\Flash Player\#SharedObjects\HXAUVSJL\www.broadcaster.com
C:\Documents and Settings\Dan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Dan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\sstem3~1
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\jkkLDTkk.dll
C:\WINDOWS\system32\poaitrjx.dll
C:\WINDOWS\system32\qeihiist.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-24 19:40 . 2008-04-24 19:40 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Malwarebytes
2008-04-24 19:39 . 2008-04-24 19:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-24 19:39 . 2008-04-24 19:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-23 18:52 . 2008-04-23 18:52 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-21 20:05 . 2008-04-22 23:28 109,734 --a------ C:\WINDOWS\BMb78e940f.xml
2008-04-21 19:14 . 2008-04-21 19:14 <DIR> d-------- C:\VundoFix Backups
2008-04-20 14:24 . 2008-04-20 14:24 <DIR> d-------- C:\Deckard
2008-04-20 13:37 . 2008-04-20 13:37 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-20 13:32 . 2008-04-20 14:19 <DIR> d-------- C:\SDFix
2008-04-19 18:25 . 2008-04-19 18:25 <DIR> d-------- C:\_OTMoveIt
2008-04-16 20:38 . 2008-04-16 20:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 21:57 . 2008-04-21 20:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-06 21:57 . 2008-04-06 21:57 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\SUPERAntiSpyware.com
2008-04-06 21:57 . 2008-04-06 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-06 21:56 . 2008-04-06 21:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 19:37 . 2008-04-06 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-06 18:17 . 2008-04-21 18:59 3,306 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-06 15:29 . 2008-04-06 15:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-04-06 15:28 . 2005-07-28 16:40 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-06 15:28 . 2005-07-28 17:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-04-06 15:28 . 2005-07-28 17:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-04-06 15:28 . 2005-07-28 17:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-06 15:28 . 2005-07-28 17:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-06 15:28 . 2005-12-25 18:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-06 15:28 . 2008-04-06 15:28 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-06 15:28 . 2008-04-24 20:32 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-06 14:42 . 2008-04-06 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\levwvezq
2008-04-06 14:41 . 2008-04-20 14:06 <DIR> d-------- C:\WINDOWS\uprjiefj
2008-04-06 14:41 . 2008-04-06 14:41 182,784 --a------ C:\WINDOWS\xmnwnyzq.dll
2008-04-06 14:41 . 2008-04-06 14:41 67,584 --a------ C:\WINDOWS\dsrmvads.dll
2008-04-06 14:41 . 2008-04-06 14:41 67,584 --a------ C:\Documents and Settings\All Users\Application Data\afsdoxcl.dll
2008-04-06 14:39 . 2008-04-06 14:39 396 --a------ C:\WINDOWS\system32\LE502.tmp
2008-04-06 14:39 . 2008-04-06 14:39 396 --a------ C:\WINDOWS\system32\LE349.tmp
2008-04-06 14:39 . 2008-04-06 14:39 396 --a------ C:\WINDOWS\system32\LE259.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 00:42 --------- d-----w C:\Documents and Settings\Dan\Application Data\WTablet
2008-04-21 23:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-21 23:42 --------- d-----w C:\Program Files\Azureus
2008-04-06 03:33 --------- d-----w C:\Program Files\Trillian
2008-03-24 22:48 70,400 ----a-w C:\Documents and Settings\Dan\Application Data\GDIPFONTCACHEV1.DAT
2008-03-20 00:11 --------- d-----w C:\Program Files\Soulseek
2008-03-08 02:54 --------- d-----w C:\Documents and Settings\Dan\Application Data\CoreFTP
2008-03-04 23:25 --------- d-----w C:\Program Files\McAfee
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b1f03258-1dd1-11b2-844a-d95ac99666f6}]
2008-04-06 14:41 67584 --a------ C:\WINDOWS\dsrmvads.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48 157592]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 23:04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 19:25 73728]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2005-08-10 14:23 356352]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-07 23:02 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-07 22:59 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-07 23:03 114688]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 19:17 88358 C:\WINDOWS\agrsmmsg.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-07-28 19:26 82009]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 17:07 729177]
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2005-06-01 00:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 17:03 1077301]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 19:13 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 20:37 151552]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 09:33 122941]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 15:27 385024]
"SoundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}"="C:\Program Files\Sound Volume Hotkeys\SoundVolumeHotkeys.exe" [2005-02-28 00:58 58368]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]

C:\Documents and Settings\Dan\Start Menu\Programs\Startup\
Omega ASIO Control Panel.lnk - C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe [2004-08-11 13:35:08 274432]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-25 17:04:35 110592]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-25 17:04:35 110592]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2006-02-25 16:07:52 135680]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-07-28 16:56:17 155648]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2006-02-05 22:24:55 132656]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 15:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkLDTkk]
jkkLDTkk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"= usbmn4x4.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
--a------ 2005-10-23 01:00 385024 C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 15:18 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notebook Maximizer]
--a------ 2004-05-25 17:35 28672 C:\Program Files\Notebook Maximizer\maximizer_startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\CoreFTP\\coreftp.exe"=
"C:\\Documents and Settings\\Dan\\Desktop\\downloads\\utorrent.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"51222:TCP"= 51222:TCP:51222
"51222:UDP"= 51222:UDP:51222 udp

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-11 13:05]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 21:08]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 15:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 14:30]
R3 WacomVKHid;Virtual Keyboard Driver;C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 20:11]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;C:\WINDOWS\system32\Drivers\CEUSBAUD.sys [2003-11-05 14:11]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-05-30 21:28]
S3 USB44LDR;M-Audio USB MidiSport 4x4 Loader;C:\WINDOWS\system32\drivers\usb44ldr.sys [2007-02-18 19:07]
S3 USBMN4X4;M-Audio USB MidiSport 4x4;C:\WINDOWS\system32\drivers\usbmn4x4.sys [2007-02-18 19:07]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 06:32:54 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-04-01 05:00:12 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 20:43:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-04-24 20:48:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-25 00:48:08

Pre-Run: 19,381,616,640 bytes free
Post-Run: 19,306,467,328 bytes free

214 --- E O F --- 2008-04-20 19:24:04




HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:04 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Sound Volume Hotkeys\SoundVolumeHotkeys.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\WINDOWS\dsrmvads.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SoundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}] C:\Program Files\Sound Volume Hotkeys\SoundVolumeHotkeys.exe -a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Omega ASIO Control Panel.lnk = C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: jkkLDTkk - jkkLDTkk.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 10878 bytes
  • 0

#18
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello greengum,

STEP 1

Please reopen HijackThis and click on Do a system scan only.And put a check next to these entries.

O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\WINDOWS\dsrmvads.dll
O20 - Winlogon Notify: jkkLDTkk - jkkLDTkk.dll (file missing)

Once you have the checks in those entries please make sure all open windows are closed(keep HijackThis open) and click fix checked on HijackThis.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\dsrmvads.dll
C:\WINDOWS\system32\tmp.reg
C:\Documents and Settings\All Users\Application Data\afsdoxcl.dll
C:\WINDOWS\xmnwnyzq.dll
C:\WINDOWS\BMb78e940f.xml
C:\WINDOWS\system32\LE502.tmp
C:\WINDOWS\system32\LE349.tmp
C:\WINDOWS\system32\LE259.tmp
Folder::
C:\Documents and Settings\All Users\Application Data\levwvezq
C:\WINDOWS\uprjiefj



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#19
greengum

greengum

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
ComboFix

ComboFix 08-04-22.5 - Dan 2008-04-25 19:20:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.184 [GMT -4:00]
Running from: C:\Documents and Settings\Dan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dan\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\afsdoxcl.dll
C:\WINDOWS\BMb78e940f.xml
C:\WINDOWS\dsrmvads.dll
C:\WINDOWS\system32\LE259.tmp
C:\WINDOWS\system32\LE349.tmp
C:\WINDOWS\system32\LE502.tmp
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\xmnwnyzq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\afsdoxcl.dll
C:\Documents and Settings\All Users\Application Data\levwvezq
C:\Documents and Settings\All Users\Application Data\levwvezq\twrinsza.exe
C:\WINDOWS\BMb78e940f.xml
C:\WINDOWS\dsrmvads.dll
C:\WINDOWS\system32\LE259.tmp
C:\WINDOWS\system32\LE349.tmp
C:\WINDOWS\system32\LE502.tmp
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\uprjiefj
C:\WINDOWS\uprjiefj\Thumbs.db
C:\WINDOWS\xmnwnyzq.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-24 19:40 . 2008-04-24 19:40 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Malwarebytes
2008-04-24 19:39 . 2008-04-24 19:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-24 19:39 . 2008-04-24 19:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-23 18:52 . 2008-04-23 18:52 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-21 19:14 . 2008-04-21 19:14 <DIR> d-------- C:\VundoFix Backups
2008-04-20 14:24 . 2008-04-20 14:24 <DIR> d-------- C:\Deckard
2008-04-20 13:37 . 2008-04-20 13:37 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-20 13:32 . 2008-04-20 14:19 <DIR> d-------- C:\SDFix
2008-04-19 18:25 . 2008-04-19 18:25 <DIR> d-------- C:\_OTMoveIt
2008-04-16 20:38 . 2008-04-16 20:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 21:57 . 2008-04-21 20:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-06 21:57 . 2008-04-06 21:57 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\SUPERAntiSpyware.com
2008-04-06 21:57 . 2008-04-06 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-06 21:56 . 2008-04-06 21:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 19:37 . 2008-04-06 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-06 15:29 . 2008-04-06 15:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-04-06 15:28 . 2005-07-28 16:40 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-06 15:28 . 2005-07-28 17:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-04-06 15:28 . 2005-07-28 17:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-04-06 15:28 . 2005-07-28 17:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-06 15:28 . 2005-07-28 17:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-06 15:28 . 2005-12-25 18:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-06 15:28 . 2008-04-06 15:28 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-06 15:28 . 2008-04-24 20:32 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 23:07 --------- d-----w C:\Documents and Settings\Dan\Application Data\WTablet
2008-04-21 23:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-21 23:42 --------- d-----w C:\Program Files\Azureus
2008-04-06 03:33 --------- d-----w C:\Program Files\Trillian
2008-03-24 22:48 70,400 ----a-w C:\Documents and Settings\Dan\Application Data\GDIPFONTCACHEV1.DAT
2008-03-20 00:11 --------- d-----w C:\Program Files\Soulseek
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-08 02:54 --------- d-----w C:\Documents and Settings\Dan\Application Data\CoreFTP
2008-03-04 23:25 --------- d-----w C:\Program Files\McAfee
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:32 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( [email protected]_20.47.53.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-25 00:41:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-25 23:06:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48 157592]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 23:04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 19:25 73728]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2005-08-10 14:23 356352]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-07 23:02 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-07 22:59 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-07 23:03 114688]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 19:17 88358 C:\WINDOWS\agrsmmsg.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-07-28 19:26 82009]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-08-01 17:07 729177]
"TFncKy"="TFncKy.exe" []
"TPSMain"="TPSMain.exe" [2005-06-01 00:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 17:03 1077301]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 19:13 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 20:37 151552]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 09:33 122941]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 15:27 385024]
"SoundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}"="C:\Program Files\Sound Volume Hotkeys\SoundVolumeHotkeys.exe" [2005-02-28 00:58 58368]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]

C:\Documents and Settings\Dan\Start Menu\Programs\Startup\
Omega ASIO Control Panel.lnk - C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe [2004-08-11 13:35:08 274432]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-25 17:04:35 110592]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-25 17:04:35 110592]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2006-02-25 16:07:52 135680]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-07-28 16:56:17 155648]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2006-02-05 22:24:55 132656]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 15:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"= usbmn4x4.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
--a------ 2005-10-23 01:00 385024 C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 15:18 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notebook Maximizer]
--a------ 2004-05-25 17:35 28672 C:\Program Files\Notebook Maximizer\maximizer_startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\CoreFTP\\coreftp.exe"=
"C:\\Documents and Settings\\Dan\\Desktop\\downloads\\utorrent.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"51222:TCP"= 51222:TCP:51222
"51222:UDP"= 51222:UDP:51222 udp

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-11 13:05]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 21:08]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 15:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 14:30]
R3 WacomVKHid;Virtual Keyboard Driver;C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 20:11]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;C:\WINDOWS\system32\Drivers\CEUSBAUD.sys [2003-11-05 14:11]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-05-30 21:28]
S3 USB44LDR;M-Audio USB MidiSport 4x4 Loader;C:\WINDOWS\system32\drivers\usb44ldr.sys [2007-02-18 19:07]
S3 USBMN4X4;M-Audio USB MidiSport 4x4;C:\WINDOWS\system32\drivers\usbmn4x4.sys [2007-02-18 19:07]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 06:32:54 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-04-01 05:00:12 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 19:23:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-25 19:25:02
ComboFix-quarantined-files.txt 2008-04-25 23:24:53
ComboFix2.txt 2008-04-25 00:48:15

Pre-Run: 19,278,815,232 bytes free
Post-Run: 19,266,314,240 bytes free

189 --- E O F --- 2008-04-20 19:24:04



HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:10 PM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Sound Volume Hotkeys\SoundVolumeHotkeys.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SoundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}] C:\Program Files\Sound Volume Hotkeys\SoundVolumeHotkeys.exe -a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Omega ASIO Control Panel.lnk = C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 10641 bytes
  • 0

#20
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello greengum,

STEP 1
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
STEP 2
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
~~~~~~~~~~
In your next reply please have this log.
The Kaspersky log
And are you having any errors or other problems with your computer?
  • 0

#21
greengum

greengum

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
The Kasperksy log is below. Is there a way to get rid of the backups of the bad files in System Volume Information? Some of them are still popping up as viruses in McAfee.

This computer doesn't have too many problems besides just being kind of old and slow; just trying to nurse it through a few more months before I get a new one. The only really annoying issue is that some things like flash movies cause the CPU to max out, eventually over heat, and shut down. I think it's probably just full of dust.

Thanks again for all your help!


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, April 27, 2008 8:13:49 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/04/2008
Kaspersky Anti-Virus database records: 727826
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 87305
Number of viruses found: 6
Number of infected objects: 22
Number of suspicious objects: 0
Duration of the scan process: 02:04:05

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{0D4C9A12-A273-4134-93C4-FF74CFE1AE7F}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{A38C0B05-1A4D-42FB-99B9-6223E295ACC2}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\aerb5oqf.default\cert8.db Object is locked skipped
C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\aerb5oqf.default\history.dat Object is locked skipped
C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\aerb5oqf.default\key3.db Object is locked skipped
C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\aerb5oqf.default\parent.lock Object is locked skipped
C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\aerb5oqf.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\aerb5oqf.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Dan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dan\Desktop\downloads\mirc63.exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\Documents and Settings\Dan\Desktop\downloads\mirc63.exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\Documents and Settings\Dan\Desktop\downloads\mirc63.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\Documents and Settings\Dan\Desktop\downloads\mirc63.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\Documents and Settings\Dan\Desktop\downloads\mirc63.exe NSIS: infected - 4 skipped
C:\Documents and Settings\Dan\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Dan\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Dan\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Dan\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\Application Data\Mozilla\Firefox\Profiles\aerb5oqf.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\Application Data\Mozilla\Firefox\Profiles\aerb5oqf.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\Application Data\Mozilla\Firefox\Profiles\aerb5oqf.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\Application Data\Mozilla\Firefox\Profiles\aerb5oqf.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\History\History.IE5\MSHist012008042720080428\index.dat Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Dan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\poaitrjx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qgr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qeihiist.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qoy skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B992AC1F-1409-469D-9617-074D63E04B5E}\RP773\A0081563.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.gr skipped
C:\System Volume Information\_restore{B992AC1F-1409-469D-9617-074D63E04B5E}\RP773\A0081563.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B992AC1F-1409-469D-9617-074D63E04B5E}\RP773\A0081564.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{B992AC1F-1409-469D-9617-074D63E04B5E}\RP773\A0081564.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B992AC1F-1409-469D-9617-074D63E04B5E}\RP776\A0082720.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{B992AC1F-1409-469D-9617-074D63E04B5E}\RP776\A0082720.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{B992AC1F-1409-469D-9617-074D63E04B5E}\RP776\A0082720.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{B992AC1F-1409-469D-9617-074D63E04B5E}\RP778\A0083941.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{B992AC1F-1409-469D-9617-074D63E04B5E}\RP782\A0084647.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qgr skipped
C:\System Volume Information\_restore{B992AC1F-1409-469D-9617-074D63E04B5E}\RP782\A0084648.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qoy skipped
C:\System Volume Information\_restore{B992AC1F-1409-469D-9617-074D63E04B5E}\RP786\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_8Fnw26upk0inB2a Object is locked skipped
C:\WINDOWS\Temp\mcmsc_DWzpdlJ5p6KKaxu Object is locked skipped
C:\WINDOWS\Temp\mcmsc_gediBEKJPWqgVcF Object is locked skipped
C:\WINDOWS\Temp\mcmsc_lNNBbGnUAEEYhfX Object is locked skipped
C:\WINDOWS\Temp\mcmsc_WhOECnBQg6bklS8 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

#22
Jimmy2012

Jimmy2012

    Trusted Helper

  • Retired Staff
  • 6,238 posts
Hello greengum,

This computer doesn't have too many problems besides just being kind of old and slow; just trying to nurse it through a few more months before I get a new one. The only really annoying issue is that some things like flash movies cause the CPU to max out, eventually over heat, and shut down. I think it's probably just full of dust.

If you want you could post a new topic in the XP forum and see if someone there could help with that.

Thanks again for all your help!

No problem. :)

WTG your logs look clean. :)
Just a few more steps before we are done.

  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
And anything that is leftover from what we had you download you may delete/uninstall.

Is there a way to get rid of the backups of the bad files in System Volume Information?

Yes please do this to get rid of them.

Click start,right click my computer then click Properties.Click the System Restore tab,check Turn off System Restore.Click Apply,and then click ok.Then reboot you computer. Now to turn it back on.
Right click my computer,click Properties.Click the System Restore tab,un-check Turn off System Restore.Click Apply,and then click ok.

And that will take care of them.


The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein
  • 0

#23
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP