Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

trojan malware [CLOSED]


  • This topic is locked This topic is locked

#1
paintingnat

paintingnat

    New Member

  • Member
  • Pip
  • 1 posts
computer either slows to no memory or just freezes totaly.

have tried to upload hijack this notes file but got Upload failed. You are not permitted to upload this type of file

Attached Files


  • 0

Advertisements


#2
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi paintingnat

welcome to geekstogo :)

lets do a deeper scan of your machine for me to analyse. could you copy and paste the logs in your reply, dont upload them......you can look in other peoples posts to see what i mean.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

you may need to post the logs over 2 replies to ensure all the information is posted.

andrewuk
  • 0

#3
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
user pmd me with the DSS scan:

Deckard's System Scanner v20071014.68
Run by natalie on 2008-04-19 22:51:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-04-19 21:52:02 UTC - RP232 - Deckard's System Scanner Restore Point
2: 2008-04-18 21:23:49 UTC - RP231 - Agnitum Outpost Security Suite Pro Restore Point: uninstall
1: 2008-04-18 19:30:15 UTC - RP230 - Agnitum Outpost Security Suite Pro Restore Point: install


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as natalie.exe) ---------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-19 22:55:37
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrlS.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PAVFNSVR.EXE
C:\Program Files\Common Files\Panda Software\PavShld\PavPrSrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PAVSRV51.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\FIREWALL\PSHost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\apvxdwin.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cable & Wireless\Common\C&WConfig.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Medion\ScanPanel\ScnPanel.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\Aware.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SrvLoad.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\Marker.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
C:\Documents and Settings\natalie\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ukonline.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rundll64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies Inc\Notebook Software\NotebookPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Cable & Wireless Wireless Utility.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: ScanPanel.lnk = ?
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardTools.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan....s/ascstubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1190900013953
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrlS.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PAVFNSVR.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\PavPrSrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PAVSRV51.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\FIREWALL\PSHost.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe


--
End of file - 10946 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - C:\PROGRA~1\PANDAS~2\PANDAI~1\PavScrip.exe "%1" %*
.vbs - VBSFile - shell\open\command - C:\PROGRA~1\PANDAS~2\PANDAI~1\PavScrip.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 DgiVecp (Team MFP Comm Driver) - c:\windows\system32\drivers\dgivecp.sys <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
R3 AvFlt (Antivirus Filter Driver) - c:\windows\system32\drivers\av5flt.sys (file missing)
R3 PavSRK.sys - c:\windows\system32\pavsrk.sys (file missing)
R3 PavTPK.sys - c:\windows\system32\pavtpk.sys (file missing)
R3 RT73 (Cable & Wireless 11g Wireless USB XR Adapter Driver) - c:\windows\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>

S2 SampleScanner (USB-Flachbettscanner) - c:\windows\system32\drivers\artecgt.sys <Not Verified; ; USB Scanner Driver>
S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S2 SysEnforce - c:\progra~1\trisna~1\ssi\sysenf~1.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-19 12:00:11 414 --a------ C:\WINDOWS\Tasks\Auto-scheduled task of Free Registry Fix.job
2008-02-19 14:55:08 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-19 and 2008-04-19 -----------------------------

2008-04-19 19:03:37 0 d-------- C:\Documents and Settings\natalie\Application Data\Malwarebytes
2008-04-19 19:03:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-19 19:03:20 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-19 19:02:24 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-19 13:43:59 0 d-------- C:\HJT
2008-04-19 11:41:42 159744 --a------ C:\WINDOWS\system32\hasher.dll <Not Verified; ; hasher Dynamic Link Library>
2008-04-19 11:41:39 0 d-------- C:\Program Files\Trisnap Technologies
2008-04-17 22:34:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-19 19:43:06 0 d-------- C:\Program Files\MathBase


-- Find3M Report ---------------------------------------------------------------

2008-04-19 19:02:24 0 d-------- C:\Program Files\Common Files
2008-04-16 21:45:46 0 d-------- C:\Program Files\Panda Security
2008-04-15 12:02:33 0 d-------- C:\Program Files\Free Registry Fix
2008-04-13 16:42:12 0 d-------- C:\Documents and Settings\natalie\Application Data\cardit!
2008-04-04 18:42:53 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-10 19:33:23 0 d-------- C:\Documents and Settings\natalie\Application Data\FUJIFILM
2008-03-09 09:06:01 0 d-------- C:\Program Files\Cardit!
2008-03-07 21:38:50 0 d-------- C:\Documents and Settings\natalie\Application Data\Help
2008-03-03 19:05:23 0 d-------- C:\Program Files\Natura Sound Therapy
2008-02-19 16:25:52 0 d-------- C:\Program Files\Driving Theory Test Express
2008-01-26 19:16:09 261 --a------ C:\WINDOWS\system32\PavCPL.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 22:32]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12/01/2006 16:40]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [27/10/2006 00:47]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [13/08/2001 16:44]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [16/12/2002 16:51]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [31/03/2003 19:28]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/11/2007 14:04]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.exe" [23/07/2007 19:30]
"SCANINICIO"="C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe" [11/07/2007 16:17]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 17:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 13:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cable & Wireless Wireless Utility.lnk - C:\Program Files\Cable & Wireless\Common\C&WConfig.exe [27/10/2007 23:47:15]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [29/09/2007 23:21:22]
ScanPanel.lnk - C:\Program Files\Medion\ScanPanel\ScnPanel.exe [19/10/2007 20:45:35]
SMART Board Tools.lnk - C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardTools.exe [02/11/2007 06:48:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rundll64.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 15/02/2007 21:02 50736 C:\WINDOWS\system32\avldr.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{169a8700-0c91-11dd-93da-000e2ea21ac8}]
AutoRun\command- F:\.\RECYCLER\INFO
explore\Command- F:\.\RECYCLER\INFO
Open\command- F:\.\RECYCLER\INFO

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fd4200a-ca61-11dc-933b-000e2ea21ac8}]
Auto\command- tel.xls.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49079c56-7e1f-11dc-a939-0002a5fa8f3b}]
AutoRun\command- E:\.\RECYCLER\INFO
explore\Command- E:\.\RECYCLER\INFO
Open\command- E:\.\RECYCLER\INFO

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79a9ba60-8324-11dc-9249-0002a5fa8f3b}]
AutoRun\command- F:\.\RECYCLER\INFO
explore\Command- F:\.\RECYCLER\INFO
Open\command- F:\.\RECYCLER\INFO

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fa2d948-dfe2-11dc-937a-000e2ea21ac8}]
AutoRun\command- .\RECYCLER\INFO
explore\Command- .\RECYCLER\INFO
Open\command- .\RECYCLER\INFO

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce1aae10-b213-11dc-92e6-000e2ea21ac8}]
AutoRun\command- G:\.\RECYCLER\INFO
explore\Command- G:\.\RECYCLER\INFO
Open\command- G:\.\RECYCLER\INFO

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2ab8e62-823f-11dc-923e-0002a5fa8f3b}]
AutoRun\command- .\RECYCLER\INFO
explore\Command- .\RECYCLER\INFO
Open\command- .\RECYCLER\INFO

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dda70ee7-7e7b-11dc-9224-0002a5fa8f3b}]
AutoRun\command- .\RECYCLER\INFO
explore\Command- .\RECYCLER\INFO
Open\command- .\RECYCLER\INFO


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{KEDT456S-FJKR-DG53-8427-45182378KUDG}]
C:\WINDOWS\system32\winsetup.exe



-- End of Deckard's System Scanner: finished at 2008-04-19 22:58:06 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.50GHz
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 511.42 MiB / 143.67 MiB
Pagefile Memory (total/avail): 1250.16 MiB / 757.24 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1901.77 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 38.28 GiB total, 21.3 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
H: is Fixed (FAT) - 0.06 GiB total, 0 GiB free.

\\.\PHYSICALDRIVE0 - Maxtor 6E040L0 - 38.28 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 38.28 GiB - C:

\\.\PHYSICALDRIVE1 - Generic Flash Disk USB Device - 54.91 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 62.48 MiB - H:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Panda Internet Security 2008 v12.00.00 (Panda Security)
AV: Panda Internet Security 2008 v12.00.00 (Panda Security)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe:*:Enabled:javaw"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\natalie\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PC1955
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\natalie
LOGONSERVER=\\PC1955
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\PROGRAM FILES\QUICKTIME\QTSYSTEM\;C:\Program Files\Panda Security\Panda Internet Security 2008\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\natalie\LOCALS~1\Temp
TMP=C:\DOCUME~1\natalie\LOCALS~1\Temp
USERDOMAIN=PC1955
USERNAME=natalie
USERPROFILE=C:\Documents and Settings\natalie
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

natalie (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Action Sats Learning Early Science --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Action Sats Learning\Early Science\Uninst.isu"
Action Sats Learning Tables --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Action Sats Learning\Tables\Uninst.isu"
ACTIVflipchart Viewer --> MsiExec.exe /I{BC615277-FB87-4E05-9691-98751268627D}
Activprimary Flipchart Viewer v3.0.1753 --> MsiExec.exe /I{F499BB32-E16B-443B-8DEF-77094B421180}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{685A56F8-75B6-44AD-B3DA-FB0A3266B47C}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Cable & Wireless 11g Wireless USB XR Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E91E8912-769D-42F0-8408-0E329443BABC}\setup.exe" -l0x9 -removeonly
Cardit! (natalie's Cardit') --> "C:\Program Files\Cardit!\unins000.exe"
Clicker 5 English UK Standalone --> MsiExec.exe /I{05992981-5E37-4CDD-8D58-9DE4BDF44174}
Color LaserJet 2600n --> C:\Program Files\Zenographics\{D950B35B-F871-4E8B-930D-6EA57C2019B5}\setup.exe -u "HPCLJKCInstaller.dll=CLJ2600.INF"
Driving Theory Test Express v1.5.0.0 --> "C:\Program Files\Driving Theory Test Express\unins000.exe"
FinePixViewer Ver.4.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{24ED4D80-8294-11D5-96CD-0040266301AD}\SETUP.EXE"
Focus Educational Images --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7070A625-9830-4DFE-99FE-46944AFBFFC8}
FUJIFILM USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\SETUP.EXE"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 1.99.1 --> C:\HJT\HijackThis.exe /uninstall
hp LaserJet 1010 Series --> MsiExec.exe /x {292C47B2-8DB7-47BF-896C-C3C5EE8108C4}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MathBase1 FSUL06 --> MsiExec.exe /I{A5198229-A264-4B27-957F-7206883DB5D7}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Natura Sound Therapy --> C:\Program Files\Natura Sound Therapy\uninstall.exe
Nero 7 Essentials --> MsiExec.exe /I{A7661EF6-352F-D5A3-B913-B762230C1033}
Panda Internet Security 2008 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EEBA9416-3207-47E0-9022-116440599DBC}\SETUP.EXE" -l0x9 -removeonly
Panda TotalScan --> C:\Program Files\Panda Security\TotalScan\ascuninst.exe
Presto! PageManager --> C:\WINDOWS\uninst.exe -f"C:\Program Files\NewSoft\PageManager\DeIsL1.isu"
Presto! PageType --> C:\WINDOWS\uninst.exe -f"C:\Program Files\NewSoft\PageManager\PageType\DeIsL1.isu"
QuickTime --> MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
RAW FILE CONVERTER LE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D680C913-5955-469D-9D88-C1940F7506D6}\SETUP.EXE" -l0x9
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Office 2007 (KB934062) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Publisher 2007 (KB936646) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A32E4BAF-6477-45FA-B8AB-E743FA8D63FF}
Security Update for the 2007 Microsoft Office System (KB936960) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Sherston Software - Rhyme and Analogy --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Sherston Software\Rhyme and Analogy\Uninst.isu"
SMART Board Software --> MsiExec.exe /I{46486451-E60F-42C3-92D7-796D8594688A}
SMART Essentials for Educators --> MsiExec.exe /X{2348B97D-C991-438F-BC44-294C931E7B8B}
Update for Office 2007 (KB932080) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB934391) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Office 2007 (KB934393) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {92FBAD46-E7F6-49FA-89B5-C39FC5BFAD15}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb949037) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B4F188C6-6DBF-42A5-A8A3-3086D1A384F2}
Update for Word 2007 (KB934173) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C6A89125-5473-45E3-B413-ED8186437475}
USB-Flachbettscanner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{60B81442-7AB5-49A2-BF90-02A2786587ED}\setup.exe"
Versal FileDownload ActiveX Control Trial Version --> C:\Program Files\Universal\UFileDownloadD\USetup.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type7161 / Error
Event Submitted/Written: 04/19/2008 07:15:41 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 492146877.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type7159 / Error
Event Submitted/Written: 04/19/2008 07:14:24 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application AVENGINE.EXE, version 2.1.29.0, faulting module pskpack.dll, version 1.4.3.1, fault address 0x00004f47.
Processing media-specific event for [AVENGINE.EXE!ws!]

Event Record #/Type7149 / Error
Event Submitted/Written: 04/19/2008 05:06:44 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application scnpanel.exe, version 1.5.2.1, faulting module unknown, version 0.0.0.0, fault address 0x5b2d3b35.
Processing media-specific event for [scnpanel.exe!ws!]

Event Record #/Type7141 / Error
Event Submitted/Written: 04/19/2008 04:11:30 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 02082512.

Event Record #/Type7140 / Error
Event Submitted/Written: 04/19/2008 04:11:11 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application prestopm.exe, version 1.0.0.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type18546 / Warning
Event Submitted/Written: 04/19/2008 05:15:30 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 000E2EA21AC8. The IP address being used is 169.254.107.3.

Event Record #/Type18544 / Warning
Event Submitted/Written: 04/19/2008 05:15:26 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 000E2EA21AC8. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type18527 / Error
Event Submitted/Written: 04/19/2008 05:14:28 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SysEnforce service failed to start due to the following error:
%%2

Event Record #/Type18526 / Error
Event Submitted/Written: 04/19/2008 05:14:28 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The USB-Flachbettscanner service failed to start due to the following error:
%%1058

Event Record #/Type18519 / Warning
Event Submitted/Written: 04/19/2008 05:05:57 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 000E2EA21AC8. The IP address being used is 169.254.107.3.



-- End of Deckard's System Scanner: finished at 2008-04-19 22:58:06 ------------

Edited by andrewuk, 19 April 2008 - 04:11 PM.

  • 0

#4
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi paintingnat

i can see a password stealer trojan in your logs which is capable of stealing passwords for your financial websites as well as other sites. therefore, as a matter of priority, you should change your passwords from a clean machine. you should also take whatever action you deem neccessary to ensure your financial information has not been compromised. see here for more details: http://www.sophos.co...jcashgrabu.html and http://www.bleepingc....exe-12995.html

in this post we will clear the malware i can see and do a couple of further scans to see what else is lurking on your machine. it also looks like you have attached a removable drive (ie a flash drive) to your machine in the past which has possibly passed an infection onto your machine, we will deal with that also.

the scans will likely take 3 hours, quite possibly much longer. so just let them run.

there is a lot of steps in this post, so feel free to post the results of each log as you go along. when you reply to me, could you copy and paste the text in the logs into the forum by clicking the Add Reply button at the bottom right.


====STEP 1====
Please download the OTMoveIt2 by OldTimer and Save it to your desktop.

Do NOT run it yet



====STEP 2====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rundll64.exe,

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



====STEP 3====
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\rundll64.exe
    C:\WINDOWS\system32\winsetup.exe
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{169a8700-0c91-11dd-93da-000e2ea21ac8}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fd4200a-ca61-11dc-933b-000e2ea21ac8}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49079c56-7e1f-11dc-a939-0002a5fa8f3b}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79a9ba60-8324-11dc-9249-0002a5fa8f3b}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fa2d948-dfe2-11dc-937a-000e2ea21ac8}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce1aae10-b213-11dc-92e6-000e2ea21ac8}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2ab8e62-823f-11dc-923e-0002a5fa8f3b}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dda70ee7-7e7b-11dc-9224-0002a5fa8f3b}
    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{KEDT456S-FJKR-DG53-8427-45182378KUDG}
    Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


====STEP 4====
click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /daft
This will open up Deckard's File Association Tool
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.

====STEP 5====
  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


====STEP 6====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 7====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

====STEP 8====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

In your next reply could i see:
1. the OTMoveIT log
2. the SUPERantispyware log
3. the Kaspersky scan log
4. a new hijackthis log

when you reply to me, could you copy and paste the logs into the forum by clicking the Add Reply button at the bottom right.

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#5
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP