Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Major trojan confusion [CLOSED]

Started by Injektilo* , Apr 28 2008 01:08 PM

  • This topic is locked This topic is locked

#1
Injektilo*
Posted 28 April 2008 - 01:08 PM

Injektilo*

    Member

  • Member
  • PipPip
  • 18 posts
Hello. I have a bit of a trojan problem and I'm hoping someone on here can help me. I currently own two external Seagate hard drives and regularly backup my data onto these drives. There is an identical folder that I keep on both drives. When I backup this folder on one drive, I back it up on the other so I always have two backup copies of the same data. Each folder contains the same files and sub-folders and the exact same structure as the other.

So here's the part thats got me stumped. I just conducted an AVG scan and on one of these drives there were (and still are after a rescan) several entries of "Trojan horse Downloader.Generic6.ALF" and a couple called "Trojan horse Small.AD". A scan of the exact same folders on the other drive showed them to be completely virus free. I am currently running AVG Free Edition Version 7.5.524 and my virus definitions are right up-to-date. I perhaps don't do full system scans as often as I should but I'm puzzled as to why they should show up on one drive and not the other. Without uninstalling AVG and installing an alternative virus scanner, is there any way to know whether AVG is producing a false positive? Even if it is, I'm still confused as to why it's doing it on one set of files and not on the other, which for all intents and purposes are identical. Any insights would be greatly appreciated.

Edited by Injektilo*, 28 April 2008 - 01:08 PM.

  • 0

Advertisements

#2
Rorschach112
Posted 11 May 2008 - 05:11 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please read the Sticky Threads and follow the steps there. Then post the required logs here
  • 0

#3
Injektilo*
Posted 11 May 2008 - 10:47 AM

Injektilo*

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Ok, my problems are snowballing now and I barely know where to start. :) I visited the Sticky Threads and did the initial clean ups, then downloaded the Malwarebytes' Anti-Malware program and set it to run on all my drives - internal and external. My system then crashed and I received a bsod that I've been seeing a lot lately saying something like "IRQL NOT LESS OR EQUAL", strings of numbers and letters and "ndisuio.sys". Whether this is linked to a malware problem or is something else entirely, I don't know...I'm hoping you might.

I decided to boot into safe mode before running the program a second time so I hit F8 at start up. More problems. It will not let me boot into safe mode. Instead I get a black screen full top to bottom with text reading: "multi(0)disk(0)rdisk(0)partition(1)\windows\system32\drivers..." followed by a long list of .sys files. Turning my external drives off made no difference.

I was a little reluctant to run the Malware scan program immediately after the crash in case the same thing happened again so I'm hoping a hijackthis log will help:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:44:37, on 11/05/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
D:\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\Logi_MwX.Exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\System32\ElkCtrl.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
F:\Ad Muncher\AdMunch.exe
F:\ProtoWall\ProtoWall.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
F:\Skype\Phone\Skype.exe
C:\Program Files\PDT\VoIPVoice Integration\VoIPVoice Integration.exe
F:\utorrent.exe
F:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
F:\Program Files\WordWeb\wweb32.exe
F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
F:\Program Files\Rainlendar\Rainlendar.exe
F:\Program Files\Rainmeter\Rainmeter.exe
F:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=slb-webcache.hull.ac.uk:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - F:\PROGRA~1\POPUPCOP\PopUpCop.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2575.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - F:\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\System32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Ad Muncher] "F:\Ad Muncher\AdMunch.exe" /bt
O4 - HKCU\..\Run: [ProtoWall] F:\ProtoWall\ProtoWall.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "F:\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SkypeClient] "C:\Program Files\PDT\VoIPVoice Integration\VoIPVoice Integration.exe"
O4 - HKCU\..\Run: [µTorrent] "F:\utorrent.exe"
O4 - HKCU\..\Run: [AnyDVD] F:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Veoh] "F:\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Rainlendar.lnk = F:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: Rainmeter.lnk = F:\Program Files\Rainmeter\Rainmeter.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WordWeb Pro.lnk = F:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher...d=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher...d=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher...id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher...menu_ie_exclude
O8 - Extra context menu item: Download using LeechGet - file://F:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://F:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://F:\Program Files\PopUpCop\popupcop.dll/imagenew
O8 - Extra context menu item: Parse with LeechGet - file://F:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher...=menu_ie_report
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Video Poker - http://download2.gam...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Backgammon - http://download2.gam...nts/y/at1_x.cab
O16 - DPF: Yahoo! Blackjack - http://download2.gam...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download2.gam...ts/y/dot9_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Literati - http://download2.gam...nts/y/tt5_x.cab
O16 - DPF: Yahoo! Poker - http://download2.gam...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.gam...ts/y/poti_x.cab
O16 - DPF: Yahoo! Reversi - http://download2.gam...nts/y/rt0_x.cab
O16 - DPF: Yahoo! Spades - http://download2.gam...nts/y/st3_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab27571.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.co...pside_web18.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.mess.../Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - F:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1148236988718
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - F:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - F:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcSandraSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 14833 bytes


Any insights at all would be very much appreciated.
  • 0

#4
Rorschach112
Posted 11 May 2008 - 10:55 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#5
Injektilo*
Posted 11 May 2008 - 12:16 PM

Injektilo*

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Ok I did a further HijackThis scan and deleted the entries as instructed. I then downloaded and ran Deckard's System Scanner five separate times. Each time I ran the program, it crashed and gave me a bsod once it got to the part where it was "backing up registry hives". Most of these blue screens gave "DRIVER_IRQL_NOT_LESS_OR_EQUAL" messages and a stop error. Whether the string of numbers that followed these messages is any use to you whatsoever I don't know but I can certainly post them if you need me too.

The last blue screen I received also had the following information: "nv4_mini.sys - Address BAB04DBO base at BAA8C000 DateStamp 453bddb2". A bit of poking around online tells me these blue screens could either be a problem with my graphics card or my RAM but I'm feeling a bit lost with all the conflicting information. :) Either way I seem unable to run the DSS program until this issue is resolved so if you can give me any advice on how to progress with this, I'd be extremely grateful. Thanks for your help so far.
  • 0

#6
Rorschach112
Posted 11 May 2008 - 12:55 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Yeah I am pretty sure this isn't a malware problem

Try this

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Under Additional Scans check the boxes beside Reg - Bot Check, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg Mountpoints2, File - Lop Check, and File - Purity Scan.
  • Under Drivers change it to Non-Microsoft.
  • Under Files Created Within and Files Modified Within change it to 90 days.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way
  • 0

#7
Injektilo*
Posted 11 May 2008 - 02:57 PM

Injektilo*

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Ok, I've attached the report from the OTScanIt program below.

Attached Files


  • 0

#8
Rorschach112
Posted 11 May 2008 - 03:24 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello



Start OTScanIt. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> farstone -> [NULL]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> ~EmptyValue -> []
< Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
*.windowsupdate_microsoft.com [*] -> Trusted sites
YN -> {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {92A40B0A-740A-4A11-9DDB-70460C6DA383} [HKEY_LOCAL_MACHINE] -> F:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration974.dll [Copernic Desktop Search]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\google\googletoolbar2.dll [&Google]
YN -> WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\google\googletoolbar2.dll [&Google]
YN -> WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar]
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
YN -> Block frame with Ad Muncher ->
YN -> Block image with Ad Muncher ->
YN -> Block link with Ad Muncher ->
YN -> Don't filter page with Ad Muncher ->
YN -> Download using LeechGet ->
YN -> Download using LeechGet Wizard ->
YN -> Parse with LeechGet ->
YN -> Report page to the Ad Muncher developers ->
[Files/Folders - Created Within 90 days]
NY -> FOUND.021 -> %SystemDrive%\FOUND.021
NY -> FOUND.022 -> %SystemDrive%\FOUND.022
NY -> FOUND.023 -> %SystemDrive%\FOUND.023
NY -> FOUND.024 -> %SystemDrive%\FOUND.024
NY -> FOUND.025 -> %SystemDrive%\FOUND.025
NY -> FOUND.026 -> %SystemDrive%\FOUND.026
NY -> FOUND.027 -> %SystemDrive%\FOUND.027
NY -> FOUND.028 -> %SystemDrive%\FOUND.028
NY -> FOUND.029 -> %SystemDrive%\FOUND.029
NY -> FOUND.030 -> %SystemDrive%\FOUND.030
NY -> FOUND.031 -> %SystemDrive%\FOUND.031
NY -> FOUND.032 -> %SystemDrive%\FOUND.032
NY -> FOUND.033 -> %SystemDrive%\FOUND.033
NY -> FOUND.034 -> %SystemDrive%\FOUND.034
NY -> FOUND.035 -> %SystemDrive%\FOUND.035
NY -> FOUND.036 -> %SystemDrive%\FOUND.036
NY -> Deckard -> %SystemDrive%\Deckard
NY -> FOUND.037 -> %SystemDrive%\FOUND.037
NY -> FOUND.038 -> %SystemDrive%\FOUND.038
NY -> FOUND.039 -> %SystemDrive%\FOUND.039
NY -> 2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.



Also tell me how your PC is running
  • 0

#9
Rorschach112
Posted 15 May 2008 - 06:09 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP