tr/drop.delf.aha.10 and tr/vundo.gen [RESOLVED]



#1 justme22 (New Member, 9 posts)
Hello. I had NOD32 and it didn't detect it. It started by hijacking explorer.exe and iexplorer.exe, trying to connect to the internet, opening some pages and installing the Dealio toolbar. I think I got rid of it, but I am not sure. And I have too many svchost.exe processes open when I am connected to the internet.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:56 AM, on 4/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
D:\WINDOWS\system32\lkcitdl.exe
D:\WINDOWS\system32\lkads.exe
D:\WINDOWS\system32\lktsrv.exe
D:\mysql\bin\mysqld-max-nt.exe
D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
D:\WINDOWS\system32\nisvcloc.exe
D:\Program Files\Prevx2\PXAgent.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
D:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Prevx2\PXConsole.exe
D:\WINDOWS\WBMKbdAP.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Internet Download Manager\IDMan.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
D:\Program Files\Internet Download Manager\IEMonitor.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Documents and Settings\STORM\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O1 - Hosts file is located at: D:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - D:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - D:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - D:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] D:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PrevxOne] "D:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [WBMKEYBD] D:\WINDOWS\WBMKbdAP.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [IDMan] D:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [HomeAlarm] D:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: WinMySQLadmin.lnk = D:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: AutoTask Update.lnk = D:\AT2000\WiseUpdt.exe
O8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Download with USDownloader - D:\Program Files\Universal Share Downloader\Ext\downloadie.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: d:\program files\ocean technology\gg e-sports platform\gfilter.dll
O10 - Unknown file in Winsock LSP: d:\program files\ocean technology\gg e-sports platform\gfilter.dll
O10 - Unknown file in Winsock LSP: d:\program files\ocean technology\gg e-sports platform\gfilter.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/...x/AVCheckUp.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EFA2AB1-05D8-4A3F-8119-22D376949424}: NameServer = 86.127.210.178 86.127.210.178
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Manager Google Desktop 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: LiveUpdate (liveupdate) - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - D:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - D:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - D:\WINDOWS\system32\lktsrv.exe
O23 - Service: Flexlm (lmgrd) - National Instruments, Inc. - (no file)
O23 - Service: MySql - Unknown owner - D:/mysql/bin/mysqld-max-nt.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - D:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - D:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - D:\WINDOWS\system32\nisvcloc.exe
O23 - Service: PREVXAgent - Prevx - D:\Program Files\Prevx2\PXAgent.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - D:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 11121 bytes



Malwarebytes' Anti-Malware 1.11
Database version: 694

Scan type: Quick Scan
Objects scanned: 35728
Time elapsed: 7 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\svchost.JPG (Heuristics.Reserved.Word.Exploit) -> No action taken.




SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/29/2008 at 07:31 AM

Application Version : 4.0.1154

Core Rules Database Version : 3450
Trace Rules Database Version: 1442

Scan type : Complete Scan
Total Scan Time : 01:10:48

Memory items scanned : 487
Memory threats detected : 0
Registry items scanned : 6674
Registry threats detected : 0
File items scanned : 122524
File threats detected : 0






KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 29, 2008 3:11:52 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/04/2008
Kaspersky Anti-Virus database records: 729076
Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target: My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
Scan Statistics
Total number of scanned objects: 346650
Number of viruses found: 53
Number of infected objects: 170
Number of suspicious objects: 0
Duration of the scan process: 06:23:18

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\STORM\Local Settings\Application Data\Mozilla\Firefox\Profiles\9kcjhb2q.default\Cache\6AB69769d01 Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\Documents and Settings\STORM\Local Settings\Temp\DGlrtmvU.exe.part Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\Documents and Settings\STORM\Local Settings\Temp\ProduKey.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.i skipped
C:\Documents and Settings\STORM\Local Settings\Temp\WirelessKeyView.exe Infected: not-a-virus:PSWTool.Win32.Messen.v skipped
C:\patcha.rar/patch.exe Infected: Trojan-Dropper.Win32.Delf.aha skipped
C:\patcha.rar RAR: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\c\utorrent\Avira AntiVir Premium v8.1.00.331 + NEW KEYS\Avira AntiVir Premium v8.1.00.331 + NEW KEYS\antivir_workstation_winu_en_hp.exe/is152924.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qpm skipped
D:\c\utorrent\Avira AntiVir Premium v8.1.00.331 + NEW KEYS\Avira AntiVir Premium v8.1.00.331 + NEW KEYS\antivir_workstation_winu_en_hp.exe CAB: infected - 1 skipped
D:\c\utorrent\Avira AntiVir Premium v8.1.00.331 + NEW KEYS.rar/Avira AntiVir Premium v8.1.00.331 + NEW KEYS/antivir_workstation_winu_en_hp.exe/is152924.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qpm skipped
D:\c\utorrent\Avira AntiVir Premium v8.1.00.331 + NEW KEYS.rar/Avira AntiVir Premium v8.1.00.331 + NEW KEYS/antivir_workstation_winu_en_hp.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qpm skipped
D:\c\utorrent\Avira AntiVir Premium v8.1.00.331 + NEW KEYS.rar RAR: infected - 2 skipped
D:\Deckard\System Scanner\backup\DOCUME~1\STORM\LOCALS~1\Temp\ProduKey.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.i skipped
D:\Deckard\System Scanner\backup\DOCUME~1\STORM\LOCALS~1\Temp\WirelessKeyView.exe Infected: not-a-virus:PSWTool.Win32.Messen.v skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Prevx\LDB_FP-00.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Prevx\LDB_FP-Index.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Prevx\Local.dat Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\STORM\Application Data\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cert8.db Object is locked skipped
D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\formhistory.dat Object is locked skipped
D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\GoogleToolbarData\googlesafebrowsing.db Object is locked skipped
D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\history.dat Object is locked skipped
D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\key3.db Object is locked skipped
D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\parent.lock Object is locked skipped
D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\search.sqlite Object is locked skipped
D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\urlclassifier2.sqlite Object is locked skipped
D:\Documents and Settings\STORM\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-28-2008( 18-47-9 ).LOG Object is locked skipped
D:\Documents and Settings\STORM\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\STORM\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\STORM\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\STORM\Local Settings\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\Cache\_CACHE_001_ Object is locked skipped
D:\Documents and Settings\STORM\Local Settings\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\Cache\_CACHE_002_ Object is locked skipped
D:\Documents and Settings\STORM\Local Settings\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\Cache\_CACHE_003_ Object is locked skipped
D:\Documents and Settings\STORM\Local Settings\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\Cache\_CACHE_MAP_ Object is locked skipped
D:\Documents and Settings\STORM\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\STORM\Local Settings\Temp\Perflib_Perfdata_1bc.dat Object is locked skipped
D:\Documents and Settings\STORM\Local Settings\Temp\Perflib_Perfdata_830.dat Object is locked skipped
D:\Documents and Settings\STORM\Local Settings\Temp\ProduKey.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.i skipped
D:\Documents and Settings\STORM\Local Settings\Temp\WirelessKeyView.exe Infected: not-a-virus:PSWTool.Win32.Messen.v skipped
D:\Documents and Settings\STORM\Local Settings\Temp\~DF834B.tmp Object is locked skipped
D:\Documents and Settings\STORM\Local Settings\Temp\~DFBEDB.tmp Object is locked skipped
D:\Documents and Settings\STORM\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
D:\Documents and Settings\STORM\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\STORM\ntuser.dat Object is locked skipped
D:\Documents and Settings\STORM\ntuser.dat.LOG Object is locked skipped
D:\patcha.rar/patch.exe Infected: Trojan-Dropper.Win32.Delf.aha skipped
D:\patcha.rar RAR: infected - 1 skipped
D:\Program Files\Prevx2\lclbrk.cache Object is locked skipped
D:\Program Files\Prevx2\log\px-log.txt Object is locked skipped
D:\Program Files\Prevx2\paws.cache Object is locked skipped
D:\Program Files\Prevx2\prevx.cache Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\Sti_Trace.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\Internet.evt Object is locked skipped
D:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
D:\WINDOWS\system32\config\OSession.evt Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\wiadebug.log Object is locked skipped
D:\WINDOWS\wiaservc.log Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\torent\Total_Commander_Ultima_Prime_v3.4_Key_Incl -H5N1\Setup\tcup34.exe/stream/data2361 Infected: not-a-virus:PSWTool.Win32.Delf.f skipped
F:\torent\Total_Commander_Ultima_Prime_v3.4_Key_Incl -H5N1\Setup\tcup34.exe/stream/data2387 Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
F:\torent\Total_Commander_Ultima_Prime_v3.4_Key_Incl -H5N1\Setup\tcup34.exe/stream/data2388 Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
F:\torent\Total_Commander_Ultima_Prime_v3.4_Key_Incl -H5N1\Setup\tcup34.exe/stream Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
F:\torent\Total_Commander_Ultima_Prime_v3.4_Key_Incl -H5N1\Setup\tcup34.exe NSIS: infected - 4 skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\hard vechi D\codecs\kituri\RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
H:\hard vechi D\codecs\kituri\RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
H:\hard vechi D\codecs\kituri\RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
H:\hard vechi D\codecs\kituri\RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
H:\hard vechi D\codecs\kituri\RADMIN21.EXE Gentee: infected - 4 skipped
H:\hard vechi D\downloads\software\download deskwallp\bikini8aa.exe/WISE0017.BIN Infected: not-a-virus:AdTool.Win32.MyWebSearch.aw skipped
H:\hard vechi D\downloads\software\download deskwallp\bikini8aa.exe WiseSFX: infected - 1 skipped
H:\hard vechi D\downloads\software\download deskwallp\fireworksaa.exe/WISE0020.BIN Infected: not-a-virus:AdTool.Win32.MyWebSearch.aw skipped
H:\hard vechi D\downloads\software\download deskwallp\fireworksaa.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bx skipped
H:\hard vechi D\downloads\software\download deskwallp\fireworksaa.exe WiseSFX: infected - 2 skipped
H:\hard vechi D\downloads\software\download deskwallp\VirtuaGirls_2_12.exe/WISE0033.BIN Infected: not-a-virus:Dialer.Win32.DialerOffline skipped
H:\hard vechi D\downloads\software\download deskwallp\VirtuaGirls_2_12.exe WiseSFX: infected - 1 skipped
H:\hard vechi D\downloads\software\download deskwallp\VirtuaGirls_2_12.exe WiseSFXDropper: infected - 1 skipped
H:\hard vechi D\kits\ccproxysetup.exe/data0002 Infected: not-a-virus:Server-Proxy.Win32.CCProxy.60 skipped
H:\hard vechi D\kits\ccproxysetup.exe/data0003 Infected: not-a-virus:Server-Proxy.Win32.CCProxy.63 skipped
H:\hard vechi D\kits\ccproxysetup.exe Inno: infected - 2 skipped
H:\hard vechi D\kits\Yahoo-Message-Archive-Decoder-Setup-4.0.exe/stream/data0012 Infected: not-a-virus:PSWTool.Win32.Yahoo.c skipped
H:\hard vechi D\kits\Yahoo-Message-Archive-Decoder-Setup-4.0.exe/stream Infected: not-a-virus:PSWTool.Win32.Yahoo.c skipped
H:\hard vechi D\kits\Yahoo-Message-Archive-Decoder-Setup-4.0.exe NSIS: infected - 2 skipped
H:\hard vechi E\A\programe\free to try\vnc-P4_2_5-x86_win32.zip/vnc-P4_2_5-x86_win32.exe/file4 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
H:\hard vechi E\A\programe\free to try\vnc-P4_2_5-x86_win32.zip/vnc-P4_2_5-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
H:\hard vechi E\A\programe\free to try\vnc-P4_2_5-x86_win32.zip ZIP: infected - 2 skipped
H:\hard vechi E\A\programe\IP scan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
H:\hard vechi E\A\programe\jhoos_setup.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
H:\hard vechi E\A\programe\jhoos_setup.exe WiseSFX: infected - 1 skipped
H:\hard vechi E\A\programe\RADMIN\RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
H:\hard vechi E\A\programe\RADMIN\RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
H:\hard vechi E\A\programe\RADMIN\RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
H:\hard vechi E\A\programe\RADMIN\RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
H:\hard vechi E\A\programe\RADMIN\RADMIN21.EXE Gentee: infected - 4 skipped
H:\hard vechi E\A\programe\Remote Administrator 2.2\Remote administrator 2.2.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
H:\hard vechi E\A\programe\Remote Administrator 2.2\Remote administrator 2.2.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
H:\hard vechi E\A\programe\Remote Administrator 2.2\Remote administrator 2.2.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
H:\hard vechi E\A\programe\Remote Administrator 2.2\Remote administrator 2.2.EXE Gentee: infected - 3 skipped
H:\hard vechi E\A\programe\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\hard vechi E\A\programe\SmitfraudFix.zip ZIP: infected - 1 skipped
H:\hard vechi E\A\texte\Spart parole retea\bluesprtscn.zip/BluesPortScan.exe Infected: not-a-virus:NetTool.Win32.Delf.d skipped
H:\hard vechi E\A\texte\Spart parole retea\bluesprtscn.zip ZIP: infected - 1 skipped
H:\hard vechi E\A\yah\Yahoo-Message-Archive-Decoder-Setup.exe/stream/data0009 Infected: not-a-virus:PSWTool.Win32.Yahoo.e skipped
H:\hard vechi E\A\yah\Yahoo-Message-Archive-Decoder-Setup.exe/stream/data0010 Infected: not-a-virus:PSWTool.Win32.Yahoo.c skipped
H:\hard vechi E\A\yah\Yahoo-Message-Archive-Decoder-Setup.exe/stream Infected: not-a-virus:PSWTool.Win32.Yahoo.c skipped
H:\hard vechi E\A\yah\Yahoo-Message-Archive-Decoder-Setup.exe NSIS: infected - 3 skipped
H:\hard vechi E\cccccc\facultatean4\remote-trial.zip/Master.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.51122 skipped
H:\hard vechi E\cccccc\facultatean4\remote-trial.zip/player.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.2929 skipped
H:\hard vechi E\cccccc\facultatean4\remote-trial.zip/Slave.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.52622 skipped
H:\hard vechi E\cccccc\facultatean4\remote-trial.zip ZIP: infected - 3 skipped
H:\hard vechi E\Desktop\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
H:\hard vechi E\kits\3drnrec.exe Infected: not-a-virus:FraudTool.Win32.SpywareDetector.d skipped
H:\hard vechi E\kits\De vazut parolele de sub asteriscuri\Revelation.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.11 skipped
H:\hard vechi E\kits\De vazut parolele de sub asteriscuri\SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
H:\hard vechi E\kits\De vazut parolele de sub asteriscuri\SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
H:\hard vechi E\kits\De vazut parolele de sub asteriscuri\SetupRevelationV2.exe WiseSFX: infected - 2 skipped
H:\hard vechi E\kits\De vazut parolele de sub asterixuri\SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
H:\hard vechi E\kits\De vazut parolele de sub asterixuri\SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
H:\hard vechi E\kits\De vazut parolele de sub asterixuri\SetupRevelationV2.exe WiseSFX: infected - 2 skipped
H:\hard vechi E\kits\radmin\RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
H:\hard vechi E\kits\radmin\RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
H:\hard vechi E\kits\radmin\RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
H:\hard vechi E\kits\radmin\RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
H:\hard vechi E\kits\radmin\RADMIN21.EXE Gentee: infected - 4 skipped
H:\hard vechi E\kits\radmin22.zip/RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
H:\hard vechi E\kits\radmin22.zip/RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
H:\hard vechi E\kits\radmin22.zip/RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
H:\hard vechi E\kits\radmin22.zip/RADMIN22.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
H:\hard vechi E\kits\radmin22.zip ZIP: infected - 4 skipped
H:\hard vechi E\kits\Vista Transformation Pack 6.0 RC1\Vista Transformation Pack 6.0 RC1.exe/WISE0038.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
H:\hard vechi E\kits\Vista Transformation Pack 6.0 RC1\Vista Transformation Pack 6.0 RC1.exe/WISE0059.BIN/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
H:\hard vechi E\kits\Vista Transformation Pack 6.0 RC1\Vista Transformation Pack 6.0 RC1.exe/WISE0059.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
H:\hard vechi E\kits\Vista Transformation Pack 6.0 RC1\Vista Transformation Pack 6.0 RC1.exe WiseSFX: infected - 3 skipped
H:\hard vechi F\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
H:\hard vechi F\Program Files\utorrent\BSPlayer Pro v2.23.953 + ICU KeyGen\bsplayer_pro223.953.exe Infected: Trojan-Dropper.NSIS.Agent.b skipped
H:\hard vechi F\Program Files\utorrent\Radmin 2.2-3.0\Radmin\Radmin\Radmin 2.2-3.0.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
H:\hard vechi F\Program Files\utorrent\Radmin 2.2-3.0\Radmin\Radmin\Radmin 2.2-3.0.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
H:\hard vechi F\Program Files\utorrent\Radmin 2.2-3.0\Radmin\Radmin\Radmin 2.2-3.0.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
H:\hard vechi F\Program Files\utorrent\Radmin 2.2-3.0\Radmin\Radmin\Radmin 2.2-3.0.EXE Gentee: infected - 3 skipped
H:\kituri\Spytech.SpyAgent.v5.11.04.Winall.Cracked-iNFECTED.ZIP/Spytech.SpyAgent.v5.11.04.Winall.Cracked-iNFECTED/i-sa5101.zip/iNFECTED.rar/Crack.zip/sysdiag.exe Infected: not-a-virus:Monitor.Win32.SpyAgent.j skipped
H:\kituri\Spytech.SpyAgent.v5.11.04.Winall.Cracked-iNFECTED.ZIP/Spytech.SpyAgent.v5.11.04.Winall.Cracked-iNFECTED/i-sa5101.zip/iNFECTED.rar/Crack.zip Infected: not-a-virus:Monitor.Win32.SpyAgent.j skipped
H:\kituri\Spytech.SpyAgent.v5.11.04.Winall.Cracked-iNFECTED.ZIP/Spytech.SpyAgent.v5.11.04.Winall.Cracked-iNFECTED/i-sa5101.zip/iNFECTED.rar Infected: not-a-virus:Monitor.Win32.SpyAgent.j skipped
H:\kituri\Spytech.SpyAgent.v5.11.04.Winall.Cracked-iNFECTED.ZIP/Spytech.SpyAgent.v5.11.04.Winall.Cracked-iNFECTED/i-sa5101.zip Infected: not-a-virus:Monitor.Win32.SpyAgent.j skipped
H:\kituri\Spytech.SpyAgent.v5.11.04.Winall.Cracked-iNFECTED.ZIP ZIP: infected - 4 skipped
H:\Programe\CrackingTools.rar/CrackingTools/CrackingTools.exe/AutoPlay/Docs/ad4.401.installer.zip/ad4.401.installer.exe/file12 Infected: not-a-virus:NetTool.Win32.AccessDiver.4401 skipped
H:\Programe\CrackingTools.rar/CrackingTools/CrackingTools.exe/AutoPlay/Docs/ad4.401.installer.zip/ad4.401.installer.exe Infected: not-a-virus:NetTool.Win32.AccessDiver.4401 skipped
H:\Programe\CrackingTools.rar/CrackingTools/CrackingTools.exe/AutoPlay/Docs/ad4.401.installer.zip Infected: not-a-virus:NetTool.Win32.AccessDiver.4401 skipped
H:\Programe\CrackingTools.rar/CrackingTools/CrackingTools.exe/AutoPlay/Docs/brutus-aet2.zip/BrutusA2.exe Infected: not-a-virus:PSWTool.Win32.Brutus skipped
H:\Programe\CrackingTools.rar/CrackingTools/CrackingTools.exe/AutoPlay/Docs/brutus-aet2.zip Infected: not-a-virus:PSWTool.Win32.Brutus skipped
H:\Programe\CrackingTools.rar/CrackingTools/CrackingTools.exe/AutoPlay/Docs/FACE_Setup.zip/FACE_Setup.exe/Proxynator.exe Infected: HackTool.Win32.Ares.a skipped
H:\Programe\CrackingTools.rar/CrackingTools/CrackingTools.exe/AutoPlay/Docs/FACE_Setup.zip/FACE_Setup.exe/Once is Enough.exe Infected: HackTool.Win32.Ares.a skipped
H:\Programe\CrackingTools.rar/CrackingTools/CrackingTools.exe/AutoPlay/Docs/FACE_Setup.zip/FACE_Setup.exe Infected: HackTool.Win32.Ares.a skipped
H:\Programe\CrackingTools.rar/CrackingTools/CrackingTools.exe/AutoPlay/Docs/FACE_Setup.zip Infected: HackTool.Win32.Ares.a skipped
H:\Programe\CrackingTools.rar/CrackingTools/CrackingTools.exe Infected: HackTool.Win32.Ares.a skipped
H:\Programe\CrackingTools.rar RAR: infected - 10 skipped
H:\Programe\Ricks_CapOCR1.7.8.10_AddOn_71118.rar/CapOCR.cab/dialupass.exe Infected: not-a-virus:PSWTool.Win32.Dialupass.an skipped
H:\Programe\Ricks_CapOCR1.7.8.10_AddOn_71118.rar/CapOCR.cab Infected: not-a-virus:PSWTool.Win32.Dialupass.an skipped
H:\Programe\Ricks_CapOCR1.7.8.10_AddOn_71118.rar RAR: infected - 2 skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\GAMES KIT\Clive.Barkers.Jericho.PROPER.CRACK.ONLY-ViTALiTY\vty-0113.rar/ViTALiTY/Jericho.exe/data0001 Infected: Backdoor.Win32.Hupigon.uzg skipped
I:\GAMES KIT\Clive.Barkers.Jericho.PROPER.CRACK.ONLY-ViTALiTY\vty-0113.rar/ViTALiTY/Jericho.exe Infected: Backdoor.Win32.Hupigon.uzg skipped
I:\GAMES KIT\Clive.Barkers.Jericho.PROPER.CRACK.ONLY-ViTALiTY\vty-0113.rar RAR: infected - 2 skipped
I:\softarchive\Adobe PhotoShop CS3 Lite\Adobe PhotoShop CS3 Lite.rar/Adobe PhotoShop CS3 Lite/Adobe PhotoShop CS3 Lite.exe/data0000.cab/is152177.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
I:\softarchive\Adobe PhotoShop CS3 Lite\Adobe PhotoShop CS3 Lite.rar/Adobe PhotoShop CS3 Lite/Adobe PhotoShop CS3 Lite.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
I:\softarchive\Adobe PhotoShop CS3 Lite\Adobe PhotoShop CS3 Lite.rar/Adobe PhotoShop CS3 Lite/Adobe PhotoShop CS3 Lite.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
I:\softarchive\Adobe PhotoShop CS3 Lite\Adobe PhotoShop CS3 Lite.rar RAR: infected - 3 skipped
I:\softarchive\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip/HTG.rar/Setup.exe/stream/data0005 Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
I:\softarchive\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip/HTG.rar/Setup.exe/stream/data0007 Infected: not-a-virus:Monitor.Win32.Ardamax.o skipped
I:\softarchive\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip/HTG.rar/Setup.exe/stream/data0009 Infected: Trojan-Spy.Win32.Ardamax.n skipped
I:\softarchive\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip/HTG.rar/Setup.exe/stream/data0010 Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
I:\softarchive\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip/HTG.rar/Setup.exe/stream Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
I:\softarchive\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip/HTG.rar/Setup.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
I:\softarchive\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip/HTG.rar Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
I:\softarchive\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip ZIP: infected - 7 skipped
I:\softarchive\Programe\proxyi.exe Infected: not-a-virus:Server-Proxy.Win32.AnalogX.414 skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\www.softarchive.net_ESET_NOD32_Antivirus_Home_Edition_3.0.650.rar/ESET NOD32 Antivirus Home Edition (32-bit)3.0.650/Nologin/NodLogin8.0/setup.exe/script.au3 Infected: Trojan.Win32.KillAV.rx skipped
I:\www.softarchive.net_ESET_NOD32_Antivirus_Home_Edition_3.0.650.rar/ESET NOD32 Antivirus Home Edition (32-bit)3.0.650/Nologin/NodLogin8.0/setup.exe Infected: Trojan.Win32.KillAV.rx skipped
I:\www.softarchive.net_ESET_NOD32_Antivirus_Home_Edition_3.0.650.rar RAR: infected - 2 skipped
J:\browse\amalgam\CryptLoadSetup.rar/CryptLoadSetup.exe/data0045 Infected: Trojan.MSIL.Dedem.z skipped
J:\browse\amalgam\CryptLoadSetup.rar/CryptLoadSetup.exe/data0049 Infected: Trojan.MSIL.Dedem.z skipped
J:\browse\amalgam\CryptLoadSetup.rar/CryptLoadSetup.exe/data0051 Infected: Trojan.MSIL.Dedem.aa skipped
J:\browse\amalgam\CryptLoadSetup.rar/CryptLoadSetup.exe/data0068 Infected: Trojan.MSIL.Dedem.u skipped
J:\browse\amalgam\CryptLoadSetup.rar/CryptLoadSetup.exe/data0069 Infected: Trojan.MSIL.Dedem.v skipped
J:\browse\amalgam\CryptLoadSetup.rar/CryptLoadSetup.exe/data0083 Infected: Trojan.MSIL.Dedem.y skipped
J:\browse\amalgam\CryptLoadSetup.rar/CryptLoadSetup.exe/data0097 Infected: Trojan.MSIL.Dedem.t skipped
J:\browse\amalgam\CryptLoadSetup.rar/CryptLoadSetup.exe/data0098 Infected: Trojan.MSIL.Dedem.ad skipped
J:\browse\amalgam\CryptLoadSetup.rar/CryptLoadSetup.exe/data0100 Infected: Trojan.MSIL.Dedem.w skipped
J:\browse\amalgam\CryptLoadSetup.rar/CryptLoadSetup.exe/data0110 Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
J:\browse\amalgam\CryptLoadSetup.rar/CryptLoadSetup.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
J:\browse\amalgam\CryptLoadSetup.rar RAR: infected - 11 skipped
J:\browse\BooksBooks\CryptLoadSetup_new.rar/CryptLoadSetup.exe/data0045 Infected: Trojan.MSIL.Dedem.z skipped
J:\browse\BooksBooks\CryptLoadSetup_new.rar/CryptLoadSetup.exe/data0049 Infected: Trojan.MSIL.Dedem.z skipped
J:\browse\BooksBooks\CryptLoadSetup_new.rar/CryptLoadSetup.exe/data0051 Infected: Trojan.MSIL.Dedem.aa skipped
J:\browse\BooksBooks\CryptLoadSetup_new.rar/CryptLoadSetup.exe/data0068 Infected: Trojan.MSIL.Dedem.u skipped
J:\browse\BooksBooks\CryptLoadSetup_new.rar/CryptLoadSetup.exe/data0069 Infected: Trojan.MSIL.Dedem.v skipped
J:\browse\BooksBooks\CryptLoadSetup_new.rar/CryptLoadSetup.exe/data0083 Infected: Trojan.MSIL.Dedem.y skipped
J:\browse\BooksBooks\CryptLoadSetup_new.rar/CryptLoadSetup.exe/data0097 Infected: Trojan.MSIL.Dedem.t skipped
J:\browse\BooksBooks\CryptLoadSetup_new.rar/CryptLoadSetup.exe/data0098 Infected: Trojan.MSIL.Dedem.ad skipped
J:\browse\BooksBooks\CryptLoadSetup_new.rar/CryptLoadSetup.exe/data0100 Infected: Trojan.MSIL.Dedem.w skipped
J:\browse\BooksBooks\CryptLoadSetup_new.rar/CryptLoadSetup.exe/data0110 Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
J:\browse\BooksBooks\CryptLoadSetup_new.rar/CryptLoadSetup.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
J:\browse\BooksBooks\CryptLoadSetup_new.rar RAR: infected - 11 skipped
J:\browse\Programe\bearshare_accelerator_free.exe/file10 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
J:\browse\Programe\bearshare_accelerator_free.exe Inno: infected - 1 skipped
J:\browse\Programe\Download_apex-video-converter-pro635.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
J:\browse\Programe\Ricks_AntiCaptcha3.6.8_AddOn_71119.rar/AntiCap.cab/dialupass.exe Infected: not-a-virus:PSWTool.Win32.Dialupass.an skipped
J:\browse\Programe\Ricks_AntiCaptcha3.6.8_AddOn_71119.rar/AntiCap.cab Infected: not-a-virus:PSWTool.Win32.Dialupass.an skipped
J:\browse\Programe\Ricks_AntiCaptcha3.6.8_AddOn_71119.rar RAR: infected - 2 skipped
J:\browse\Programe\Ricks_CapOCR1.7.8.10_AddOn_71118\CapOCR.cab/dialupass.exe Infected: not-a-virus:PSWTool.Win32.Dialupass.an skipped
J:\browse\Programe\Ricks_CapOCR1.7.8.10_AddOn_71118\CapOCR.cab CAB: infected - 1 skipped
J:\kituri\ariskkey.exe/data0009 Infected: not-a-virus:PSWTool.Win32.Aster.55 skipped
J:\kituri\ariskkey.exe/data0011 Infected: not-a-virus:PSWTool.Win32.Aster.55 skipped
J:\kituri\ariskkey.exe NSIS: infected - 2 skipped
J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
  • 0

#2
Tal

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hello justme22, welcome to GeeksToGo! :)

My name is Tal, and I will be assisting you in the process of removing malware from your computer. I am going through your logs now, and I'll be back soon with instructions on how to proceed.

As I'm still in training, my replies to you have to be approved before posting, so please excuse delays between replies.

Tal.

Edited by Tal, 29 April 2008 - 07:36 AM.

  • 0

#3
Tal

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hello Justme22,

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:
  • Please don't be afraid to ask questions! :) No question is considered dumb here. It's better to be safe than sorry!
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you witness a certain entry or program you're unsure about, please don't hesitate to ask! :)

And i have to many process services svchost.exe opened when i am connected to the internet.

This is normal, since you have a lot of services active. If you want to make your PC faster, let me know and we can trim some of these services and remove unnecessary startups.

Let's disable SpyBot & PrevX temporarily as they can hinder the fix. Don't forget to re-enable them once we're done.

Disabling Spybot S&D (Teatimer)

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left-hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Disabling Prevx Realtime Protection

1. Right-click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose Show Management Console.
2. On the Management Console click the Protection Level drop-down menu. You will see three levels:

Maximum
Off
User Defined

3. To disable all protection set the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.
4. Click the X on the upper right hand corner to exit the Management console.

Step 1: Correcting entries with HijackThis

Please re-open HijackThis and click Scan. Put a check next to the following entries presented in the window: (Do NOT click Fix yet!)
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')


Now, close all other windows but HijackThis, including Explorer windows (folders) and this window, and click Fix. Note: It is vital you close all other windows, otherwise the fix will not succeed.

Restart your computer...

Step 2: Deleting files with OTMoveIt

Please download OTMoveIt2 by OldTimer. Please note: if you already have OTMoveIt on your system, please replace it with this newer version.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    D:\Windows\system32\tscupgrd.exe
    
    C:\Documents and Settings\STORM\Local Settings\Application Data\Mozilla\Firefox\Profiles\9kcjhb2q.default\Cache\6AB69769d01
    C:\Documents and Settings\STORM\Local Settings\Temp\DGlrtmvU.exe.part
    C:\Documents and Settings\STORM\Local Settings\Temp\ProduKey.exe
    C:\Documents and Settings\STORM\Local Settings\Temp\WirelessKeyView.exe
    C:\patcha.rar
    D:\c\utorrent\Avira AntiVir Premium v8.1.00.331 + NEW KEYS\Avira AntiVir Premium v8.1.00.331 + NEW KEYS\antivir_workstation_winu_en_hp.exe
    D:\c\utorrent\Avira AntiVir Premium v8.1.00.331 + NEW KEYS.rar
    D:\Documents and Settings\STORM\Local Settings\Temp\ProduKey.exe
    D:\Documents and Settings\STORM\Local Settings\Temp\WirelessKeyView.exe
    D:\patcha.rar
    F:\torent\Total_Commander_Ultima_Prime_v3.4_Key_Incl -H5N1\Setup\tcup34.exe
    H:\hard vechi D\downloads\software\download deskwallp\bikini8aa.exe
    H:\hard vechi D\downloads\software\download deskwallp\fireworksaa.exe
    H:\hard vechi D\downloads\software\download deskwallp\VirtuaGirls_2_12.exe
    H:\hard vechi D\kits\ccproxysetup.exe
    H:\hard vechi D\kits\Yahoo-Message-Archive-Decoder-Setup-4.0.exe
    H:\hard vechi E\A\programe\IP scan.exe
    H:\hard vechi E\A\programe\jhoos_setup.exe
    H:\hard vechi E\A\texte\Spart parole retea\bluesprtscn.zip
    H:\hard vechi E\A\yah\Yahoo-Message-Archive-Decoder-Setup.exe
    H:\hard vechi E\Desktop\ipscan.exe
    H:\hard vechi E\kits\3drnrec.exe
    H:\hard vechi E\kits\De vazut parolele de sub asteriscuri\Revelation.exe
    H:\hard vechi E\kits\De vazut parolele de sub asteriscuri\SetupRevelationV2.exe
    H:\hard vechi E\kits\De vazut parolele de sub asterixuri\SetupRevelationV2.exe
    H:\hard vechi F\ipscan.exe
    H:\hard vechi F\Program Files\utorrent\BSPlayer Pro v2.23.953 + ICU KeyGen\bsplayer_pro223.953.exe
    H:\kituri\Spytech.SpyAgent.v5.11.04.Winall.Cracked-iNFECTED.ZIP
    H:\Programe\CrackingTools.rar
    H:\Programe\Ricks_CapOCR1.7.8.10_AddOn_71118.rar
    I:\GAMES KIT\Clive.Barkers.Jericho.PROPER.CRACK.ONLY-ViTALiTY\vty-0113.rar
    I:\softarchive\Adobe PhotoShop CS3 Lite\Adobe PhotoShop CS3 Lite.rar
    I:\softarchive\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip
    I:\softarchive\Programe\proxyi.exe
    I:\www.softarchive.net_ESET_NOD32_Antivirus_Home_Edition_3.0.650.rar
    J:\browse\amalgam\CryptLoadSetup.rar
    J:\browse\BooksBooks\CryptLoadSetup_new.rar
    J:\browse\Programe\bearshare_accelerator_free.exe
    J:\browse\Programe\Download_apex-video-converter-pro635.exe
    J:\browse\Programe\Ricks_AntiCaptcha3.6.8_AddOn_71119.rar
    J:\browse\Programe\Ricks_CapOCR1.7.8.10_AddOn_71118\CapOCR.cab
    J:\kituri\ariskkey.exe
    H:\Programe\CrackingTools.rar/CrackingTools/CrackingTools.exe
    H:\kituri\Spytech.SpyAgent.v5.11.04.Winall.Cracked-iNFECTED.ZIP
    J:\kituri\ariskkey.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step 3: Batch fix to remove unneeded services


Please open a new notepad file in a convenient location, such as on your desktop. Paste the following code into it:
sc stop liveupdate
sc delete liveupdate

Now please click File > Save As... > Name the file BatchFix1.bat > Change the filetype setting to All Files > Hit Save. Now locate the file and double click it - a black window will appear on the screen for a moment then disappear - this is normal.

Step 4: Removing antivirus and antispyware programs

You have two antivirus products installed: Prevx and AntiVir. This is not a good idea, since this will cause system slowdowns and worse detection rates. Please uninstall one of them (it's up to you which one to choose). Also you have AVG Anti-Spyware, SUPERAntiSpyware and Ad-Aware 2007 installed. Please remove two of them so that you are left with only 1 active.

Please include a new HijackThis log in your next reply.
  • 0
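The scanner log quoted earlier in this thread (the "path Infected: verdict skipped" lines, with archive members written after the container using "/") is what the OTMoveIt2 list in Step 2 was built from: every nested hit collapses to the outermost file on disk, and that file is what gets moved. The script below is an added example written for this thread; it is not code from Kaspersky, HijackThis or OTMoveIt2, and the line formats, the "not-a-virus:" prefix rule and the assumption that no Windows path itself contains a "/" are assumptions stated in the comments. It parses a constructed sample shaped after the thread's log, separates dual-use "not-a-virus" tools from real malware verdicts, produces the sorted move list, and checks that each archive's "infected - N" summary agrees with the member lines above it, which is how a helper can tell that a pasted log was truncated.

```python
"""Summarize an on-demand scanner log of the kind quoted in this thread and
derive the list of on-disk files a cleanup tool would be asked to move.

Added example; not code from Kaspersky, HijackThis or OTMoveIt2. Assumed formats:
  <path> Infected: <verdict> skipped               one detection
  <path> <ArchiveType>: infected - <N> skipped      container summary
  <path> Object is locked skipped                  unscannable, ignored
Archive members follow the container after '/', while the Windows path itself
uses backslashes, so the first '/' ends the on-disk file name (assumption).
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) skipped$")

# Constructed sample, shaped after the log posted in this thread (paths shortened).
SAMPLE_LOG = r"""
H:\hard vechi E\kits\radmin\RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
H:\hard vechi E\kits\radmin\RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
H:\hard vechi E\kits\radmin\RADMIN21.EXE Gentee: infected - 2 skipped
H:\hard vechi F\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
I:\GAMES KIT\vty-0113.rar/ViTALiTY/Jericho.exe/data0001 Infected: Backdoor.Win32.Hupigon.uzg skipped
I:\GAMES KIT\vty-0113.rar/ViTALiTY/Jericho.exe Infected: Backdoor.Win32.Hupigon.uzg skipped
I:\GAMES KIT\vty-0113.rar RAR: infected - 2 skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
"""

# Constructed: a paste that lost one member line, so the summary count is off.
TRUNCATED_LOG = r"""
X:\a.zip/b.exe Infected: Trojan.Win32.Constructed.a skipped
X:\a.zip ZIP: infected - 2 skipped
"""


class Detection(NamedTuple):
    path: str       # full path as the scanner wrote it, members after '/'
    container: str  # outermost file on disk, the thing that gets moved
    verdict: str    # scanner name, e.g. Backdoor.Win32.Hupigon.uzg


def outer_file(path: str) -> str:
    """Collapse 'archive.rar/dir/member.exe/data0001' to 'archive.rar'."""
    return path.split("/", 1)[0]


def is_riskware(verdict: str) -> bool:
    """'not-a-virus:' marks dual-use tools (remote admin, password revealers,
    port scanners); anything else is a real malware verdict."""
    return verdict.startswith("not-a-virus:")


def parse_scan_log(text: str) -> List[Detection]:
    found: List[Detection] = []
    for raw in text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if m:  # container summaries and locked objects are not detections
            found.append(Detection(m["path"], outer_file(m["path"]), m["verdict"]))
    return found


def group_by_container(dets: List[Detection]) -> Dict[str, Set[str]]:
    """Map each on-disk file to the verdicts found in it or its members."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for d in dets:
        groups[d.container].add(d.verdict)
    return dict(groups)


def move_list(dets: List[Detection], include_riskware: bool = True) -> List[str]:
    """Sorted files to hand to a move/delete tool. With include_riskware=False,
    files whose only hits are not-a-virus tools are left in place."""
    keep = []
    for container, verdicts in group_by_container(dets).items():
        if include_riskware or not all(is_riskware(v) for v in verdicts):
            keep.append(container)
    return sorted(keep)


def check_container_counts(text: str) -> List[str]:
    """Containers whose 'infected - N' summary disagrees with the number of
    member detection lines above it; a mismatch points to a truncated paste."""
    seen: Dict[str, int] = defaultdict(int)
    bad: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECTION_RE.match(line)
        if m:
            seen[outer_file(m["path"])] += 1
            continue
        m = CONTAINER_RE.match(line)
        if m and seen[m["path"]] != int(m["count"]):
            bad.append(m["path"])
    return bad


if __name__ == "__main__":
    dets = parse_scan_log(SAMPLE_LOG)
    for container, verdicts in group_by_container(dets).items():
        label = "riskware" if all(is_riskware(v) for v in verdicts) else "MALWARE"
        print(f"{label:8} {container}  <- {', '.join(sorted(verdicts))}")
    print("move list (malware only):", move_list(dets, include_riskware=False))
    print("count mismatches in truncated paste:", check_container_counts(TRUNCATED_LOG))
```

Run it as a script to see the grouped summary; the riskware split matters because the helper in this thread had to decide case by case whether a not-a-virus tool was something the owner installed on purpose, while an archive carrying a Backdoor verdict goes straight onto the move list.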

#4
justme22

justme22

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hello. Thanks for helping me. I did everything you said.
"If you want to make your PC faster, let me know and we can trim some of these services and remove unnecessary startups." Yes, I want that.
I had an error with OTMoveIt. When it got to move H:\Programe\CrackingTools.rar/CrackingTools/CrackingTools.exe it said "invalid time flag (CrackingTools.exe) must be numerical", so my log is a little thin because it didn't log the files moved before CrackingTools. Some files I had already moved into an "infected" folder before your reply. What antivirus do you use? What are those vulnerabilities (61) that Panda says? With Panda I can't scan the whole computer because when it gets to partition H it freezes. I forgot to tell you I have another problem: when my computer starts, the sound volume icon in the taskbar is missing, and if I connect to the internet the internet icon appears only after I tick "place volume icon in taskbar" in Control Panel, but after a restart I must do this again!!!

File/Folder H:\kituri\Spytech.SpyAgent.v5.11.04.Winall.Cracked-iNFECTED.ZIP not found.
File/Folder J:\kituri\ariskkey.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04302008_213609

File/Folder D:\c\infected\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip not found.
D:\c\infected\BSPlayer Pro v2.23.953 + ICU KeyGen\bsplayer_pro223.953.exe moved successfully.
File move failed. D:\c\infected\CryptLoadSetup.rar scheduled to be moved on reboot.
D:\c\infected\CryptLoadSetup_new.rar moved successfully.
D:\c\infected\nu\ccproxysetup.exe moved successfully.
D:\c\infected\Total_Commander_Ultima_Prime_v3.4_Key_Incl -H5N1\Setup\tcup34.exe moved successfully.
D:\c\infected\Vista Transformation Pack 6.0 RC1\Vista Transformation Pack 6.0 RC1.exe moved successfully.
D:\c\infected\www.softarchive.net_ESET_NOD32_Antivirus_Home_Edition_3.0.650.rar moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04302008_223234

Files moved on Reboot...
D:\c\infected\CryptLoadSetup.rar moved successfully.
D:\c\infected\CrackingTools.rar moved successfully.
D:\c\infected\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04302008_224612

Avira AntiVir Premium
Report file date: Wednesday, April 30, 2008 21:54
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'OTMoveIt2.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'IEMonitor.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
Scan process 'Ymsgr_tray.exe' - '1' Module(s) have been scanned
Scan process 'Traymon.exe' - '1' Module(s) have been scanned
Scan process 'osd.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'IDMan.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
D:\WINDOWS\
Scan process 'soundman.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'MMKeybd.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'avwebgrd.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nisvcloc.exe' - '1' Module(s) have been scanned
Scan process 'nidmsrv.exe' - '1' Module(s) have been scanned
Scan process 'mysqld-max-nt.exe' - '1' Module(s) have been scanned
Scan process 'lktsrv.exe' - '1' Module(s) have been scanned
Scan process 'lkads.exe' - '1' Module(s) have been scanned
Scan process 'lkcitdl.exe' - '1' Module(s) have been scanned
Scan process 'avesvc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'nhksrv.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
44 processes with 44 modules were scanned

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:32 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
D:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
D:\WINDOWS\system32\lkcitdl.exe
D:\WINDOWS\system32\lkads.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\lktsrv.exe
D:\mysql\bin\mysqld-max-nt.exe
D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
D:\WINDOWS\system32\nisvcloc.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
D:\WINDOWS\Explorer.EXE
D:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Internet Download Manager\IDMan.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Netropa\Onscreen Display\osd.exe
D:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
D:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
D:\Program Files\Internet Download Manager\IEMonitor.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] D:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [IDMan] D:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Netropa® Onscreen Display] D:\Program Files\Netropa\Onscreen Display\osd.exe
O8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Download with USDownloader - D:\Program Files\Universal Share Downloader\Ext\downloadie.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: d:\program files\ocean technology\gg e-sports platform\gfilter.dll
O10 - Unknown file in Winsock LSP: d:\program files\ocean technology\gg e-sports platform\gfilter.dll
O10 - Unknown file in Winsock LSP: d:\program files\ocean technology\gg e-sports platform\gfilter.dll
O15 - Trusted Zone: http://www.bitdefender.com
O15 - Trusted Zone: http://www.kaspersky.com
O15 - Trusted Zone: http://www.pandasecurity.com
O15 - Trusted Zone: http://www.windowsmarketplace.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...wlscbase370.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/...x/AVCheckUp.ocx
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EFA2AB1-05D8-4A3F-8119-22D376949424}: NameServer = 86.127.210.178 86.127.210.178
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Manager Google Desktop 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - D:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - D:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - D:\WINDOWS\system32\lktsrv.exe
O23 - Service: Flexlm (lmgrd) - National Instruments, Inc. - (no file)
O23 - Service: MySql - Unknown owner - D:/mysql/bin/mysqld-max-nt.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - D:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - D:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - D:\WINDOWS\system32\nisvcloc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - D:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9157 bytes

Panda online scan, partitions C and D
;*******************************************************************************
ANALYSIS: 2008-04-30 20:32:23
PROTECTIONS: 1
MALWARE: 36
SUSPECTS: 1
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Avira AntiVir PersonalEdition 8.0.1.15 No Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00040297 adware/blazefind Adware No 0 Yes No d:\windows\system32\wsaupdater.exe
00100400 Application/Brutus.A HackTools No 0 No No D:\c\infected\CrackingTools.rar[CrackingTools\CrackingTools.exe][AutoPlay/Docs/brutus-aet2.zip][BrutusA2.exe]
00139535 Application/Processor HackTools No 0 No No D:\Documents and Settings\STORM\Desktop\SDFix_2.exe[SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 No No D:\Documents and Settings\STORM\Desktop\SDFix.exe[SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 No No D:\Documents and Settings\STORM\Desktop\VirtumundoBeGone.exe[²ƒÇ]
00139535 Application/Processor HackTools No 0 Yes No D:\Documents and Settings\STORM\Desktop\l2mfix\Process.exe
00139535 Application/Processor HackTools No 0 Yes No D:\Documents and Settings\STORM\Desktop\process203.zip[Process.exe]
00139535 Application/Processor HackTools No 0 Yes No D:\Documents and Settings\STORM\Desktop\l2mfix.exe[l2mfix/Process.exe]
00139535 Application/Processor HackTools No 0 Yes No D:\WINDOWS\system32\Process.exe
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.247realmedia.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.tribalfusion.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Cookies\[email protected][1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies-1.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.com.com/]
00167647 Cookie/Yadro TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.yadro.ru/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.xiti.com/]
00167749 Cookie/Toplist TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.toplist.cz/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.bs.serving-sys.com/]
00168109 Cookie/Adtech TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.adtech.de/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[server.iad.liveperson.net/hc/85787926]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[server.iad.liveperson.net/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[server.iad.liveperson.net/hc/27059876]
00168116 Cookie/Comclick TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[fl01.ct2.comclick.com/]
00168116 Cookie/Comclick TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[fl01.ct2.comclick.com/]
00168116 Cookie/Comclick TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[fl01.ct2.comclick.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.ads.pointroll.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.questionmarket.com/]
00185663 HackTool/NetCat.A HackTools No 0 No No D:\c\infected\CryptLoadSetup.rar[CryptLoadSetup.exe][nc.exe]
00185663 HackTool/NetCat.A HackTools No 0 No No D:\c\infected\CryptLoadSetup_new.rar[CryptLoadSetup.exe][nc.exe]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies-1.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies-1.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies-1.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies-1.txt[.adultfriendfinder.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.atwola.com/]
00519333 Application/Processor HackTools No 0 Yes No D:\Documents and Settings\STORM\Desktop\VirtumundoBeGone.exe
00833684 Generic Trojan Virus/Trojan No 0 No No D:\c\infected\CrackingTools.rar[CrackingTools\CrackingTools.exe][AutoPlay/Docs/FACE_Setup.zip][FACE_Setup.exe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No D:\c\utorrent\moz\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No D:\c\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01185375 Application/Psexec.A HackTools No 0 Yes No D:\Documents and Settings\STORM\DoctorWeb\Quarantine\PSEXESVC.EXE
01426024 Generic Malware Virus/Trojan No 0 Yes No D:\Documents and Settings\STORM\Desktop\l2mfix.exe
01606636 Cookie/Adserver TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.adserver.easyad.info/]
02004248 Generic Malware Virus/Trojan No 0 No No D:\c\infected\CrackingTools.rar[CrackingTools\CrackingTools.exe][AutoPlay/Docs/ad4.401.installer.zip][ad4.401.installer.exe]
02055696 Trj/Downloader.MDW Virus/Trojan No 1 No No D:\c\infected\Total_Commander_Ultima_Prime_v3.4_Key_Incl -H5N1\Setup\tcup34.exe[Windows_Commander_FTP_Password_RIPPER.exe]
02894628 Application/Ardamax HackTools No 0 No No D:\c\infected\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip[HTG.rar][Setup.exe]
02894631 Application/Ardamax HackTools No 0 No No D:\c\infected\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip[HTG.rar][Setup.exe][AKV.exe]
02894636 Application/Ardamax HackTools No 0 No No D:\c\infected\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip[HTG.rar][Setup.exe][HTV.exe]
02894644 Application/Ardamax HackTools No 0 No No D:\c\infected\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip[HTG.rar][Setup.exe][HTV.003]
02894645 Application/Ardamax HackTools No 0 No No D:\c\infected\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip[HTG.rar][Setup.exe][HTV.004]
02894646 Application/Ardamax HackTools No 0 No No D:\c\infected\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip[HTG.rar][Setup.exe][HTV.006]
02894647 Application/Ardamax HackTools No 0 No No D:\c\infected\Ardamax.Keylogger.v2.9.Incl.Keygen-HERiTAGE\htgaec9k.zip[HTG.rar][Setup.exe][HTV.007]
02908613 Application/ProduKey HackTools No 0 Yes No D:\Documents and Settings\STORM\Local Settings\Temp\ProduKey.exe
02908613 Application/ProduKey HackTools No 0 Yes No C:\Documents and Settings\STORM\Local Settings\Temp\ProduKey.exe
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
No D:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IDMAN.EXE
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
184380 MEDIUM MS08-002
184379 MEDIUM MS08-001
182048 HIGH MS07-069
182046 HIGH MS07-067
182043 HIGH MS07-064
179553 HIGH MS07-061
176382 HIGH MS07-057
176383 HIGH MS07-058
170911 HIGH MS07-050
170907 HIGH MS07-046
170906 HIGH MS07-045
170904 HIGH MS07-043
164915 HIGH MS07-035
164913 HIGH MS07-033
164911 HIGH MS07-031
160623 HIGH MS07-027
157262 HIGH MS07-022
157261 HIGH MS07-021
157260 HIGH MS07-020
157259 HIGH MS07-019
156477 HIGH MS07-017
150253 HIGH MS07-016
150249 HIGH MS07-013
150248 HIGH MS07-012
150247 HIGH MS07-011
150243 HIGH MS07-008
150242 HIGH MS07-007
150241 MEDIUM MS07-006
145501 HIGH MS07-004
141034 HIGH MS06-076
141033 MEDIUM MS06-075
137571 HIGH MS06-070
133387 MEDIUM MS06-065
133386 MEDIUM MS06-064
133385 MEDIUM MS06-063
133379 HIGH MS06-057
129977 MEDIUM MS06-053
129976 MEDIUM MS06-052
126093 HIGH MS06-051
126092 MEDIUM MS06-050
126087 HIGH MS06-046
126086 MEDIUM MS06-045
126082 HIGH MS06-041
126081 HIGH MS06-040
123421 HIGH MS06-036

Edited by justme22, 30 April 2008 - 03:40 PM.

  • 0
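The Panda report above has a fixed column order (Id Description Type Active Severity Disinfectable Disinfected Location) in which only Description and Location can contain spaces, so it can be parsed without any Panda tooling. The script below is an added example for this thread, not Panda's code and not something anyone here posted: it reads a constructed subset of the rows above, separates tracking cookies and hits nested inside archives or installers from files that sit directly on disk, treats hits inside the removal tools that appear in this thread (SDFix, l2mfix, VirtumundoBeGone, ComboFix) as components of those tools (an assumption of the example, not a Panda verdict), lists the rows Panda marked active or gave a severity above 0, and summarises the VULNERABILITIES table, whose Description column holds Microsoft security bulletin IDs, by severity and by oldest and newest bulletin.

```python
"""Triage a Panda ActiveScan text report.

Added example for this thread; it is not Panda's code. The sample rows are
copied from the report posted above. Treating SDFix, l2mfix, VirtumundoBeGone
and ComboFix hits as components of those removal tools is this example's
assumption.
"""
import re
from collections import Counter

# Constructed sample: one row of each kind from the report above, plus the
# SUSPECTS and VULNERABILITIES tables.
SAMPLE_REPORT = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
00040297 adware/blazefind Adware No 0 Yes No d:\windows\system32\wsaupdater.exe
00100400 Application/Brutus.A HackTools No 0 No No D:\c\infected\CrackingTools.rar[CrackingTools\CrackingTools.exe][AutoPlay/Docs/brutus-aet2.zip][BrutusA2.exe]
00139535 Application/Processor HackTools No 0 No No D:\Documents and Settings\STORM\Desktop\SDFix.exe[SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 Yes No D:\WINDOWS\system32\Process.exe
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No D:\Documents and Settings\STORM\Application Data\Mozilla\Firefox\Profiles\0vfsjgbn.default\cookies.txt[.247realmedia.com/]
00833684 Generic Trojan Virus/Trojan No 0 No No D:\c\infected\CrackingTools.rar[CrackingTools\CrackingTools.exe][AutoPlay/Docs/FACE_Setup.zip][FACE_Setup.exe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01426024 Generic Malware Virus/Trojan No 0 Yes No D:\Documents and Settings\STORM\Desktop\l2mfix.exe
02055696 Trj/Downloader.MDW Virus/Trojan No 1 No No D:\c\infected\Total_Commander_Ultima_Prime_v3.4_Key_Incl -H5N1\Setup\tcup34.exe[Windows_Commander_FTP_Password_RIPPER.exe]
02908613 Application/ProduKey HackTools No 0 Yes No C:\Documents and Settings\STORM\Local Settings\Temp\ProduKey.exe
SUSPECTS
Sent Location
No D:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IDMAN.EXE
VULNERABILITIES
Id Severity Description
184380 MEDIUM MS08-002
182048 HIGH MS07-069
141034 HIGH MS06-076
123421 HIGH MS06-036
"""

# Only Description and Location may contain spaces; every other column is a
# single token, so a non-greedy description followed by fixed-shape columns
# parses a row unambiguously.
ROW_RE = re.compile(
    r"^(?P<id>\d{8}) (?P<desc>.+?) (?P<type>\S+) (?P<active>Yes|No) (?P<sev>\d+) "
    r"(?P<disinfectable>Yes|No) (?P<disinfected>Yes|No) (?P<location>.+)$")
VULN_RE = re.compile(r"^(?P<id>\d+) (?P<sev>HIGH|MEDIUM|LOW) (?P<bulletin>MS\d\d-\d{3})$")

REMOVAL_TOOLS = ("sdfix", "l2mfix", "virtumundobegone", "combofix")  # assumption, see above


def parse_report(text):
    """Return (malware rows, vulnerability rows) as lists of dicts."""
    rows, vulns = [], []
    for line in text.splitlines():
        if (m := ROW_RE.match(line)):
            rows.append(m.groupdict())
        elif (m := VULN_RE.match(line)):
            vulns.append(m.groupdict())
    return rows, vulns


def classify(row):
    """Bucket a detection by where it physically is."""
    if row["type"] == "TrackingCookie":
        return "cookie"
    loc = row["location"]
    # The part before the first '[' is the file on disk; each '[...]' segment is
    # a member of that archive or installer, nested as Panda unpacked them.
    outer = loc.split("[", 1)[0]
    base = outer.rsplit("\\", 1)[-1].lower()
    if any(tool in base for tool in REMOVAL_TOOLS):
        return "removal-tool bundle"
    if "[" in loc:
        return "nested in container"
    return "on disk"


def triage(rows):
    buckets = {}
    for r in rows:
        buckets.setdefault(classify(r), []).append(r)
    return buckets


def on_disk_paths(rows):
    """Files that exist as-is on disk: the short list to examine first."""
    return sorted(r["location"] for r in rows if classify(r) == "on disk")


def priority(rows):
    """Rows Panda itself flagged: active at scan time, or severity above 0."""
    return [r for r in rows if r["active"] == "Yes" or int(r["sev"]) > 0]


def vulnerability_summary(vulns):
    """Missing Microsoft bulletins by severity, with the oldest and newest;
    the MSyy-nnn form sorts chronologically as a plain string."""
    ids = sorted(v["bulletin"] for v in vulns)
    return {"by_severity": Counter(v["sev"] for v in vulns),
            "oldest": ids[0] if ids else None,
            "newest": ids[-1] if ids else None}


if __name__ == "__main__":
    rows, vulns = parse_report(SAMPLE_REPORT)
    for bucket, items in triage(rows).items():
        print(f"{bucket}: {len(items)}")
    for r in priority(rows):
        print("PRIORITY", r["desc"], r["location"])
    print(vulnerability_summary(vulns))
```

To run it over the full report, pass the saved report text to parse_report instead of SAMPLE_REPORT. The on-disk bucket is the short list to look at first; a member of an archive or installer only matters when that container is opened or run, and cookie rows are cleared from the browser. The newest bulletin in the summary shows roughly how far behind Windows Update the machine is, which Windows Update itself will confirm.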

#5
Tal

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hi justme22,

Yes I want that.

OK, but you'll need to tell me which programs you need to run on startup (when the PC boots up) and which you don't. Remember you can always start them up when you need them; most programs don't need to run on startup.

Lookout Citadel Server - National Instruments, Inc.
National Instruments PSP Server Locator - National Instruments, Inc.
National Instruments Time Synchronization - National Instruments, Inc.
MySql
Netropa NHK Server
National Instruments Domain Service
NILM License Manager
NI Service Locator - National Instruments Corp.

And the following programs:
  • Yahoo! Pager
  • Internet Download Manager
  • Onscreen Display
  • Google Desktop


  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    H:\hard vechi F\Program Files\utorrent\BSPlayer Pro v2.23.953 + ICU KeyGen\bsplayer_pro223.953.exe
    H:\Programe\CrackingTools.rar
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please include a new HijackThis log in your next reply along with the information I asked for.

Tal
  • 0

#6
justme22

justme22

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hello,
NO=don't run
Lookout Citadel Server - National Instruments, Inc. NO
National Instruments PSP Server Locator - National Instruments, Inc. NO
National Instruments Time Synchronization - National Instruments, Inc. NO
MySql
Netropa NHK Server NO
National Instruments Domain Service NO
NILM License Manager NO
NI Service Locator - National Instruments Corp. NO

And the following programs:

* Yahoo! Pager NO
* Internet Download Manager NO
* Onscreen Display
* Google Desktop NO

H:\hard vechi F\Program Files\utorrent\BSPlayer Pro v2.23.953 + ICU KeyGen\bsplayer_pro223.953.exe moved successfully.
H:\Programe\CrackingTools.rar moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05022008_183032



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:39 PM, on 5/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
D:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
D:\WINDOWS\system32\lkcitdl.exe
D:\WINDOWS\system32\lkads.exe
D:\WINDOWS\system32\lktsrv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
D:\WINDOWS\system32\nisvcloc.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
D:\WINDOWS\Explorer.EXE
D:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
D:\Program Files\Netropa\Onscreen Display\OSD.exe
D:\Program Files\Internet Download Manager\IDMan.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\LClock\LClock.exe
D:\Program Files\Vista Sidebar\sidebar.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Internet Download Manager\IEMonitor.exe
D:\DOCUME~1\STORM\LOCALS~1\Temp\procexp.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\ViStart\ViStart.exe
D:\Documents and Settings\STORM\Desktop\utorrent.exe
D:\Program Files\Webteh\BSplayerPro\bsplayer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - D:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] D:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [IDMan] D:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Netropa® Onscreen Display] D:\Program Files\Netropa\Onscreen Display\osd.exe
O4 - HKCU\..\Run: [LClock] D:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [Vista Sidebar] D:\Program Files\Vista Sidebar\sidebar.exe
O4 - HKCU\..\Run: [ViStart] D:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViOrb] D:\Program Files\ViOrb\ViOrb.exe
O8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Download with USDownloader - D:\Program Files\Universal Share Downloader\Ext\downloadie.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.bitdefender.com
O15 - Trusted Zone: http://www.kaspersky.com
O15 - Trusted Zone: http://www.pandasecurity.com
O15 - Trusted Zone: http://www.windowsmarketplace.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan....s/ascstubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...wlscbase370.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/...x/AVCheckUp.ocx
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...285/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EFA2AB1-05D8-4A3F-8119-22D376949424}: NameServer = 86.127.210.178 86.127.210.178
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Manager Google Desktop 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - D:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - D:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - D:\WINDOWS\system32\lktsrv.exe
O23 - Service: Flexlm (lmgrd) - National Instruments, Inc. - (no file)
O23 - Service: MySql - Unknown owner - D:/mysql/bin/mysqld-max-nt.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - D:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - D:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - D:\WINDOWS\system32\nisvcloc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - D:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9724 bytes

What about the questions I asked?
  • 0

#7
Tal

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hi justme22,

Sorry, I forgot to answer your questions.

What antivirus do you use? What are those vulnerabilities (61) that Panda says? With Panda I can't scan the whole computer because when I get to partition H it freezes.


I've been using NOD32 for two years; it's excellent. The vulnerabilities appear in all Panda logs; they are nothing to worry about. As for your problems with scanning with Panda: seeing as Kaspersky did the scan just fine, this is probably an issue on your side or theirs. If you want, you can send them an email, but there are a lot of other scanners to use that are even better (I prefer Kaspersky).

Now let's speed up your PC a bit, as you wanted.

Step 1: Correcting entries with HijackThis

Please re-open HijackThis and click Scan. Put a check next to the following entries presented in the window: (Do NOT click Fix yet!)
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [IDMan] D:\Program Files\Internet Download Manager\IDMan.exe /onboot
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Manager Google Desktop 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - D:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - D:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - D:\WINDOWS\system32\lktsrv.exe
O23 - Service: Flexlm (lmgrd) - National Instruments, Inc. - (no file)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - D:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - D:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - D:\WINDOWS\system32\nisvcloc.exe



Now, close all other windows but HijackThis, including Explorer windows (folders) and this window, and click Fix. Note: It is vital you close all other windows, otherwise the fix will not succeed.

Restart your computer.

Now, how is the PC doing? Do you experience more malware issues?
  • 0
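To see what the "Fix checked" step above actually has to change on the machine, here is an added example (not HijackThis code, and not from anyone in this thread) that parses a constructed subset of the O4, O10, O17 and O23 lines from the log posted earlier. For O23 it recovers the service key name (HijackThis prints it in parentheses after the display name and omits it when the two are identical) and emits the sc.exe commands that set the chosen services to Disabled and stop them, or delete a service whose binary is "(no file)"; for O4 it expands the HijackThis shorthand HKCU\..\Run to the full registry path and emits the matching reg.exe delete; the O10 Winsock LSP and O17 NameServer lines are only flagged for verification, because a Winsock LSP removed incorrectly breaks networking for every program and a DNS server should be checked against the ISP's before it is changed.

```python
"""Triage entries from a HijackThis 2.x log.

Added example for this thread; it is not HijackThis code. The sample lines are
copied from the log posted above; the generated commands use standard
sc.exe and reg.exe syntax.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of O4/O10/O17/O23 lines taken from the log above.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [IDMan] D:\Program Files\Internet Download Manager\IDMan.exe /onboot
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EFA2AB1-05D8-4A3F-8119-22D376949424}: NameServer = 86.127.210.178 86.127.210.178
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - D:\WINDOWS\system32\lkcitdl.exe
O23 - Service: Flexlm (lmgrd) - National Instruments, Inc. - (no file)
O23 - Service: MySql - Unknown owner - D:/mysql/bin/mysqld-max-nt.exe
O23 - Service: NILM License Manager - Macrovision Corporation - D:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
"""

# HijackThis prints "Display Name (KeyName)"; the parenthesised key is omitted
# when it equals the display name.
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))? - (?P<company>.+?) - (?P<path>.+)$")
# "HKCU\..\Run" is HijackThis shorthand for HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
LSP_RE = re.compile(r"^O10 - .+?: (?P<path>.+)$")
DNS_RE = re.compile(r"^O17 - .+?: NameServer = (?P<servers>.+)$")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Service:
    display: str
    key: str      # name the service control manager (sc.exe) knows it by
    company: str
    path: str

    @property
    def dangling(self) -> bool:
        """Registered service whose binary is gone; it cannot run, only confuse."""
        return self.path == "(no file)"


def parse_services(log: str) -> list:
    out = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            out.append(Service(m["display"], m["key"] or m["display"], m["company"], m["path"]))
    return out


def parse_run_entries(log: str) -> list:
    """(hive, value name, command line) for each O4 Run entry."""
    return [(m["hive"], m["name"], m["cmd"])
            for m in map(RUN_RE.match, log.splitlines()) if m]


def disable_commands(services: list, chosen: set) -> list:
    """sc.exe commands for services chosen by display name or key name.

    A dangling service is deleted; a live one is set to Disabled and stopped,
    which takes effect without a reboot. The space after 'start=' is required
    by sc.exe's argument syntax."""
    cmds = []
    for s in services:
        if s.display not in chosen and s.key not in chosen:
            continue
        if s.dangling:
            cmds.append(f'sc delete "{s.key}"')
        else:
            cmds.append(f'sc config "{s.key}" start= disabled')
            cmds.append(f'sc stop "{s.key}"')
    return cmds


def run_removal_commands(log: str, chosen: set) -> list:
    """reg.exe commands that remove the chosen O4 Run values."""
    return [f'reg delete "{hive}\\{RUN_KEY}" /v "{name}" /f'
            for hive, name, _ in parse_run_entries(log) if name in chosen]


def network_flags(log: str) -> list:
    """O10/O17 entries are reported, never auto-fixed: a wrongly removed
    Winsock LSP breaks TCP/IP for every program, and a NameServer should be
    checked against the ISP's addresses before it is touched."""
    flags = []
    for line in log.splitlines():
        if (m := LSP_RE.match(line)):
            flags.append(("LSP", m["path"]))
        elif (m := DNS_RE.match(line)):
            # de-duplicate while keeping order (the log lists the same server twice)
            flags.append(("DNS", tuple(dict.fromkeys(m["servers"].split()))))
    return flags


if __name__ == "__main__":
    services = parse_services(SAMPLE_LOG)
    for c in disable_commands(services, {"Lookout Citadel Server", "Flexlm", "MySql"}):
        print(c)
    for c in run_removal_commands(SAMPLE_LOG, {"Yahoo! Pager", "IDMan"}):
        print(c)
    for kind, what in network_flags(SAMPLE_LOG):
        print(f"VERIFY {kind}: {what}")
```

The sc config and sc stop commands take effect at once from an administrative command prompt, without waiting for the restart that the HijackThis service fix needs, and sc qc "<key>" afterwards confirms the start type reads DISABLED. If a HijackThis Fix leaves an O23 line in place, disabling and stopping the service this way first and then re-running the fix (or sc delete for an entry that should go entirely) is the dependable route.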

#8
justme22

justme22

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hello Tal,
Thanks for the answers. It doesn't fix the O23 entries, not one of them, even though it asked for a restart after I clicked Fix checked.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:02 PM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
D:\WINDOWS\system32\lkcitdl.exe
D:\WINDOWS\system32\lkads.exe
D:\WINDOWS\system32\lktsrv.exe
D:\mysql\bin\mysqld-max-nt.exe
D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
D:\WINDOWS\system32\nisvcloc.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
D:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Netropa\Onscreen Display\osd.exe
D:\Program Files\LClock\LClock.exe
D:\Program Files\ViStart\ViStart.exe
D:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
D:\WINDOWS\system32\msiexec.exe
D:\WINDOWS\system32\MsiExec.exe
D:\Program Files\Winamp\winamp.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - D:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] D:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Netropa® Onscreen Display] D:\Program Files\Netropa\Onscreen Display\osd.exe
O4 - HKCU\..\Run: [LClock] D:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [Vista Sidebar] D:\Program Files\Vista Sidebar\sidebar.exe
O4 - HKCU\..\Run: [ViStart] D:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViOrb] D:\Program Files\ViOrb\ViOrb.exe
O8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Download with USDownloader - D:\Program Files\Universal Share Downloader\Ext\downloadie.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: d:\program files\ocean technology\gg e-sports platform\gfilter.dll
O10 - Unknown file in Winsock LSP: d:\program files\ocean technology\gg e-sports platform\gfilter.dll
O10 - Unknown file in Winsock LSP: d:\program files\ocean technology\gg e-sports platform\gfilter.dll
O15 - Trusted Zone: http://www.bitdefender.com
O15 - Trusted Zone: http://www.kaspersky.com
O15 - Trusted Zone: http://www.pandasecurity.com
O15 - Trusted Zone: http://www.windowsmarketplace.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan....s/ascstubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...wlscbase370.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/...x/AVCheckUp.ocx
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...285/mcfscan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: AutorunsDisabled - D:\WINDOWS\
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Manager Google Desktop 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - D:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - D:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - D:\WINDOWS\system32\lktsrv.exe
O23 - Service: Flexlm (lmgrd) - National Instruments, Inc. - (no file)
O23 - Service: MySql - Unknown owner - D:/mysql/bin/mysqld-max-nt.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - D:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - D:\WINDOWS\system32\nisvcloc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - D:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9145 bytes


You still didn't answer this: "I have another problem: when my computer starts, the icon for sound volume in the taskbar is not there, and if I connect to the internet the icon for internet appears only after I tick 'place volume icon in taskbar' in Control Panel, but after a restart I must do this again and again!!!"
Is there any registry entry that ticks 'place volume icon in taskbar'? I tried uninstalling and installing the driver for the sound card (it is integrated); it didn't work. I think I deleted something before you answered me the first time. I used Fix checked from HijackThis and ComboFix, DSS, SmitfraudFix, SDFix, etc.

Edited by justme22, 04 May 2008 - 07:40 AM.


#9
Tal
    Trusted Helper
  • Retired Staff
  • 2,138 posts
Hello justme22,

You still didn't answer this: "I have another problem: when my computer starts, the icon for sound volume in the taskbar is not there, and if I connect to the internet the icon for internet appears only after I tick 'place volume icon in taskbar' in Control Panel, but after a restart I must do this again and again!!!"

That doesn't seem like a malware issue. Try following the steps HERE and see if it helps. If not, please refer to the Windows XP™, 2000, 2003, NT forum, and make a new post describing the issues you're experiencing.

Now let's try stopping the services using another method.


Please open a new notepad file in a convenient location, such as on your desktop. Paste the following code into it:
sc stop dvpapi
sc stop GoogleDesktopManager-010108-205858
sc stop LkCitadelServer
sc stop lkClassAds
sc stop lkTimeSync
sc stop lmgrd
sc stop nhksrv
sc stop NIDomainService
sc stop niSvcLoc

Now please click File > Save As... > Name the file BatchFix1.bat > Change the filetype setting to All Files > Hit Save. Now locate the file and double click it - a black window will appear on the screen for a moment then disappear - this is normal.

#10
justme22
    New Member
  • Topic Starter
  • Member
  • 9 posts
Hi Tal
I did what you asked, but the services are still there.
What about this: O17 - HKLM\System\CCS\Services\Tcpip\..\{2EFA2AB1-05D8-4A3F-8119-22D376949424}: NameServer = 86.127.210.178 86.127.210.178 What does it do?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:31 PM, on 5/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
D:\WINDOWS\system32\lkcitdl.exe
D:\WINDOWS\system32\lkads.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
D:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Netropa\Onscreen Display\osd.exe
D:\Program Files\LClock\LClock.exe
D:\Program Files\ViStart\ViStart.exe
D:\Program Files\ViOrb\ViOrb.exe
D:\Program Files\Internet Download Manager\IDMan.exe
D:\WINDOWS\system32\lktsrv.exe
D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
D:\WINDOWS\system32\nisvcloc.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
D:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\taskmgr.exe
D:\WINDOWS\system32\msiexec.exe
D:\WINDOWS\system32\MsiExec.exe
D:\Program Files\Internet Download Manager\IEMonitor.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - D:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] D:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Netropa® Onscreen Display] D:\Program Files\Netropa\Onscreen Display\osd.exe
O4 - HKCU\..\Run: [LClock] D:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [Vista Sidebar] D:\Program Files\Vista Sidebar\sidebar.exe
O4 - HKCU\..\Run: [ViStart] D:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViOrb] D:\Program Files\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [IDMan] D:\Program Files\Internet Download Manager\IDMan.exe /onboot
O8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Download with USDownloader - D:\Program Files\Universal Share Downloader\Ext\downloadie.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: d:\program files\ocean technology\gg e-sports platform\gfilter.dll
O10 - Unknown file in Winsock LSP: d:\program files\ocean technology\gg e-sports platform\gfilter.dll
O10 - Unknown file in Winsock LSP: d:\program files\ocean technology\gg e-sports platform\gfilter.dll
O15 - Trusted Zone: http://www.bitdefender.com
O15 - Trusted Zone: http://www.kaspersky.com
O15 - Trusted Zone: http://www.pandasecurity.com
O15 - Trusted Zone: http://www.windowsmarketplace.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan....s/ascstubie.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...wlscbase370.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/...x/AVCheckUp.ocx
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...285/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EFA2AB1-05D8-4A3F-8119-22D376949424}: NameServer = 86.127.210.178 86.127.210.178
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: AutorunsDisabled - D:\WINDOWS\
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Manager Google Desktop 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - D:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - D:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - D:\WINDOWS\system32\lktsrv.exe
O23 - Service: Flexlm (lmgrd) - National Instruments, Inc. - (no file)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - D:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - D:\WINDOWS\system32\nisvcloc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - D:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9476 bytes

#11
Tal
    Trusted Helper
  • Retired Staff
  • 2,138 posts
Hi justme22,

Replies are going to be faster now :) I know why the services don't leave.


Please open a new notepad file in a convenient location, such as on your desktop. Paste the following code into it:
sc stop dvpapi
sc stop GoogleDesktopManager-010108-205858
sc stop LkCitadelServer
sc stop lkClassAds
sc stop lkTimeSync
sc stop lmgrd
sc stop nhksrv
sc stop NIDomainService
sc stop niSvcLoc
sc disable dvpapi
sc disable GoogleDesktopManager-010108-205858
sc disable LkCitadelServer
sc disable lkClassAds
sc disable lkTimeSync
sc disable lmgrd
sc disable nhksrv
sc disable NIDomainService
sc disable niSvcLoc

Now please click File > Save As... > Name the file BatchFix1.bat > Change the filetype setting to All Files > Hit Save. Now locate the file and double click it - a black window will appear on the screen for a moment then disappear - this is normal.

Please include a new HijackThis log in your next reply.

Tal
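Added example for this thread, not code from Tal's or justme22's posts. Two things about the sc.exe commands in the two BatchFix1.bat files above are worth knowing before running them. First, `sc stop` only stops the running instance for the current session; it changes nothing in the registry, so an Auto-start service is back at the next boot and the registry entry that HijackThis lists as O23 is untouched. Second, sc.exe has no `disable` verb: the persistent form is `sc config <keyname> start= disabled` (sc's parser requires the space after `start=`), and `sc qc <keyname>` shows the resulting START_TYPE. The Python script below builds such a batch file from the O23 lines of a HijackThis log (the key name sc wants is the one HijackThis prints in parentheses) and decodes the `[SC] ... FAILED nnnn` lines that a run prints. The O23 lines and the console transcript in the script are constructed samples in the format shown in this thread; the error-code table holds standard Win32 codes.

```python
"""Added example for this thread (not code from the posts): build a persistent
disable script from HijackThis O23 lines and decode sc.exe failure codes.
Assumes the O23 line format shown in the log above; samples are constructed."""
import re

# Constructed sample: O23 lines in the format HijackThis v2 writes them.
SAMPLE_O23 = r"""
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Flexlm (lmgrd) - National Instruments, Inc. - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
"""

# "O23 - Service: <display name> (<key name>) - <company> - <path>"
# sc.exe addresses services by key name; HijackThis prints it in parentheses
# and omits the parentheses when display name and key name are identical.
_O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))? - "
    r"(?P<company>.+?) - (?P<path>.+)$"
)


def parse_o23(log_text):
    """Return one dict per O23 line: display, key, company, path, no_file."""
    services = []
    for line in log_text.splitlines():
        m = _O23_RE.match(line.strip())
        if m:
            services.append({
                "display": m["display"],
                "key": m["key"] or m["display"],
                "company": m["company"],
                "path": m["path"],
                "no_file": m["path"] == "(no file)",  # orphaned registry entry
            })
    return services


def disable_script(services, keys):
    """Emit cmd.exe lines that keep the chosen services off across reboots.

    sc.exe has no 'disable' verb: the start type is changed with
    'sc config <key> start= disabled' (note the space after 'start=').
    'sc stop' alone only stops the running instance until the next boot.
    The batch must be run from an administrator prompt."""
    wanted = {k.lower() for k in keys}
    lines = ["@echo off"]
    for svc in services:
        key = svc["key"]
        if key.lower() not in wanted:
            continue
        if svc["no_file"]:
            # Nothing can run from an orphaned entry; remove it instead.
            lines.append(f'sc delete "{key}"')
            continue
        lines.append(f'sc config "{key}" start= disabled')
        lines.append(f'sc stop "{key}"')
        # Verification: the START_TYPE line should now read "4   DISABLED".
        lines.append(f'sc qc "{key}" | find "START_TYPE"')
    return "\n".join(lines) + "\n"


# Standard Win32 error codes sc.exe reports on a failed request.
SC_ERRORS = {
    5: "access denied: run the batch from an administrator prompt",
    1060: "no such service: the entry is already gone, nothing to do",
    1062: "service not running: stop is a no-op, still set start= disabled",
    1072: "service marked for deletion: reboot, then check again",
}
_SC_FAIL_RE = re.compile(r"^\[SC\] \w+ FAILED (?P<code>\d+):")
_SC_CMD_RE = re.compile(r">sc (?:stop|config|delete) (\S+)")


def classify_sc_output(console_text):
    """Map each sc command in a console transcript to 'ok' or to the meaning
    of the error code that followed it."""
    result, current = {}, None
    for line in console_text.splitlines():
        line = line.strip()
        cmd = _SC_CMD_RE.search(line)
        if cmd:
            current = cmd.group(1)
            result[current] = "ok"
            continue
        fail = _SC_FAIL_RE.match(line)
        if fail and current:
            code = int(fail["code"])
            result[current] = SC_ERRORS.get(code, f"unexpected error {code}")
    return result


# Constructed transcript in the shape a BatchFix1.bat run prints.
SAMPLE_CONSOLE = r"""
D:\Documents and Settings\STORM\Desktop>sc stop dvpapi
[SC] ControlService FAILED 1062:

The service has not been started.

D:\Documents and Settings\STORM\Desktop>sc stop GoogleDesktopManager-010108-205858
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""

if __name__ == "__main__":
    print(disable_script(parse_o23(SAMPLE_O23), ["dvpapi", "lmgrd"]))
    for name, verdict in classify_sc_output(SAMPLE_CONSOLE).items():
        print(f"{name}: {verdict}")
```

Paste the generated lines into Notepad and save as a .bat file exactly as Tal describes, then read the START_TYPE lines the batch prints: a service that still shows AUTO_START was not changed, most often because the prompt was not elevated (error 5). For a service the transcript reports as 1060 nothing needs doing; for 1062 the service was simply not running, and only the `sc config` line matters.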

#12
justme22
    New Member
  • Topic Starter
  • Member
  • 9 posts
Hello
What about this: O17 - HKLM\System\CCS\Services\Tcpip\..\{2EFA2AB1-05D8-4A3F-8119-22D376949424}: NameServer = 86.127.210.178 86.127.210.178 What does it do?
This appeared when I ran BatchFix1.bat:


D:\Documents and Settings\STORM\Desktop>sc stop dvpapi
[SC] ControlService FAILED 1062:

The service has not been started.


D:\Documents and Settings\STORM\Desktop>sc stop GoogleDesktopManager-010108-205858
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.


D:\Documents and Settings\STORM\Desktop>sc stop LkCitadelServer
[SC] ControlService FAILED 1062:

The service has not been started.


D:\Documents and Settings\STORM\Desktop>sc stop lkClassAds
[SC] ControlService FAILED 1062:

The service has not been started.


D:\Documents and Settings\STORM\Desktop>sc stop lkTimeSync
[SC] ControlService FAILED 1062:

The service has not been started.


D:\Documents and Settings\STORM\Desktop>sc stop lmgrd
[SC] ControlService FAILED 1062:

The service has not been started.


D:\Documents and Settings\STORM\Desktop>sc stop nhksrv
[SC] ControlService FAILED 1062:

The service has not been started.


D:\Documents and Settings\STORM\Desktop>sc stop NIDomainService
[SC] ControlService FAILED 1062:

The service has not been started.


D:\Documents and Settings\STORM\Desktop>sc stop niSvcLoc
[SC] ControlService FAILED 1062:

The service has not been started.


D:\Documents and Settings\STORM\Desktop>sc disable dvpapi
*** Unrecognized Command ***
DESCRIPTION:
SC is a command line program used for communicating with the
NT Service Controller and services.
USAGE:
sc <server> [command] [service name] <option1> <option2>...

The option <server> has the form "\\ServerName"
Further help on commands can be obtained by typing: "sc [command]"
Commands:
query-----------Queries the status for a service, or
enumerates the status for types of services.
queryex---------Queries the extended status for a service, or
enumerates the status for types of services.
start-----------Starts a service.
pause-----------Sends a PAUSE control request to a service.
interrogate-----Sends an INTERROGATE control request to a service.
continue--------Sends a CONTINUE control request to a service.
stop------------Sends a STOP request to a service.
config----------Changes the configuration of a service (persistant).
description-----Changes the description of a service.
failure---------Changes the actions taken by a service upon failure.
qc--------------Queries the configuration information for a service.
qdescription----Queries the description for a service.
qfailure--------Queries the actions taken by a service upon failure.
delete----------Deletes a service (from the registry).
create----------Creates a service. (adds it to the registry).
control---------Sends a control to a service.
sdshow----------Displays a service's security descriptor.
sdset-----------Sets a service's security descriptor.
GetDisplayName--Gets the DisplayName for a service.
GetKeyName------Gets the ServiceKeyName for a service.
EnumDepend------Enumerates Service Dependencies.

The following commands don't require a service name:
sc <server> <command> <option>
boot------------(ok | bad) Indicates whether the last boot should
be saved as the last-known-good boot configuration
Lock------------Locks the Service Database
QueryLock-------Queries the LockStatus for the SCManager Database
EXAMPLE:
sc start MyService

Would you like to see help for the QUERY and QUERYEX commands? [ y | n ]:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:45 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Netropa\Onscreen Display\osd.exe
D:\mysql\bin\winmysqladmin.exe
D:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] D:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Netropa® Onscreen Display] D:\Program Files\Netropa\Onscreen Display\osd.exe
O4 - HKCU\..\Run: [LClock] D:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [Vista Sidebar] D:\Program Files\Vista Sidebar\sidebar.exe
O4 - HKCU\..\Run: [ViStart] D:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViOrb] D:\Program Files\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: WinMySQLadmin.lnk = D:\mysql\bin\winmysqladmin.exe
O8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Download with USDownloader - D:\Program Files\Universal Share Downloader\Ext\downloadie.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: d:\program files\ocean technology\gg e-sports platform\gfilter.dll
O15 - Trusted Zone: http://www.bitdefender.com
O15 - Trusted Zone: http://www.kaspersky.com
O15 - Trusted Zone: http://www.pandasecurity.com
O15 - Trusted Zone: http://www.windowsmarketplace.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/...x/AVCheckUp.ocx
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...285/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EFA2AB1-05D8-4A3F-8119-22D376949424}: NameServer = 86.127.210.178 86.127.210.178
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: AutorunsDisabled - D:\WINDOWS\
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - D:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - D:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - D:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - D:\WINDOWS\system32\lktsrv.exe
O23 - Service: Flexlm (lmgrd) - National Instruments, Inc. - (no file)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - D:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - D:\WINDOWS\system32\nisvcloc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - D:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8408 bytes


StartupList report, 5/6/2008, 5:16:16 PM
StartupList version: 1.52.2
Started from : D:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.20733)
* Using default options
==================================================

Running processes:

D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Netropa\Onscreen Display\osd.exe
D:\mysql\bin\winmysqladmin.exe
D:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[D:\Documents and Settings\STORM\Start Menu\Programs\Startup]
WinMySQLadmin.lnk = D:\mysql\bin\winmysqladmin.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = D:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
GrooveMonitor = "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
MULTIMEDIA KEYBOARD = D:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
avgnt = "D:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = D:\WINDOWS\system32\ctfmon.exe
Netropa® Onscreen Display = D:\Program Files\Netropa\Onscreen Display\osd.exe
LClock = D:\Program Files\LClock\LClock.exe
Vista Sidebar = D:\Program Files\Vista Sidebar\sidebar.exe
ViStart = D:\Program Files\ViStart\ViStart.exe
ViOrb = D:\Program Files\ViOrb\ViOrb.exe
Yahoo! Pager = "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
visualtasktips =

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[AutorunsDisabled]
IDMan = D:\Program Files\Internet Download Manager\IDMan.exe /onboot
SUPERAntiSpyware = D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\Text-FileType\shell\open\command

(Default) = notepad.exe %1

--------------------------------------------------

Shell & screensaver key from D:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=D:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - D:\Program Files\Internet Download Manager\IDMIECC.dll - {0055C089-8582-441B-A0BF-17B458C2A3A8}
(no name) - D:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll - {00C6482D-C502-44C8-8409-FCE54AD9C208}
(no name) - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - D:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll - {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
(no name) - D:\Program Files\Java\jre1.6.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
Uniblue SpeedUpMyPC Nag.job
Uniblue SpeedUpMyPC.job
Uniblue SpyEraser.job

--------------------------------------------------

Enumerating Download Program Files:

[CKAVWebScan Object]
InProcServer32 = D:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky...can_unicode.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = D:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://download.micr...heckControl.cab

[Symantec AntiVirus scanner]
InProcServer32 = D:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.syma...bin/AvSniff.cab

[{56762DEC-6B0D-4AB4-A8AD-989993B5D08B}]
CODEBASE = http://www.eset.eu/b...lineScanner.cab

[BDSCANONLINE Control]
InProcServer32 = D:\WINDOWS\DOWNLO~1\CONFLICT.1\oscan82.ocx
CODEBASE = http://download.bitd...can8/oscan8.cab

[Symantec RuFSI Utility Class]
InProcServer32 = D:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.syma...n/bin/cabsa.cab

[iolo.AV.OnlineVirusScanner]
CODEBASE = http://www.iolo.com/...x/AVCheckUp.ocx

[F-Secure Online Scanner 3.3]
InProcServer32 = D:\WINDOWS\Downloaded Program Files\fscax.dll
CODEBASE = http://support.f-sec...m/ols/fscax.cab

[McFreeScan Class]
InProcServer32 = D:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcaf...285/mcfscan.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: avsda.dll (file MISSING)
Protocol #2: avsda.dll (file MISSING)
Protocol #3: D:\Program Files\Ocean Technology\GG E-Sports Platform\gfilter.dll
Protocol #30: avsda.dll (file MISSING)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: D:\WINDOWS\system32\webcheck.dll
WPDShServiceObj: D:\WINDOWS\system32\wpdshserviceobj.dll

--------------------------------------------------
End of report, 7,641 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  • 0

#13
Tal

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hi justme22,

Looks like I messed up on the batch script again. This time, it should work. As for your question, this is a DNS address, relating to your ISP.

inetnum: 86.127.210.0 - 86.127.210.255
netname: RDS-INFRA
descr: Galati Branch
country: RO
admin-c: RDS-RIPE
tech-c: RDS-RIPE
status: ASSIGNED PA
remarks: INFRA-AW
remarks: +-----------------------------------------------------------+
remarks: | ABUSE CONTACT: IN CASE OF HACK ATTACKS, |
remarks: | ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC. |
remarks: +-----------------------------------------------------------+
mnt-by: AS8708-MNT
mnt-lower: AS8708-MNT
source: RIPE # Filtered

role: Romania Data Systems NOC
address: 71-75 Dr. Staicovici
address: Bucharest / ROMANIA
phone: +40 21 30 10 888
fax-no: +40 21 30 10 892
abuse-mailbox:
admin-c: CN19-RIPE
admin-c: GEPU1-RIPE
tech-c: CN19-RIPE
tech-c: GEPU1-RIPE
nic-hdl: RDS-RIPE
mnt-by: AS8708-MNT
remarks: +--------------------------------------------------------------+
remarks: | ABUSE CONTACT: IN CASE OF HACK ATTACKS, |
remarks: | ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC. |
remarks: | !! PLEASE DO NOT CONTACT OTHER PERSONS FOR THESE PROBLEMS !! |
remarks: +--------------------------------------------------------------+
source: RIPE # Filtered

route: 86.120.0.0/13
descr: RDSNET
origin: AS8708
mnt-by: AS8708-MNT
source: RIPE # Filtered

Do you recognize this? Is this your ISP? If so, these are needed entries. Do not delete them, otherwise you might lose access to the internet.


Please open a new notepad file in a convenient location, such as on your desktop. Paste the following code into it:
sc delete dvpapi
sc delete GoogleDesktopManager-010108-205858
sc delete LkCitadelServer
sc delete lkClassAds
sc delete lkTimeSync
sc delete lmgrd
sc delete nhksrv
sc delete NIDomainService
sc delete niSvcLoc

Now please click File > Save As... > Name the file BatchFix2.bat > Change the filetype setting to All Files > Hit Save. Now locate the file and double click it - a black window will appear on the screen for a moment then disappear - this is normal.

Regards,

Tal :)
  • 0
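Before deleting services by name, a practitioner would normally confirm what each entry still points to, the same check HijackThis reports as "(no file)" and StartupList as "(file MISSING)". The script below is an added example, not code from the thread or from Tal; it assumes the service names from the BatchFix2.bat post and a hypothetical -Delete switch, so by default it only reports and deletes nothing.

```powershell
# Added example (not from the thread): inspect each service's registered binary
# before removing it. Read-only unless -Delete (a hypothetical switch added
# here) is given; the name list is the one from the BatchFix2.bat post.
param(
    [string[]]$ServiceNames = @(
        'dvpapi', 'GoogleDesktopManager-010108-205858', 'LkCitadelServer',
        'lkClassAds', 'lkTimeSync', 'lmgrd', 'nhksrv', 'NIDomainService', 'niSvcLoc'
    ),
    [switch]$Delete
)

foreach ($name in $ServiceNames) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path -Path $key)) {
        Write-Output "$name : not registered (nothing to delete)"
        continue
    }
    $imagePath = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
    $exe = $null
    if ($imagePath) {
        # ImagePath may be quoted, carry arguments, or use the \SystemRoot\ or
        # \??\ prefix; reduce it to the bare executable path for Test-Path.
        $exe = [Environment]::ExpandEnvironmentVariables($imagePath).Trim()
        if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($exe -split '\s+')[0] }
        $exe = $exe -replace '^\\\?\?\\', '' `
                    -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                    -replace '^system32\\', "$env:SystemRoot\system32\"
    }
    $present = [bool]($exe -and (Test-Path -LiteralPath $exe))
    $state = (Get-Service -Name $name -ErrorAction SilentlyContinue).Status
    Write-Output ("{0} : binary='{1}' exists={2} state={3}" -f $name, $exe, $present, $state)

    if ($Delete) {
        # Stop a running service first; "sc delete" only marks it for removal
        # and the entry lingers until the service is stopped or the box reboots.
        if ($state -eq 'Running') {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        }
        & sc.exe delete $name | Out-Null
        Write-Output "$name : delete requested (exit code $LASTEXITCODE)"
    }
}
```

Run it once without -Delete and compare the exists=False entries against the HijackThis O23 lines; a service whose binary is still present and belongs to a product you use (National Instruments, Netropa) is a leftover to keep, not malware.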

#14
justme22

justme22

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks for all the help, that worked.
Oh, by the way, I still have those viruses in that folder _otmoveit.

Edited by justme22, 06 May 2008 - 12:38 PM.

  • 0

#15
Tal

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
You're welcome :) And it's fine, they are stored there as backups should anything go wrong. We'll delete them now, and I'll give you some tips on how to avoid re-infection.

  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveIt2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

You should also have a good firewall. Here are 3 free ones available for personal use:
and a good antivirus (these are also free for personal use):
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

Tal
  • 0
