Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

System shutting down - Cannot get Internet connection or LAN [RESOLVED


  • This topic is locked This topic is locked

#1
uzi9mm

uzi9mm

    Member

  • Member
  • PipPip
  • 34 posts
Hi,

Over the last few days I have occasionally been getting a system shutdown dialog box that says:

This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM.

Windows must now restart because the DCOM Server Process Launcher service terminated unexpectedly.

That is the message I get.

Also I can't connect to my LAN, it usually picks up the network right away as soon as I log in, but after a few secs it will just lose connection. I am using a Netgear USB wireless adaptor, which I have been using for a few years now. Both the green lights on the adaptor itself are on and solid which is correct. This has to be linked with that system shutdown message because they have both started happening at more or less the sametime.

I am using my dad's PC to start this topic and his PC is directly connected to the router and there is nothing wrong with his connection.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:42, on 29/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\alg.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\System32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C6C4BA2-1646-0F3A-1FAE-B393C162C92E} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft....ayx_vp3_mp3.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5471 bytes



Any help would be much appreciated.

Kind Regards,

uzi9mm
  • 0

Advertisements


#2
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, my name is fenzodahl512 and welcome to Geekstogo... Please do the following...


Whenever the "computer will shut down in 60/30 seconds" box appears, please do the following..

Go to Start >> Run >> Copy/paste below command >> Press Enter

shutdown -a





NEXT


Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.




NEXT


Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • Please let your firewall allow the scanning/downloading process.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.



Please post the following logs in your next reply.. Post each log in separate post...

1. SDFix
2. Deckard System Scanner (both main.txt and extra.txt)



Regards
fenzodahl512
  • 0

#3
uzi9mm

uzi9mm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hi fenzodahl512. Thanks for the reply.



Here are the logs:


SDFix: Version 1.198
Run by Uzi on 29/06/2008 at 14:18

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINNT\system32\ntos.exe - Deleted
C:\WINNT\system32\wsnpoem\video.dll - Deleted
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\wsnpoem\audio.dll - Deleted
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Application Data\wsnpoem\audio.dll - Deleted
C:\WINNT\system32\wsnpoem\audio.dll - Deleted



Folder C:\WINNT\system32\wsnpoem - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 14:33:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 1 Oct 2005 71,168 A.SHR --- "C:\Program Files\PPLive\Setup.exe"
Sat 17 Dec 2005 71,168 A.SHR --- "C:\Program Files\PPLive TV\Setup.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 15 May 2003 43,008 A..H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Fri 28 May 2004 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Fri 28 May 2004 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Fri 22 Feb 2008 165,232 A..H. --- "C:\Documents and Settings\Uzi.USMAN\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll"

Finished!
  • 0

#4
uzi9mm

uzi9mm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Deckard's System Scanner v20071014.68
Run by Uzi on 2008-06-29 14:43:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
81: 2008-06-29 13:43:48 UTC - RP308 - Deckard's System Scanner Restore Point
80: 2008-06-28 22:33:15 UTC - RP307 - Unsigned driver install
79: 2008-06-28 22:31:13 UTC - RP306 - Installed WG121 Smart Wizard
78: 2008-06-28 18:37:51 UTC - RP305 - Removed Ad-Aware 2007
77: 2008-06-27 21:01:24 UTC - RP304 - System Checkpoint


-- First Restore Point --
1: 2008-03-31 20:08:21 UTC - RP228 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Uzi.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:44:30, on 29/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\Uzi.USMAN\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Uzi.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C6C4BA2-1646-0F3A-1FAE-B393C162C92E} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft....ayx_vp3_mp3.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5179 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\winnt\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R3 catchme - c:\docume~1\uzi~1.usm\locals~1\temp\catchme.sys (file missing)
R3 wg121 (NETGEAR WG121 802.11g Wireless USB2.0 Adapter) - c:\winnt\system32\drivers\wg121nd5.sys <Not Verified; NETGEAR, Inc.; NETGEAR 802.11g Wireless LAN>

S3 NSNDIS5 (NSNDIS5 NDIS Protocol Driver) - c:\winnt\system32\nsndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); NetStumbler>
S3 se27nd5 (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (NDIS)) - c:\winnt\system32\drivers\se27nd5.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB Ethernet Emulation>
S3 se27unic (Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM)) - c:\winnt\system32\drivers\se27unic.sys <Not Verified; MCCI; Sony Ericsson Device 039 USB Ethernet Emulation>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2702&SUBSYS_8D881043&REV_01\4&3B1CAF2B&0&28F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2702&SUBSYS_8D881043&REV_01\4&3B1CAF2B&0&28F0
Service:

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia 6680
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6680
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-05-01 16:45:04 284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-29 and 2008-06-29 -----------------------------

2008-06-29 14:09:13 0 d-------- C:\WINNT\ERUNT
2008-06-28 19:38:47 0 d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Desktop
2008-06-17 22:15:51 0 d-------- C:\Program Files\Save


-- Find3M Report ---------------------------------------------------------------

2008-06-28 23:31:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-17 22:18:59 0 d-------- C:\Program Files\Common Files
2008-05-04 19:15:19 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-05-04 19:13:24 0 d-------- C:\Program Files\CCleaner
2008-05-04 12:25:50 0 d-------- C:\Documents and Settings\Uzi.USMAN\Application Data\vlc
2008-04-20 14:36:33 45056 --a------ C:\pgvumt.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C6C4BA2-1646-0F3A-1FAE-B393C162C92E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\System32\igfxtray.exe" [10/01/2008 21:41]
"HotKeysCmds"="C:\WINNT\System32\hkcmd.exe" [10/01/2008 21:41]
"Athan"="C:\Program Files\Athan\Athan.exe" [10/01/2008 21:17]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 02:11]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 10:25]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 18:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINNT\system32\ctfmon.exe" [04/08/2004 00:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [10/01/2008 21:42]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 12:43]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/01/2008 21:41]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [10/12/2007 11:12]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Smart Wizard Wireless Settings.lnk - C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [27/02/2004 16:41:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7230d438-48bd-11dc-91d7-806d6172696f}]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7230d438-48bd-11dc-91d7-806d6172696f}\shellAutocommand- MicroSofts.pif]




-- End of Deckard's System Scanner: finished at 2008-06-29 14:44:58 ------------
  • 0

#5
uzi9mm

uzi9mm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.06GHz
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 510 MiB / 214.73 MiB
Pagefile Memory (total/avail): 1246.68 MiB / 942.46 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1948.46 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.47 GiB total, 22.31 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6Y080L0 - 74.5 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 74.47 GiB - C:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is disabled.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINNT
APPDATA=C:\Documents and Settings\Uzi.USMAN\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=USMAN
ComSpec=C:\WINNT\system32\cmd.exe
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Uzi.USMAN
LOGONSERVER=\\USMAN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\wbem;C:\Program Files\PC Connectivity Solution;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\UZI~1.USM\LOCALS~1\Temp
TMP=C:\DOCUME~1\UZI~1.USM\LOCALS~1\Temp
USERDOMAIN=USMAN
USERNAME=Uzi
USERPROFILE=C:\Documents and Settings\Uzi.USMAN
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Uzi.USMAN (admin)
Yusuf.USMAN.000 (admin)
Administrator.USMAN.001 (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINNT\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINNT\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Athan Basic 3.3 --> C:\WINNT\iun6002.exe "C:\Program Files\Athan\irunin.ini"
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Before You Know It 3.6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6F002D8A-57C5-4DB6-B8A4-7A27E46B014E}\Setup.exe" -l0x9
BitLord 1.1 --> C:\Program Files\BitLord\uninst.exe
Broadcom 440x 10/100 Integrated Controller --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{52504CE6-E909-4113-B232-4AFEC6543A61} /l1033
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
ContextEnhancer --> C:\Program Files\ContextEnhancer\uninstall.exe
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
FBrowsingAdvisor --> "C:\Program Files\FBrowsingAdvisor\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINNT\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LimeWire 4.14.12 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINNT\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Excel 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall EXCEL /dll OSETUP.DLL
Microsoft Office Excel 2007 --> MsiExec.exe /X{90120000-0016-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall POWERPOINT /dll OSETUP.DLL
Microsoft Office PowerPoint 2007 --> MsiExec.exe /X{90120000-0018-0000-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall WORD /dll OSETUP.DLL
Microsoft Office Word 2007 --> MsiExec.exe /X{90120000-001B-0000-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "C:\WINNT\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Virtual PC 2007 --> MsiExec.exe /X{8A7CAA24-7B23-410B-A7C3-F994B0944160}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVC80_x86 --> MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
Network Stumbler 0.4.0 (remove only) --> "C:\Program Files\Network Stumbler\uninst.exe"
Nokia Connectivity Cable Driver --> MsiExec.exe /X{0A3D3C54-2EC0-4D67-B265-FF17926E6D67}
Nokia PC Suite --> C:\Documents and Settings\All Users.WINNT\Application Data\Installations\{29466F9C-7C6A-419C-B301-F440FAF78760}\Nokia_PC_Suite_rel_6_85_14_1_eng_web.exe
Nokia PC Suite --> MsiExec.exe /I{29466F9C-7C6A-419C-B301-F440FAF78760}
PC Connectivity Solution --> MsiExec.exe /I{BA084E7C-8ABA-4670-BDE8-B85E689A5C1B}
PPMate Network TV 2.1.0.42 --> C:\Program Files\PPMate\uninst.exe
PPStream --> "C:\Program Files\PPStream\unins000.exe"
QuickTime --> MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
Sony Ericsson PC Suite 1.20.224 --> MsiExec.exe /I{7689CA7A-1270-425A-9959-EB4CB25EA29A}
SopCast 1.1.2 --> C:\Program Files\SopCast\uninst.exe
SopCore 1.1.2 --> C:\Program Files\SopCast\uninst.exe
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINNT\unins000.exe"
Transcender Test Engine --> C:\PROGRA~1\TRANSC~1\UNWISE.EXE C:\PROGRA~1\TRANSC~1\INSTALL.LOG
Transcender: Exam Cert-220-601 --> C:\PROGRA~1\TRANSC~1\EXAMFI~1\EXAMID~2\UNWISE.EXE C:\PROGRA~1\TRANSC~1\EXAMFI~1\EXAMID~2\INSTALL.LOG
Transcender: Exam Cert-220-602 --> C:\PROGRA~1\TRANSC~1\EXAMFI~1\EXAMID~1\UNWISE.EXE C:\PROGRA~1\TRANSC~1\EXAMFI~1\EXAMID~1\INSTALL.LOG
TVAnts 1.0 --> C:\PROGRA~1\TVAnts\UNWISE.EXE C:\PROGRA~1\TVAnts\INSTALL.LOG
TVUPlayer 2.3.2.52 --> C:\Program Files\TVUPlayer\uninst.exe
WG121 Smart Wizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{410A2688-05B2-4B98-9A0D-44961FE78264}\Setup.exe"
Windows Driver Package - Nokia Modem (08/03/2007 6.84.0.2) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINNT\system32\DRVSTORE\nokbtmdm_1EB5F2E6F54A6BEDE9F436D1BA5D830FC71739BE\nokbtmdm.inf
Windows Driver Package - Nokia Modem (10/12/2007 3.6) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINNT\system32\DRVSTORE\nokia_blue_0A5D98F754C6588B2E3DDE89DDEF097075ADFFB7\nokia_bluetooth.inf
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Media Format 11 runtime --> "C:\WINNT\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type6195 / Error
Event Submitted/Written: 06/29/2008 02:33:11 PM
Event ID/Source: 3011 / LoadPerf
Event Description:
Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The
Error code is the first DWORD in Data section.

Event Record #/Type6194 / Error
Event Submitted/Written: 06/29/2008 02:33:11 PM
Event ID/Source: 3012 / LoadPerf
Event Description:
The performance strings in the Performance registry value is corrupted when
process Performance extension counter provider. BaseIndex value from Performance
registry is the first DWORD in Data section, LastCounter value is the second
DWORD in Data section, and LastHelp value is the third DWORD in Data section.

Event Record #/Type6191 / Error
Event Submitted/Written: 06/29/2008 11:18:19 AM
Event ID/Source: 3011 / LoadPerf
Event Description:
Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The
Error code is the first DWORD in Data section.

Event Record #/Type6190 / Error
Event Submitted/Written: 06/29/2008 11:18:19 AM
Event ID/Source: 3012 / LoadPerf
Event Description:
The performance strings in the Performance registry value is corrupted when
process Performance extension counter provider. BaseIndex value from Performance
registry is the first DWORD in Data section, LastCounter value is the second
DWORD in Data section, and LastHelp value is the third DWORD in Data section.

Event Record #/Type6186 / Error
Event Submitted/Written: 06/29/2008 10:36:12 AM
Event ID/Source: 3011 / LoadPerf
Event Description:
Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The
Error code is the first DWORD in Data section.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type40477 / Error
Event Submitted/Written: 06/29/2008 02:08:37 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type40476 / Error
Event Submitted/Written: 06/29/2008 02:08:26 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type40475 / Error
Event Submitted/Written: 06/29/2008 02:08:22 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
AVG Anti-Spyware Driver
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
OMCI
RasAcd
Rdbss
Tcpip
vmm

Event Record #/Type40474 / Error
Event Submitted/Written: 06/29/2008 02:08:22 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type40473 / Error
Event Submitted/Written: 06/29/2008 02:08:22 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-06-29 14:44:58 ------------
  • 0

#6
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Tell me about this folder/program.. C:\Program Files\Save



Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\pgvumt.exe
    C:\Program Files\Dot1XCfg
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7230d438-48bd-11dc-91d7-806d6172696f}
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7230d438-48bd-11dc-91d7-806d6172696f}\shellAutocommand- MicroSofts.pif
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Dot1XCfg
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C6C4BA2-1646-0F3A-1FAE-B393C162C92E}
    EmptyTemp
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.




Please post the following logs in your next reply.. Please post each log in separate post..

1. OTMoveIt2
2. Malwarebytes'
3. A fresh Deckard System Scanner (after Malwarebytes' step)
4. Tell me about your computer behaviour..


Regards
fenzodahl512
  • 0

#7
uzi9mm

uzi9mm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Explorer killed successfully
C:\pgvumt.exe moved successfully.
File/Folder C:\Program Files\Dot1XCfg not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7230d438-48bd-11dc-91d7-806d6172696f} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7230d438-48bd-11dc-91d7-806d6172696f}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7230d438-48bd-11dc-91d7-806d6172696f}\shellAutocommand- MicroSofts.pif >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7230d438-48bd-11dc-91d7-806d6172696f}\shellAutocommand- MicroSofts.pif\\ not found.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Dot1XCfg >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Dot1XCfg deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C6C4BA2-1646-0F3A-1FAE-B393C162C92E} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C6C4BA2-1646-0F3A-1FAE-B393C162C92E}\\ deleted successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\UZI~1.USM\LOCALS~1\Temp\~DFA629.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\UZI~1.USM\LOCALS~1\Temp\~DFCEAB.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 06292008_155821

Files moved on Reboot...
C:\DOCUME~1\UZI~1.USM\LOCALS~1\Temp\~DFA629.tmp moved successfully.
C:\DOCUME~1\UZI~1.USM\LOCALS~1\Temp\~DFCEAB.tmp moved successfully.
  • 0

#8
uzi9mm

uzi9mm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Malwarebytes' Anti-Malware 1.19
Database version: 899
Windows 5.1.2600 Service Pack 2

17:17:19 29/06/2008
mbam-log-6-29-2008 (17-17-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 202106
Time elapsed: 1 hour(s), 11 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 36

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{127df9b4-d75d-44a6-af78-8c3a8ceb03db} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\acm.acmfactory (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{df901432-1b9f-4f5b-9e56-301c553f9095} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\acm.acmfactory.1 (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{43382522-a846-46f4-ac57-1f71ae6e1086} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{572fb162-c0ba-4edf-8cff-e3846153b9b0} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72a836d1-bc00-43c0-a941-17960e4fb842} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Mirar (AdWare.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\fbrowsingadvisor_is1 (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\ACM.DLL (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenUSave) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\Save (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\WhenU (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Application Data\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Save\ACM.dll (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\XPCOMEvents.dll (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\Save\Save.exe (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\service.exe.vir (Adware.Mirar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1F6316EB-6B0A-4F9C-9E5E-B83031FE7012}\RP399\A0013085.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\Save\ffext.mod (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\Program Files\Save\save.db (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\Program Files\Save\save.htm (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\Program Files\Save\SaveUninst.exe (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\Program Files\Save\store.db (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\bubble.bmp (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\bubble16.bmp (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\celebs.bmp (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\ErrorLog.txt (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\gotb.bmp (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\highlight.bmp (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\hotstuff.bmp (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\hotstuffsm.bmp (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\movies.bmp (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\music.bmp (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\news.bmp (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\ngames.bmp (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\radio.bmp (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\REALBARTB0115.cfg (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\REALBARTB1115.cfg (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\rollingstone.bmp (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\Dynamic Toolbar\REALBAR\Cache\sports.bmp (Adware.2020Search) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\IXPCOMEvents.xpt (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\Logo.png (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\main.db (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\unins000.dat (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\unins000.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\WhenU\Learn More About Save!.url (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\WhenU\Learn More About SaveNow.url (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\WhenU\WhenU.com Website.url (Adware.WhenUSave) -> Quarantined and deleted successfully.
  • 0

#9
uzi9mm

uzi9mm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Deckard's System Scanner v20071014.68
Run by Uzi on 2008-06-29 17:22:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Uzi.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:22:31, on 29/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Uzi.USMAN\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Uzi.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4C6C4BA2-1646-0F3A-1FAE-B393C162C92E} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft....ayx_vp3_mp3.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5232 bytes

-- Files created between 2008-05-29 and 2008-06-29 -----------------------------

2008-06-29 16:02:21 0 d-------- C:\Documents and Settings\Uzi.USMAN\Application Data\Malwarebytes
2008-06-29 16:02:18 0 d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Malwarebytes
2008-06-29 16:02:17 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-29 14:09:13 0 d-------- C:\WINNT\ERUNT
2008-06-28 19:38:47 0 d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Desktop


-- Find3M Report ---------------------------------------------------------------

2008-06-28 23:31:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-17 22:18:59 0 d-------- C:\Program Files\Common Files
2008-05-04 19:15:19 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-05-04 19:13:24 0 d-------- C:\Program Files\CCleaner
2008-05-04 12:25:50 0 d-------- C:\Documents and Settings\Uzi.USMAN\Application Data\vlc


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4C6C4BA2-1646-0F3A-1FAE-B393C162C92E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\System32\igfxtray.exe" [10/01/2008 21:41]
"HotKeysCmds"="C:\WINNT\System32\hkcmd.exe" [10/01/2008 21:41]
"Athan"="C:\Program Files\Athan\Athan.exe" [10/01/2008 21:17]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 02:11]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 10:25]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 18:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINNT\system32\ctfmon.exe" [04/08/2004 00:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [10/01/2008 21:42]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 12:43]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/01/2008 21:41]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" []
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [10/12/2007 11:12]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Smart Wizard Wireless Settings.lnk - C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [27/02/2004 16:41:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-06-29 17:23:10 ------------
  • 0

#10
uzi9mm

uzi9mm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
c:\Program Files\Save - I went into the folder and it had some WhenUSave application in there, but that folder and contents seems to have been deleted by MBAM.

PC behaviour seems fine, but still can't get onto the home network or the Internet.

Thanks,

uzi9mm
  • 0

Advertisements


#11
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Erm.. some of the bad entries are back..

This is IMPORTANT!! Please temporarily disable these programs prior to our fix.. Please re-enable them back after completed all steps given..

1. AVG Anti-Spyware 7.5
2. Spybot - Search & Destroy

Please navigate below website for further instructions..
http://wiki.castleco...toring_Programs




NEXT



Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
[*]Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

[kill explorer]
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7230d438-48bd-11dc-91d7-806d6172696f}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7230d438-48bd-11dc-91d7-806d6172696f}\shellAutocommand- MicroSofts.pif
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Dot1XCfg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C6C4BA2-1646-0F3A-1FAE-B393C162C92E}
[start explorer]

[*] Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
[*]Click the red Moveit! button.
[*]A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
[*]Close OTMoveIt2
[/list]If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




NEXT


Please download Dr.Web CureIt to the Desktop:
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan.. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.




NEXT


Please download WinsockXPFix from HERE.
  • Double-click on WinsockXPFix and click on Fix
It will ask you to restart your computer in attempt to fix the internet connection. Please do so..


Please post the following logs in your next reply.. Post each log on separate post..

1. OTMoveIt
2. Dr.Web
3. A fresh Deckard System Scanner (after DrWeb step)
4. Tell me about the internet/networking connections...


Regards
fenzodahl512
  • 0

#12
uzi9mm

uzi9mm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Explorer killed successfully
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7230d438-48bd-11dc-91d7-806d6172696f} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7230d438-48bd-11dc-91d7-806d6172696f}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7230d438-48bd-11dc-91d7-806d6172696f}\shellAutocommand- MicroSofts.pif >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7230d438-48bd-11dc-91d7-806d6172696f}\shellAutocommand- MicroSofts.pif\\ not found.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Dot1XCfg >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Dot1XCfg deleted successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C6C4BA2-1646-0F3A-1FAE-B393C162C92E} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C6C4BA2-1646-0F3A-1FAE-B393C162C92E}\\ deleted successfully.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 06292008_220248
  • 0

#13
uzi9mm

uzi9mm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
I did the Dr.Web CureIt short scan and that seemed to fix the Internet connection. I can now surf the net and see our home network.

I'm in the middle of doing the complete scan and once that is done I will post the results here.

Now that the net connection seems to be working, do I still have to run WinsockXPFix?

Edited by uzi9mm, 29 June 2008 - 03:35 PM.

  • 0

#14
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts

Now that the net connection seems to be working, do I still have to run WinsockXPFix?



Nope.. Just post the Dr Web log along with fresh DSS log and then tell me about your computer condition :)
  • 0

#15
uzi9mm

uzi9mm

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
I left it to run overnight, but didn't realise that there would be prompts during the scan that I would have to click on.

Was at the office the whole day so couldn't get it sorted during the day, so I have continued with it now.

How long does this scan take? Seems like its going on forever.

Once its done I will post the results along with DSS.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP