backdoor trojan windows XP



#1
kristinsara

kristinsara

    Member

  • Member
  • 16 posts
I have recently been infected with a virus. The first problems I encountered were redirection of websites, pop-ups, ads, and fake errors. After downloading some anti-spyware those problems went away. Now I am having problems with my C drive being completely filled with random files and I don't know which ones to delete. My control, alt, delete has been disabled, I have various programs that I can't delete such as bat. I tried the fixiedef but I don't think it did anything. If you can help me in any way that would be greatly appreciated. Thank you for your time,


Kristin
  • 0



#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello kristinsara

Welcome to G2Go. :)
=====================

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
kristinsara

kristinsara

    Member

  • Topic Starter
  • Member
  • 16 posts
Deckard's System Scanner v20071014.68
Run by ryan miller on 2008-07-05 18:21:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; disk is full.


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 223 MiB (512 MiB recommended).
System Drive C: has 0 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-05 18:24:54
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Ahead\ODD Toolkit\dvdtray.exe
C:\WINDOWS\CY_BG.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Microsoft ActiveSync\rapimgr.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Bat\X_Bat.exe
C:\Program Files\Dantz\Retrospect\wdsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\ryan miller\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_03\bin\ssv.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\CY_BG.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [pzpmktmz] C:\WINDOWS\system32\yfgvqjgr.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} () - http://codecs.micros...cs/i386/fhg.CAB
O16 - DPF: {53D40FAA-4E21-459F-AA87-E4D97FC3245A} (InstallShield Setup Player V12) - http://www.respondus...m/LDB/setup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgemc.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe service
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\wdsvc.exe


--
End of file - 8665 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R1 SrvcEPECioctl - c:\windows\system32\drivers\ecioctl.sys
R1 SrvcEPIOMngr - c:\windows\system32\drivers\epiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 SrvcTPIOMngr - c:\windows\system32\drivers\tpiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R2 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys
R3 dvd43llh - c:\windows\system32\drivers\dvd43llh.sys <Not Verified; RIF; DVD For Free>
R3 EPOWER (Compal E-POWER Driver) - c:\windows\system32\drivers\hkdrv.sys <Not Verified; Compal Electronic Inc.; EPOWER>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 CY_X00 (USB Storage Adapter ISD-X00 (CY)) - c:\windows\system32\drivers\cy_x00.sys <Not Verified; Cypress Semiconductor; Cypress USB Mass Storage Adapter>
S3 tbhsd (Tunebite High-Speed Dubbing) - c:\windows\system32\drivers\tbhsd.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CeEPwrSvc - c:\program files\toshiba\power management\ceepwrsvc.exe <Not Verified; COMPAL ELECTRONIC INC.; CeEPwrSvc Module>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >
R2 RetroLauncher (Retrospect Launcher) - c:\program files\dantz\retrospect\retrorun.exe <Not Verified; Dantz Development Corporation; Retrospect>
R2 RetroWDSvc (Retrospect WD Service) - c:\progra~1\dantz\retros~1\wdsvc.exe <Not Verified; Dantz Development Corporation; Retrospect>

S2 MSSysInterv1 (MSSysInterv) - c:\windows\winself.exe service (file missing)
S2 Retrospect Helper - "c:\program files\dantz\retrospect\rthlpsvc.exe" <Not Verified; Dantz Development Corporation; Retrospect>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_00011179&REV_03\3&61AAA01&0&FE
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_00011179&REV_03\3&61AAA01&0&FE
Service:


-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-04 03:00:31 0 d-------- C:\Program Files\MSXML 4.0
2008-07-02 18:01:51 0 d-------- C:\Documents and Settings\ryan miller\Application Data\DeepBurner
2008-07-02 18:01:10 0 d-------- C:\Program Files\Astonsoft
2008-07-02 17:20:14 348160 --a------ C:\WINDOWS\system32\WMAFile.dll <Not Verified; NCT Company Ltd.; NCTWMAFile2 ActiveX DLL>
2008-07-02 17:20:14 1212416 --a------ C:\WINDOWS\system32\AudioInfos.dll <Not Verified; NCT Company Ltd.; NCTAudioInformation2 ActiveX DLL>
2008-07-02 17:20:13 1986560 --a------ C:\WINDOWS\system32\AudFile.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
2008-07-02 17:20:12 40960 --a------ C:\WINDOWS\system32\SSubTmr6.dll <Not Verified; vbAccelerator; SSubTmr6>
2008-07-02 17:20:09 82432 --a------ C:\WINDOWS\system32\msxml4r.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-07-02 17:20:08 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>


-- Find3M Report ---------------------------------------------------------------

2008-07-05 17:25:49 0 d-------- C:\Program Files\Bat
2008-07-05 11:08:21 0 d-------- C:\Program Files\Soulseek
2008-06-23 08:37:14 0 d-------- C:\Documents and Settings\ryan miller\Application Data\AVG7
2008-06-11 20:51:32 0 d-------- C:\Documents and Settings\ryan miller\Application Data\Vso
2008-06-11 20:51:32 34 --a------ C:\Documents and Settings\ryan miller\Application Data\pcouffin.log
2008-06-11 20:51:10 47360 --a------ C:\Documents and Settings\ryan miller\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-06-11 20:51:10 1144 --a------ C:\Documents and Settings\ryan miller\Application Data\pcouffin.inf
2008-06-11 20:51:10 7887 --a------ C:\Documents and Settings\ryan miller\Application Data\pcouffin.cat
2008-06-04 21:33:34 0 d-------- C:\Program Files\mpg123dsf
2008-05-09 19:31:48 0 d-------- C:\Program Files\Lavasoft
2008-05-09 19:29:46 0 d-------- C:\Program Files\Common Files
2008-05-09 19:29:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-07 14:29:25 0 d-------- C:\Program Files\PC-Cleaner
2008-05-07 13:14:36 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-05-07 13:14:36 4096 --a------ C:\WINDOWS\system32\winlogonpc.exe
2008-05-07 13:14:36 4096 --a------ C:\WINDOWS\system32\hoproxy.dll
2008-05-07 13:14:36 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-05-07 13:14:35 4096 --a------ C:\WINDOWS\system32\taack.exe
2008-05-07 13:14:35 4096 --a------ C:\WINDOWS\system32\taack.dat
2008-05-07 13:14:35 4096 --a------ C:\WINDOWS\system32\sncntr.exe
2008-05-07 13:14:35 4096 --a------ C:\WINDOWS\system32\mwin32.exe
2008-05-07 13:14:35 4096 --a------ C:\WINDOWS\system32\hxiwlgpm.exe
2008-05-07 13:14:35 4096 --a------ C:\WINDOWS\system32\hxiwlgpm.dat
2008-05-07 13:14:35 4096 --a------ C:\WINDOWS\a.bat
2008-05-07 13:14:34 4096 --a------ C:\WINDOWS\system32\psoft1.exe
2008-05-07 13:14:34 4096 --a------ C:\WINDOWS\system32\psof1.exe
2008-05-07 13:14:34 4096 --a------ C:\WINDOWS\system32\ps1.exe
2008-05-07 13:14:34 4096 --a------ C:\WINDOWS\system32\msnbho.dll
2008-05-07 13:14:34 4096 --a------ C:\WINDOWS\system32\bsva-egihsg52.exe
2008-05-07 13:14:34 4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-05-07 13:14:33 4096 --a------ C:\WINDOWS\system32\ssurf022.dll
2008-05-07 13:14:33 4096 --a------ C:\WINDOWS\system32\netode.exe
2008-05-07 13:14:33 4096 --a------ C:\WINDOWS\system32\mtr2.exe
2008-05-07 13:14:33 4096 --a------ C:\WINDOWS\system32\msgp.exe
2008-05-07 13:14:32 4096 --a------ C:\WINDOWS\system32\temp#01.exe
2008-05-07 13:14:32 4096 --a------ C:\WINDOWS\system32\ssvchost.exe
2008-05-07 13:14:32 4096 --a------ C:\WINDOWS\system32\[email protected]@@k.dll
2008-05-07 13:14:32 4096 --a------ C:\WINDOWS\system32\dpcproxy.exe
2008-05-07 13:14:31 4096 --a------ C:\WINDOWS\system32\ssvchost.com
2008-05-07 13:14:31 4096 --a------ C:\WINDOWS\system32\regm64.dll
2008-05-07 13:14:31 4096 --a------ C:\WINDOWS\system32\regc64.dll
2008-05-07 13:14:31 4096 --a------ C:\WINDOWS\system32\msvchost.exe
2008-05-07 13:14:30 4096 --a------ C:\WINDOWS\system32\Rundl1.exe
2008-05-07 13:14:29 4096 --a------ C:\WINDOWS\winsystem.exe
2008-05-07 13:14:29 4096 --a------ C:\WINDOWS\system32\WINWGPX.EXE
2008-05-07 13:14:29 4096 --a------ C:\WINDOWS\system32\winsystem.exe
2008-05-07 13:14:29 4096 --a------ C:\WINDOWS\system32\vcatchpi.dll
2008-05-07 13:14:29 4096 --a------ C:\WINDOWS\system32\sysreq.exe
2008-05-07 13:14:29 4096 --a------ C:\WINDOWS\system32\newsd32.exe
2008-05-07 13:14:29 4096 --a------ C:\WINDOWS\system32\mssecu.exe
2008-05-07 13:14:29 4096 --a------ C:\WINDOWS\system32\bdn.com
2008-05-07 13:14:29 4096 --a------ C:\WINDOWS\system32\anticipator.dll
2008-05-07 13:14:29 4096 --a------ C:\WINDOWS\system32\akttzn.exe
2008-05-07 13:14:29 4096 --a------ C:\WINDOWS\mssecu.exe
2008-05-07 13:14:29 4096 --a------ C:\WINDOWS\bdn.com
2008-05-07 13:14:28 4096 --a------ C:\WINDOWS\system32\awtoolb.dll
2008-05-07 13:14:27 0 d-------- C:\Program Files\akl
2008-04-30 17:04:33 1160 --a------ C:\WINDOWS\mozver.dat
2008-04-06 17:33:36 14848 --a------ C:\Pebr.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
C:\Program Files\Bat\Bat.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [10/30/2003 05:46 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [07/20/2004 02:04 AM]
"EzButton"="C:\Program Files\EzButton\EzButton.EXE" [07/07/2004 05:25 PM]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [08/19/2004 07:14 PM]
"@"="" []
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [02/03/2004 03:47 PM]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [07/28/2004 05:23 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [11/18/2003 02:24 AM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [11/18/2003 02:11 AM]
"WD Button Manager"="WDBtnMgr.exe" [01/05/2006 09:57 PM C:\WINDOWS\system32\WDBtnMgr.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [04/15/2008 09:57 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/14/2007 07:05 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [04/13/2005 03:48 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"DVDTray"="C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe" [09/03/2004 04:58 AM]
"CY_BG"="C:\WINDOWS\CY_BG.EXE" [04/20/2003 10:11 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [09/05/2003 04:24 AM]
"AIM"="C:\Program Files\AIM\aim.exe" [08/01/2006 04:35 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [06/20/2006 11:36 PM]
"pzpmktmz"="C:\WINDOWS\system32\yfgvqjgr.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeStartMenu"=0 (0x0)
"NoClose"=0 (0x0)
"NoLogOff"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-07-05 18:26:49 ------------


  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Can you tell me where the location is that you see all of the random files getting produced?
==================================================================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    MSSysInterv1 <delete service>
    c:\windows\winself.exe 
    C:\Program Files\PC-Cleaner
    C:\WINDOWS\userconfig9x.dll
    C:\WINDOWS\system32\winlogonpc.exe
    C:\WINDOWS\system32\hoproxy.dll
    C:\WINDOWS\FVProtect.exe
    C:\WINDOWS\system32\taack.exe
    C:\WINDOWS\system32\taack.dat
    C:\WINDOWS\system32\sncntr.exe
    C:\WINDOWS\system32\mwin32.exe
    C:\WINDOWS\system32\hxiwlgpm.exe
    C:\WINDOWS\system32\hxiwlgpm.dat
    C:\WINDOWS\a.bat
    C:\WINDOWS\system32\psoft1.exe
    C:\WINDOWS\system32\psof1.exe
    C:\WINDOWS\system32\ps1.exe
    C:\WINDOWS\system32\msnbho.dll
    C:\WINDOWS\system32\bsva-egihsg52.exe
    C:\WINDOWS\iTunesMusic.exe
    C:\WINDOWS\system32\ssurf022.dll
    C:\WINDOWS\system32\netode.exe
    C:\WINDOWS\system32\mtr2.exe
    C:\WINDOWS\system32\msgp.exe
    C:\WINDOWS\system32\temp#01.exe
    C:\WINDOWS\system32\ssvchost.exe
    C:\WINDOWS\system32\[email protected]@@k.dll
    C:\WINDOWS\system32\dpcproxy.exe
    C:\WINDOWS\system32\ssvchost.com
    C:\WINDOWS\system32\regm64.dll
    C:\WINDOWS\system32\regc64.dll
    C:\WINDOWS\system32\msvchost.exe
    C:\WINDOWS\system32\Rundl1.exe
    C:\WINDOWS\winsystem.exe
    C:\WINDOWS\system32\WINWGPX.EXE
    C:\WINDOWS\system32\winsystem.exe
    C:\WINDOWS\system32\vcatchpi.dll
    C:\WINDOWS\system32\sysreq.exe
    C:\WINDOWS\system32\newsd32.exe
    C:\WINDOWS\system32\mssecu.exe
    C:\WINDOWS\system32\bdn.com
    C:\WINDOWS\system32\anticipator.dll
    C:\WINDOWS\system32\akttzn.exe
    C:\WINDOWS\mssecu.exe
    C:\WINDOWS\bdn.com
    C:\WINDOWS\system32\awtoolb.dll
    C:\Program Files\akl
    C:\Pebr.exe
    C:\Program Files\Bat
    C:\WINDOWS\system32\yfgvqjgr.exe
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=================
After that update your AVG and run a full scan with that and let it delete/quarantine anything it finds.

Then post a new dss log and the OTMoveIt log.
  • 0
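kahdah's move list above is the product of reading the DSS/HijackThis log for a handful of indicators: entries whose target file is already gone ("file missing", "no file"), an O23 service with an unknown publisher, an O4 autorun whose key name and filename look machine-generated, and an O7 policy that disables Task Manager. The Python script below is an added example, not part of this thread and not code from DSS or HijackThis; it automates that first pass over a constructed excerpt in the same line format (the entries are copied from the log posted above). The random-name heuristic and its thresholds are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis/DSS line format. Entries are modelled on the
# log posted in this thread, trimmed to a few lines so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [pzpmktmz] C:\WINDOWS\system32\yfgvqjgr.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe service
""".strip()

VOWELS = set("aeiou")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O7_RE = re.compile(r"^O7 - (?P<key>.+), (?P<value>\w+)=(?P<data>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First executable-looking token in an autorun command line (path may be unquoted).
EXE_RE = re.compile(r'([^\\/"\s]+)\.(?:exe|com|dll|bat|scr)\b', re.IGNORECASE)


def random_looking(name: str, min_len: int = 7, max_vowel_ratio: float = 0.1) -> bool:
    """Assumed heuristic for generated names such as 'pzpmktmz' or 'yfgvqjgr':
    long, all lowercase ASCII letters, and almost no vowels. Short vendor
    names ('avgcc', 'msmsgs') or capitalised ones ('Apoint') are not flagged."""
    if len(name) < min_len or not name.isascii() or not name.isalpha() or not name.islower():
        return False
    return sum(ch in VOWELS for ch in name) / len(name) <= max_vowel_ratio


@dataclass
class Finding:
    line_no: int
    section: str
    reasons: List[str]
    raw: str


def check_line(line: str) -> List[str]:
    """Return the reasons one HijackThis line deserves an analyst's attention."""
    reasons: List[str] = []
    section = line.split(" - ", 1)[0]
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("orphaned entry: referenced file is gone")
    if section == "O7":
        m = O7_RE.match(line)
        if m and m["data"] != "0":
            reasons.append(f"policy restriction {m['value']}={m['data']}")
    elif section == "O4":
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.search(m["cmd"])
            stem = exe.group(1) if exe else ""
            if random_looking(m["key"]) or random_looking(stem):
                reasons.append(f"random-looking autorun name [{m['key']}] -> {m['cmd']}")
    elif section == "O23":
        m = O23_RE.match(line)
        if m and m["owner"] == "Unknown owner":
            reasons.append(f"service with no publisher: {m['path']}")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run check_line over a whole log; one Finding per flagged line."""
    findings: List[Finding] = []
    for no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        reasons = check_line(line)
        if reasons:
            findings.append(Finding(no, line.split(" - ", 1)[0], reasons, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.section}]: {'; '.join(f.reasons)}")
```

The orphaned-entry, unknown-owner and policy checks are exact matches on the log format; the name heuristic is a coarse filter that misses generated names containing vowels and can catch terse vendor abbreviations, so its output is a review list for the analyst, not a verdict. Everything it flags in the sample (the Bat BHO, the nameless toolbar, the pzpmktmz autorun, DisableTaskMgr=1 and the MSSysInterv1 service) is on kahdah's list above.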

#5
kristinsara

kristinsara

    Member

  • Topic Starter
  • Member
  • 16 posts
There are a ton of files in the system32 folder that seem sketchy to me, but I really have no idea if they should be there or not. There have also been folders created in the Windows folder. This was the only thing I could think of that is taking up all of my space in the C drive and I have no idea which ones to delete.
  • 0

#6
kristinsara

kristinsara

    Member

  • Topic Starter
  • Member
  • 16 posts
MSSysInterv1 service deleted successfully.
File/Folder c:\windows\winself.exe not found.
C:\Program Files\PC-Cleaner moved successfully.
LoadLibrary failed for C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\userconfig9x.dll NOT unregistered.
C:\WINDOWS\userconfig9x.dll moved successfully.
C:\WINDOWS\system32\winlogonpc.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hoproxy.dll NOT unregistered.
C:\WINDOWS\system32\hoproxy.dll moved successfully.
C:\WINDOWS\FVProtect.exe moved successfully.
C:\WINDOWS\system32\taack.exe moved successfully.
C:\WINDOWS\system32\taack.dat moved successfully.
C:\WINDOWS\system32\sncntr.exe moved successfully.
C:\WINDOWS\system32\mwin32.exe moved successfully.
C:\WINDOWS\system32\hxiwlgpm.exe moved successfully.
C:\WINDOWS\system32\hxiwlgpm.dat moved successfully.
C:\WINDOWS\a.bat moved successfully.
C:\WINDOWS\system32\psoft1.exe moved successfully.
C:\WINDOWS\system32\psof1.exe moved successfully.
C:\WINDOWS\system32\ps1.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\msnbho.dll NOT unregistered.
C:\WINDOWS\system32\msnbho.dll moved successfully.
C:\WINDOWS\system32\bsva-egihsg52.exe moved successfully.
C:\WINDOWS\iTunesMusic.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssurf022.dll NOT unregistered.
C:\WINDOWS\system32\ssurf022.dll moved successfully.
C:\WINDOWS\system32\netode.exe moved successfully.
C:\WINDOWS\system32\mtr2.exe moved successfully.
C:\WINDOWS\system32\msgp.exe moved successfully.
C:\WINDOWS\system32\temp#01.exe moved successfully.
C:\WINDOWS\system32\ssvchost.exe moved successfully.
< C:\WINDOWS\system32\[email protected]@@k.dll >
LoadLibrary failed for C:\WINDOWS\system32\[email protected]@@k.dll
C:\WINDOWS\system32\[email protected]@@k.dll NOT unregistered.
C:\WINDOWS\system32\[email protected]@@k.dll moved successfully.
C:\WINDOWS\system32\dpcproxy.exe moved successfully.
C:\WINDOWS\system32\ssvchost.com moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\regm64.dll NOT unregistered.
C:\WINDOWS\system32\regm64.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regc64.dll NOT unregistered.
C:\WINDOWS\system32\regc64.dll moved successfully.
C:\WINDOWS\system32\msvchost.exe moved successfully.
C:\WINDOWS\system32\Rundl1.exe moved successfully.
C:\WINDOWS\winsystem.exe moved successfully.
C:\WINDOWS\system32\WINWGPX.EXE moved successfully.
C:\WINDOWS\system32\winsystem.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\vcatchpi.dll NOT unregistered.
C:\WINDOWS\system32\vcatchpi.dll moved successfully.
C:\WINDOWS\system32\sysreq.exe moved successfully.
C:\WINDOWS\system32\newsd32.exe moved successfully.
C:\WINDOWS\system32\mssecu.exe moved successfully.
C:\WINDOWS\system32\bdn.com moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\anticipator.dll NOT unregistered.
C:\WINDOWS\system32\anticipator.dll moved successfully.
C:\WINDOWS\system32\akttzn.exe moved successfully.
C:\WINDOWS\mssecu.exe moved successfully.
C:\WINDOWS\bdn.com moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\awtoolb.dll NOT unregistered.
C:\WINDOWS\system32\awtoolb.dll moved successfully.
C:\Program Files\akl moved successfully.
C:\Pebr.exe moved successfully.
Folder move failed. C:\Program Files\Bat scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\yfgvqjgr.exe not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07052008_191515

Files moved on Reboot...
C:\Program Files\Bat moved successfully.
  • 0
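The analyst's next step after a log like the one above is to confirm that every requested item was actually handled: moved, moved after the reboot, not found, or still pending. The Python below is an added example, not part of this thread and not code from OTMoveIt2; it parses a constructed excerpt in OTMoveIt2's log format (lines drawn from the log above) into those buckets and reports anything still outstanding. The bucket names are my own.

```python
import re
from typing import Dict, List

# Constructed excerpt in OTMoveIt2's log format, modelled on the log posted above.
SAMPLE_OTMOVEIT_LOG = r"""
MSSysInterv1 service deleted successfully.
File/Folder c:\windows\winself.exe not found.
C:\Program Files\PC-Cleaner moved successfully.
LoadLibrary failed for C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\userconfig9x.dll NOT unregistered.
C:\WINDOWS\userconfig9x.dll moved successfully.
Folder move failed. C:\Program Files\Bat scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\yfgvqjgr.exe not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr >
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07052008_191515

Files moved on Reboot...
C:\Program Files\Bat moved successfully.
""".strip()

# Order matters: the generic "moved successfully" pattern is tried last.
PATTERNS = [
    ("not_found", re.compile(r"^File/Folder (?P<item>.+) not found\.$")),
    ("scheduled", re.compile(r"^Folder move failed\. (?P<item>.+) scheduled to be moved on reboot\.$")),
    ("registry_deleted", re.compile(r"^Registry value (?P<item>.+) deleted successfully\.$")),
    ("service_deleted", re.compile(r"^(?P<item>\S+) service deleted successfully\.$")),
    ("moved", re.compile(r"^(?P<item>.+) moved successfully\.$")),
]


def summarize(log: str) -> Dict[str, List[str]]:
    """Bucket each result line; moves reported after 'Files moved on Reboot...'
    go into their own bucket so they can be matched against scheduled items."""
    result: Dict[str, List[str]] = {name: [] for name, _ in PATTERNS}
    result["moved_on_reboot"] = []
    in_reboot_section = False
    for raw in log.splitlines():
        line = raw.strip()
        # Blank lines, "< item >" echo lines and LoadLibrary/unregister notes carry no outcome.
        if not line or line.startswith("<"):
            continue
        if line.startswith("Files moved on Reboot"):
            in_reboot_section = True
            continue
        for name, pat in PATTERNS:
            m = pat.match(line)
            if m:
                bucket = "moved_on_reboot" if (name == "moved" and in_reboot_section) else name
                result[bucket].append(m["item"])
                break
    return result


def outstanding(summary: Dict[str, List[str]]) -> List[str]:
    """Items scheduled for reboot that the log never reports as moved afterwards."""
    moved_later = {p.lower() for p in summary["moved_on_reboot"]}
    return [p for p in summary["scheduled"] if p.lower() not in moved_later]


if __name__ == "__main__":
    s = summarize(SAMPLE_OTMOVEIT_LOG)
    for bucket, items in s.items():
        print(f"{bucket}: {len(items)}")
    print("outstanding:", outstanding(s) or "none")
```

"Not found" items are worth a second look rather than being ignored: in the log above both yfgvqjgr.exe and winself.exe were absent on disk even though their autorun and service entries were still present, which is exactly why the registry and service entries were removed separately.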

#7
kristinsara

kristinsara

    Member

  • Topic Starter
  • Member
  • 16 posts
When I try to update AVG it says an error has occurred and the update cannot be completed. Should I still post the dss log?
  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok just try and run a full scan anyway.
Then let me know if it finds anything.
Also after that post a new dss log.
  • 0

#9
kristinsara

kristinsara

    Member

  • Topic Starter
  • Member
  • 16 posts
I ran the scan and it didn't find anything; it only changed kernel32.dll, shell32.dll and ntoskrnl.exe. I'll post the new dss log now.
  • 0

#10
kristinsara

kristinsara

    Member

  • Topic Starter
  • Member
  • 16 posts
Deckard's System Scanner v20071014.68
Run by ryan miller on 2008-07-05 20:31:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 223 MiB (512 MiB recommended).
System Drive C: has 0 GiB (less than 15%) free.


-- HijackThis (run as ryan miller.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:38 PM, on 7/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\WINDOWS\CY_BG.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\ryan miller\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\RYANMI~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_03\bin\ssv.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\CY_BG.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [pzpmktmz] C:\WINDOWS\system32\yfgvqjgr.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {53D40FAA-4E21-459F-AA87-E4D97FC3245A} (InstallShield Setup Player V12) - http://www.respondus...m/LDB/setup.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

--
End of file - 7564 bytes

-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-05 20:27:29 0 d-------- C:\Program Files\Trend Micro
2008-07-04 03:00:31 0 d-------- C:\Program Files\MSXML 4.0
2008-07-02 18:01:51 0 d-------- C:\Documents and Settings\ryan miller\Application Data\DeepBurner
2008-07-02 18:01:10 0 d-------- C:\Program Files\Astonsoft
2008-07-02 17:20:14 348160 --a------ C:\WINDOWS\system32\WMAFile.dll <Not Verified; NCT Company Ltd.; NCTWMAFile2 ActiveX DLL>
2008-07-02 17:20:14 1212416 --a------ C:\WINDOWS\system32\AudioInfos.dll <Not Verified; NCT Company Ltd.; NCTAudioInformation2 ActiveX DLL>
2008-07-02 17:20:13 1986560 --a------ C:\WINDOWS\system32\AudFile.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
2008-07-02 17:20:12 40960 --a------ C:\WINDOWS\system32\SSubTmr6.dll <Not Verified; vbAccelerator; SSubTmr6>
2008-07-02 17:20:09 82432 --a------ C:\WINDOWS\system32\msxml4r.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>
2008-07-02 17:20:08 44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft® MSXML 4.0 SP1>


-- Find3M Report ---------------------------------------------------------------

2008-07-05 19:46:15 0 d-------- C:\Documents and Settings\ryan miller\Application Data\AVG7
2008-07-05 11:08:21 0 d-------- C:\Program Files\Soulseek
2008-06-11 20:51:32 0 d-------- C:\Documents and Settings\ryan miller\Application Data\Vso
2008-06-11 20:51:32 34 --a------ C:\Documents and Settings\ryan miller\Application Data\pcouffin.log
2008-06-11 20:51:10 47360 --a------ C:\Documents and Settings\ryan miller\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-06-11 20:51:10 1144 --a------ C:\Documents and Settings\ryan miller\Application Data\pcouffin.inf
2008-06-11 20:51:10 7887 --a------ C:\Documents and Settings\ryan miller\Application Data\pcouffin.cat
2008-06-04 21:33:34 0 d-------- C:\Program Files\mpg123dsf
2008-05-09 19:31:48 0 d-------- C:\Program Files\Lavasoft
2008-05-09 19:29:46 0 d-------- C:\Program Files\Common Files
2008-05-09 19:29:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-30 17:04:33 1160 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{63F7460B-C831-4142-A4AA-5EC303EC4343}]
C:\Program Files\Bat\Bat.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [10/30/2003 05:46 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [07/20/2004 02:04 AM]
"EzButton"="C:\Program Files\EzButton\EzButton.EXE" [07/07/2004 05:25 PM]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [08/19/2004 07:14 PM]
"@"="" []
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [02/03/2004 03:47 PM]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [07/28/2004 05:23 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [11/18/2003 02:24 AM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [11/18/2003 02:11 AM]
"WD Button Manager"="WDBtnMgr.exe" [01/05/2006 09:57 PM C:\WINDOWS\system32\WDBtnMgr.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [04/15/2008 09:57 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/14/2007 07:05 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [04/13/2005 03:48 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"DVDTray"="C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe" [09/03/2004 04:58 AM]
"CY_BG"="C:\WINDOWS\CY_BG.EXE" [04/20/2003 10:11 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [09/05/2003 04:24 AM]
"AIM"="C:\Program Files\AIM\aim.exe" [08/01/2006 04:35 PM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [06/20/2006 11:36 PM]
"pzpmktmz"="C:\WINDOWS\system32\yfgvqjgr.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeStartMenu"=0 (0x0)
"NoClose"=0 (0x0)
"NoLogOff"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-07-05 20:31:59 ------------
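An added triage helper (not part of this thread, DSS or HijackThis) that parses O2/O3/O4 lines like those in the log above and flags the two patterns a helper looks at first: registrations whose file is already gone, and autostart entries with random-looking names such as the HKCU Run entry pointing at yfgvqjgr.exe. The sample lines are copied from the log; the regexes and the vowel-ratio threshold are my own assumptions.

```python
import re

# Constructed sample: HijackThis lines copied from the DSS log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BatBHO - {63F7460B-C831-4142-A4AA-5EC303EC4343} - C:\Program Files\Bat\Bat.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [pzpmktmz] C:\WINDOWS\system32\yfgvqjgr.exe
O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
"""

# O4 registry Run entries look like "[value name] path [args]"; Startup-folder
# entries look like "name.lnk = path". Both regexes are my own, not HijackThis's.
RUN_RE = re.compile(r'^O4 - .*?\[(?P<name>[^\]]+)\]\s+"?(?P<path>[^"]+?\.(?:exe|com|dll|scr))', re.I)
LNK_RE = re.compile(r'^O4 - (?:Global )?Startup: (?P<name>.+?\.lnk) = (?P<path>.+)$', re.I)

def looks_random(token: str) -> bool:
    """Crude test for generated names: lowercase letters only, 7+ chars,
    under 20% vowels (assumed threshold). Expect false positives."""
    if not token.isalpha() or not token.islower() or len(token) < 7:
        return False
    return sum(c in "aeiou" for c in token) / len(token) < 0.2

def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for lines worth a human second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        # BHO/toolbar entries whose file is gone: leftover registration to clean up.
        if "(file missing)" in line or "(no file)" in line:
            findings.append(("orphaned entry", line))
            continue
        m = RUN_RE.match(line) or LNK_RE.match(line)
        if not m:
            continue
        exe = m.group("path").replace("\\", "/").rsplit("/", 1)[-1]
        base = exe.rsplit(".", 1)[0]
        if looks_random(m.group("name")) or looks_random(base):
            findings.append(("random-looking autostart name", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:30} {line}")
```

The heuristic also flags Toshiba's toscdspd.exe, which is the point of the exercise: it is a triage aid that tells a human where to look (vendor path, file date, signature), not a verdict.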
#11
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================================
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Step 1: Download the eScan Antivirus Toolkit Here. Save it to the Desktop, it is roughly 10MB in size. Before running the program we need to update the signature files first in Step 2.

Step 2: Updating the eScan Antivirus Toolkit with the latest files:
1.) Double-click on the mwav.exe file saved to the Desktop; it will extract the program files to a new folder called Kaspersky at the root of the C:\ drive (C:\Kaspersky).
2.) Double-click on My Computer, double-click on the Hard Drive (usually the C:\ drive), find and double-click on the Kaspersky folder; inside the Kaspersky folder, find and double-click on the kavupd.exe file. Double-clicking on the kavupd.exe file opens the Windows command prompt (DOS screen) and updates the program with all the latest signature files.
3.) After the update is complete, the bottom of the command prompt will read "Press any key to continue"; press any key to close the screen. Close eScan for now. You need to also close all Windows Explorer windows (or "My Computer" windows) to allow a refresh.
4.) *Important*: in order to complete the update process, you must now do the following:
  • Using Windows Explorer (or "My Computer"), go to C:\Downloads and "Copy" all files present in that folder
  • "Paste" the files in C:\Kaspersky
  • Allow the overwriting of existing files, when prompted
  • Close Windows Explorer
Please do not run a scan with the eScan Antivirus Toolkit utility yet.

Step 3: Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Step 4: From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) To run the eScan Antivirus Toolkit program, look for a file called mwavscan.com inside the C:\Kaspersky folder.
2.) Double-click on the mwavscan.com file; this will open the eScan program.
3.) With the eScan interface on your Desktop, make sure that these boxes under Scan Option are checked : Memory, Registry, Startup Folders, System Folders, Services.
4.) Check the Drive box, this will enable the All Local Drives radio button below it. Make sure it is activated.
5.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
6.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. When the scan has finished it will read Scan Completed. Do not Exit the tool just yet.
7.) Open a new NotePad file (click on "Start" >> "All Programs" >>"Accessories" >> "NotePad"), then Copy/Paste the content of the Virus Log Information window into that file, and save it. eScan also creates a full log inside the C:\Kaspersky folder (named mwav.log), but it is huge and cannot be posted on a forum. Please post the content of the log you have saved (into NotePad) in your next reply, once all steps are completed. Reboot your computer into normal Windows.


#12
kristinsara

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I'm sorry but I have to go now. I will get the cleaner and follow your directions tomorrow. Hopefully you will be around. Thank you for all your help so far.

#13
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
That's fine, I will be around :)
You are welcome.

#14
kristinsara

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
So I am back now, sorry about that. kahdah, I hope you are around now! If not, that is no problem. I am about to do the eScan and after that I will post my results. Also, after freeing up some space on my C:\ I was able to update AVG. I hope I have enough space to go through with this scan; I'm running out of things to delete! Ha, thanks again
Kristin

#15
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Ok.