Problems with: Web browsers, Internet, Search engines, antivirus softw

  • This topic is locked

#1 ciregno (Member, 48 posts)
Hello Geeks to Go,

So here is my problem. One day I was on tennis.com looking at scoreboards and out of nowhere I got loads of updates from Sophos saying that my computer had been affected by trojans. Vundo, I believe, seems to be one of them. I ran non-stop scans with multiple antivirus programs, which include: Ad-Aware, Spybot - Search & Destroy, Sophos, Kaspersky, AVG, and Malwarebytes' Anti-Malware. This problem has been ongoing for quite a while; I'd say around a month now, but it has gotten much worse. I never ran any of these programs at the same time because I was told never to do that. I ran Ad-Aware and it couldn't update itself after my first scan. I deleted it and went with Spybot, and it would pick up trojans and delete them, but updates would never be allowed. I deleted Spybot and tried out Kaspersky, AVG, and Sophos, which all picked up trojans and deleted them but wouldn't be able to update after a week or so. I would scan again using one program at a time and they'd never pick anything up after the first scans. Then I used Malwarebytes and it picked up 19 different threats even though the other programs didn't pick anything up. Now Malwarebytes can't update, and my internet crashes after an hour or two. Web browsers don't work and my computer ends up running really slowly. Even when I try to shut it down, it just stops at the "shutting down" blue screen but never actually shuts down unless I force it to.

While using Google, I'd click on a site but it would direct me to a completely different site. If I press back and click the link again, it loads properly. I got the blue screen of death once too, when I tried to shut down my web browser a long time ago.

One major thing, though, is that this is happening on my school's network. I use an Ethernet cable and am plugged in to get internet; wireless networks are slow. I have no access to a router of any sort since it is on my college's network. I can't even repair my network connection, and if I disable it and try to enable it, it won't let me enable it. My university REQUIRES that we use Sophos. It is installed and must be used in order for my computer to be registered on the school network.

I will post the log file of a scan that I ran today with Malwarebytes, which picked up 19 different threats that were supposedly removed. My computer still isn't working correctly after I removed them.

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/15/2009 8:38:01 PM
mbam-log-2009-04-15 (20-38-01).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 208418
Time elapsed: 2 hour(s), 1 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c1c6426b-fb16-4123-acbe-74d94fb0e663} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0037d199-2070-4643-860d-e4b471b3f4b1} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctekijovapupi (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Eric Ong\Application Data\nidle (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\ohuhovojamaz.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekaoyojdvjt.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekabakkwodh.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekayendhsva.dat (Trojan.Agent) -> Quarantined and deleted successfully.

After this scan, I was asked to reboot the computer.

I don't have any previous log files since most of my antivirus software was removed. If there is any information that you need, please let me know and I will try to get it.

Any help would be appreciated. Thanks!

Edited by ciregno, 15 April 2009 - 09:58 PM.

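The Malwarebytes log in the post above is a compact map of where this infection persisted: a Run value, a service registered in three control sets with a kernel driver file behind it, two Explorer load points, IE add-on and search-scope entries, and a Security Center value that switches off update warnings. The script below is an added example, not code from this thread, from Geeks to Go or from Malwarebytes: it parses the result lines of an MBAM 1.x log, labels each detection by the mechanism it represents, and lists the items MBAM could only mark "Delete on reboot", which is why the log ends with a reboot prompt. The class, function and category names are this example's own, and the sample input is constructed from the 19 result lines of the log above.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x scan log by persistence mechanism.

Added example, not code from the forum post or from Malwarebytes: it reads the
"<location> (<family>) -> <action>" result lines, labels each hit by where it
lives, and lists what MBAM could only schedule for "Delete on reboot".
"""
import re
from collections import Counter
from dataclasses import dataclass

# Sample input constructed from the 19 result lines of the log in the post above.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c1c6426b-fb16-4123-acbe-74d94fb0e663} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0037d199-2070-4643-860d-e4b471b3f4b1} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctekijovapupi (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\Eric Ong\Application Data\nidle (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\ohuhovojamaz.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekaoyojdvjt.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekabakkwodh.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekayendhsva.dat (Trojan.Agent) -> Quarantined and deleted successfully.
"""

RESULT = re.compile(r"^(?P<location>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


@dataclass
class Detection:
    section: str   # "Registry Keys", "Registry Values", "Files", ...
    location: str  # registry path or file-system path
    family: str    # MBAM detection name, e.g. Trojan.Vundo
    action: str    # what MBAM did with it

    @property
    def pending_reboot(self) -> bool:
        # Locked item: it is only gone once Windows restarts.
        return self.action.startswith("Delete on reboot")

    @property
    def mechanism(self) -> str:
        loc = self.location.lower()
        if self.section == "Folders":
            return "folder on disk"
        if self.section == "Files":
            return "kernel driver file" if loc.endswith(".sys") else "file on disk"
        if "\\security center\\" in loc:
            return "security tamper"        # silences Security Center alerts
        if "\\currentversion\\run\\" in loc:
            return "autorun (Run key)"
        if "\\services\\" in loc:
            return "service/driver registration"
        if "sharedtaskscheduler" in loc or "shellserviceobjectdelayload" in loc:
            return "Explorer load point"    # DLL loaded by explorer.exe at logon
        if "\\ext\\stats\\" in loc:
            return "browser add-on record"
        if "searchscopes" in loc:
            return "browser search hijack"
        return "registry trace"


def parse_mbam_log(text: str) -> list[Detection]:
    """Walk the '... Infected:' sections; one Detection per result line."""
    section, found = "", []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(" Infected:"):
            section = line[: -len(" Infected:")]
            continue
        m = RESULT.match(line)
        if m and section:
            found.append(Detection(section, m["location"], m["family"], m["action"]))
    return found


def summarize(dets: list[Detection]) -> dict:
    return {
        "total": len(dets),
        "by_mechanism": Counter(d.mechanism for d in dets),
        "by_family": Counter(d.family for d in dets),
        "pending_reboot": [d.location for d in dets if d.pending_reboot],
    }


if __name__ == "__main__":
    s = summarize(parse_mbam_log(SAMPLE_LOG))
    print(f"{s['total']} detections")
    for mech, n in s["by_mechanism"].most_common():
        print(f"  {n:2d}  {mech}")
    print("pending reboot:", *s["pending_reboot"], sep="\n  ")
```

Run as-is it reports 19 detections, three of them the same service name in different control sets (the rootkit driver's registration survives a ControlSet swap) and two locked items still waiting for the reboot; re-running the scan after the restart and diffing the "pending reboot" list is the check that the cleanup actually completed.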


#2 fenzodahl512 (Malware Removal, 9,863 posts)
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

When finished, it will produce a log for you. Post that log and a fresh HijackThis log in your next reply.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.

#3 ciregno (Topic Starter, Member, 48 posts)
fenzodahl512,

I can't seem to find a way to disable my Sophos antivirus software, unless I delete the entire program, which I don't think would allow me onto my school's network anymore. The bleepingcomputer.com link doesn't explain how to disable Sophos, unless I'm missing it. Thanks.

Edited by ciregno, 16 April 2009 - 10:24 AM.


#4 ciregno (Topic Starter, Member, 48 posts)
*delete post.

Edited by ciregno, 16 April 2009 - 04:55 PM.


#5 ciregno (Topic Starter, Member, 48 posts)
ComboFix 09-04-17.01 - Eric Ong 04/16/2009 19:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.991.410 [GMT -4:00]
Running from: c:\documents and settings\Eric Ong\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Eric Ong\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\bsnzafqa.bin
c:\windows\system32\cfg.dat
c:\windows\wiaserviv.log
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-16 22:59 . 2009-04-16 22:59 -------- d-----w c:\program files\Trend Micro
2009-04-15 20:35 . 2009-04-15 20:35 -------- d-----w c:\documents and settings\Eric Ong\Application Data\Malwarebytes
2009-04-15 20:35 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-15 20:35 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-15 20:35 . 2009-04-15 20:35 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-15 20:35 . 2009-04-15 20:35 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-15 15:42 . 2009-04-15 15:42 -------- d-----w C:\ERDNT
2009-03-30 00:18 . 2009-03-30 00:19 -------- d-----w c:\program files\Windows Live Safety Center
2009-03-23 21:22 . 2009-04-16 20:17 -------- d--h--w C:\$AVG8.VAULT$
2009-03-23 21:01 . 2009-03-23 21:01 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-03-23 21:01 . 2009-03-27 15:19 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-23 21:01 . 2009-03-23 21:01 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-23 21:01 . 2009-04-16 19:30 -------- d-----w c:\windows\system32\drivers\Avg
2009-03-23 21:01 . 2009-03-23 21:01 -------- d-----w c:\program files\AVG
2009-03-23 21:01 . 2009-03-27 22:53 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-22 19:18 . 2009-03-22 19:18 -------- d-----w c:\documents and settings\Eric Ong\Local Settings\Application Data\{B73B15CD-1431-4F36-AB86-61F5DCC7604A}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 23:15 . 2006-09-19 22:36 2021 ----a-w C:\hpqp.ini
2009-04-16 23:12 . 2006-09-19 22:36 39 ----a-w C:\XP_TV.ini
2009-04-16 22:59 . 2006-11-25 05:11 -------- d-----w c:\documents and settings\Eric Ong\Application Data\U3
2009-04-16 22:58 . 2007-02-12 04:26 -------- d-----w c:\documents and settings\Eric Ong\Application Data\tunebite
2009-04-13 21:58 . 2009-01-26 00:14 93420 ----a-w c:\windows\system32\drivers\d5461be5.sys
2009-04-03 07:05 . 2006-11-25 05:22 -------- d-----w c:\documents and settings\Eric Ong\Application Data\uTorrent
2009-03-28 14:52 . 2009-03-07 03:39 -------- d-----w c:\documents and settings\Eric Ong\Application Data\dvdcss
2009-03-24 01:26 . 2006-12-04 20:15 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-23 21:04 . 2006-12-04 20:15 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-08 03:00 . 2009-03-08 03:00 -------- d-----w c:\documents and settings\All Users\Application Data\TVU Networks
2009-03-02 16:39 . 2009-03-02 16:28 -------- d-----w c:\documents and settings\Eric Ong\Application Data\vlc
2009-03-02 16:27 . 2009-03-02 16:27 -------- d-----w c:\program files\VideoLAN
2009-02-27 12:07 . 2008-02-18 20:47 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-27 00:21 . 2008-03-23 21:55 -------- d-----w c:\documents and settings\Eric Ong\Application Data\Move Networks
2009-02-26 18:55 . 2007-08-27 23:22 38528 ----a-w c:\windows\system32\drivers\savonaccessfilter.sys
2009-02-26 18:55 . 2007-08-27 23:22 110848 ----a-w c:\windows\system32\drivers\savonaccesscontrol.sys
2009-02-18 22:38 . 2009-02-18 22:38 157062 ----a-w c:\program files\12639-utorrent.a5ee.dmp
2009-02-16 07:34 . 2009-02-16 07:34 -------- d-----w c:\documents and settings\Eric Ong\Application Data\InstallShield
2009-02-09 11:13 . 2008-10-14 20:28 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2006-03-16 04:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 05:13 . 2006-11-25 05:20 270128 -c--a-w c:\program files\utorrent.exe
2009-01-26 00:55 . 2009-01-26 00:56 410984 ----a-w c:\windows\system32\deploytk.dll
2009-01-17 02:35 . 2006-09-14 08:31 3594752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-03-01 21:19 . 2006-11-25 13:18 8224 -c--a-w c:\documents and settings\Eric Ong\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-11-25 13:18 . 2006-11-25 13:18 131 ----a-w c:\documents and settings\Eric Ong\Local Settings\Application Data\fusioncache.dat
2006-09-19 23:16 . 2006-09-19 22:05 51192 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-09-19 22:05 . 2006-09-19 22:05 136 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2008-08-24 12:16 . 2008-08-24 12:16 32768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082420080825\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"tunebite.exe"="c:\program files\Tunebite\tunebite.exe" [2007-02-12 2695168]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-19 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-12 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-05-30 40960]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-26 136600]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-23 1932568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-18 7585792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-12 185784]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [2006-5-9 73728]

c:\documents and settings\Eric Ong\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2007-10-16 3450608]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-1-28 245760]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-23 21:01 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\utorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7524:TCP"= 7524:TCP:BitComet 7524 TCP
"7524:UDP"= 7524:UDP:BitComet 7524 UDP
"27364:TCP"= 27364:TCP:BitComet 27364 TCP
"27364:UDP"= 27364:UDP:BitComet 27364 UDP

R1 d5461be5;d5461be5;c:\windows\System32\drivers\d5461be5.sys [2009-04-13 93420]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys [2006-06-06 61952]
R3 w600bus;Sony Ericsson W600 driver (WDM);c:\windows\system32\DRIVERS\w600bus.sys [2005-08-15 60928]
R3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;c:\windows\system32\DRIVERS\w600mdfl.sys [2005-08-15 8336]
R3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;c:\windows\system32\DRIVERS\w600mdm.sys [2005-08-15 96672]
R3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;c:\windows\system32\DRIVERS\w600mgmt.sys [2005-08-15 88080]
R3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\w600obex.sys [2005-08-15 85952]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2008-09-30 14976]
S1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-03-23 325640]
S1 avgtdix;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-03-27 108552]
S1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys [2009-02-26 110848]
S1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys [2009-02-26 38528]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-23 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-23 298264]
S2 savadminservice;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2008-10-27 69632]
S2 savservice;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2008-09-30 98304]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5553175-ee43-11dc-8bfe-0016369fcbdc}]
\Shell\AutoRun\command - "G:\Install FreeAgent Tools.exe" /run
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
- - - - ORPHANS REMOVED - - - -

Notify-cbxndwxo - cbXNDwXo.dll
Notify-gebqnkhw - geBqnkHw.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-16 19:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????<?@? ????O??????Y?@?????<?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•Ôw*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1160)
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\LVCOMSX.EXE
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Vongo\VongoService.exe
c:\windows\system32\searchindexer.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-04-16 19:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-16 23:22

Pre-Run: 3,782,033,408 bytes free
Post-Run: 9,523,064,832 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

241 --- E O F --- 2009-03-21 18:44

Edited by ciregno, 16 April 2009 - 05:33 PM.
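Two parts of the ComboFix log above are worth extracting with a script rather than reading by eye. The service table prints one line per non-default service as `<R|S><n> name;display;path [date size]`, where R/S is running/stopped and the digit is the Windows start type (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled); boot- and system-start drivers are mapped before any user-mode scanner runs, so sorting them by file date is the fastest way to spot a recently dropped driver like the seneka.sys in the Malwarebytes log. The firewall policy keys list the programs and ports the poster allowed through the XP firewall. The script below is an added example, not code from this thread, from Geeks to Go or from ComboFix; its class and function names are its own, and the sample input is constructed from lines of the log above.

```python
"""Pull the service table and firewall exceptions out of a ComboFix log.

Added example, not code from the forum post or from ComboFix. Service lines
read "<R|S><n> name;display;path [date size]": R/S = running/stopped and n =
Windows start type. Boot/system-start drivers are listed newest first.
"""
import re
from dataclasses import dataclass

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
SERVICE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$"
)

# Sample input constructed from lines of the ComboFix log in the post above.
SAMPLE_LOG = r"""
R1 d5461be5;d5461be5;c:\windows\System32\drivers\d5461be5.sys [2009-04-13 93420]
R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys [2006-06-06 61952]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2008-09-30 14976]
S1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-03-23 325640]
S1 avgtdix;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-03-27 108552]
S1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys [2009-02-26 110848]
S1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys [2009-02-26 38528]
S2 savservice;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2008-09-30 98304]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\utorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7524:TCP"= 7524:TCP:BitComet 7524 TCP
"7524:UDP"= 7524:UDP:BitComet 7524 UDP
"27364:TCP"= 27364:TCP:BitComet 27364 TCP
"27364:UDP"= 27364:UDP:BitComet 27364 UDP
"""


@dataclass
class Service:
    name: str
    display: str
    path: str
    running: bool
    start: int      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    date: str       # file date ComboFix printed for the image
    size: int

    @property
    def start_type(self) -> str:
        return START_TYPES[self.start]

    @property
    def early_loader(self) -> bool:
        # Kernel driver mapped at boot or system start, ahead of user-mode AV.
        return self.start <= 1 and self.path.lower().endswith(".sys")


def parse_services(text: str) -> list[Service]:
    out = []
    for line in text.splitlines():
        m = SERVICE.match(line.strip())
        if m:
            out.append(Service(m["name"], m["display"].strip(), m["path"],
                               m["state"] == "R", int(m["start"]),
                               m["date"], int(m["size"])))
    return out


def early_loaders(services: list[Service]) -> list[Service]:
    """Boot/system-start drivers, newest file date first (sort is stable)."""
    return sorted((s for s in services if s.early_loader),
                  key=lambda s: s.date, reverse=True)


def parse_firewall(text: str) -> tuple[list[str], list[tuple[int, str, str]]]:
    """Return (exempt program paths, [(port, proto, description), ...])."""
    apps, ports, section = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and "firewallpolicy" in line.lower():
            section = "apps" if "AuthorizedApplications" in line else "ports"
        elif line.startswith("[") or not line:
            section = None
        elif section == "apps":
            # The registry export doubles every backslash; undo that.
            apps.append(line.split('"')[1].replace("\\\\", "\\"))
        elif section == "ports":
            port, proto, desc = line.split("= ", 1)[1].split(":", 2)
            ports.append((int(port), proto, desc))
    return apps, ports


if __name__ == "__main__":
    svcs = parse_services(SAMPLE_LOG)
    for s in early_loaders(svcs):
        state = "running" if s.running else "stopped"
        print(f"{s.date} {s.start_type:7} {state:8} {s.name:20} {s.path}")
    apps, ports = parse_firewall(SAMPLE_LOG)
    print(f"{len(apps)} firewall-exempt programs; open ports:",
          ", ".join(f"{p}/{proto}" for p, proto, _ in ports))
```

On the sample the newest early loader is the `d5461be5` system-start driver dated 2009-04-13, ahead of the AVG and Sophos on-access drivers; that ordering says nothing about whether a driver is malicious, only which one a reviewer should look at first. The firewall output shows the two BitComet ports and the uTorrent exception, which matter on a campus network where the machine is directly reachable.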

#6 ciregno (Topic Starter, Member, 48 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:07 PM, on 4/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tunebite\tunebite.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Vongo\VongoService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Sophos Web Content Scanner - {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\Tunebite\tunebite.exe -hidden
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [java_sun] Java (Sun)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1188254865197
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1188254842197
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sophos Anti-Virus status reporter (savadminservice) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (savservice) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service (sophos autoupdate service) - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

--
End of file - 11715 bytes

Attached Files


  • 0

#7
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
You have two antivirus programs, Sophos and AVG Free.. Uninstall one of them..

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
d5461be5

File::
C:\hpqp.ini
C:\XP_TV.ini
c:\windows\system32\drivers\d5461be5.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0
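The two things the helper picks out of the log above (two resident antivirus products running side by side, and a driver with a random-looking name, d5461be5, to remove) are exactly what a first-pass triage script can surface automatically. The Python below is an added example; it is not a tool from this thread, from HijackThis or from Geeks to Go. The vendor-to-product mapping and the random-name heuristic are my own assumptions, and the sample lines are copied from the HijackThis log posted above.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\Tunebite\tunebite.exe -hidden
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Sophos Anti-Virus (savservice) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service (sophos autoupdate service) - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
"""

# Vendor -> product family for the resident antivirus engines seen in this log.
# Constructed mapping (an assumption); extend it for other vendors. Lavasoft Ad-Aware
# is left out because it is an anti-spyware scanner, not a second resident AV engine.
AV_VENDORS = {
    "Sophos Plc": "Sophos Anti-Virus",
    "AVG Technologies CZ, s.r.o.": "AVG Free 8",
}

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
SHORT_RE = re.compile(r"\((?P<short>[^()]+)\)$")   # "(avg8wd)" at the end of a display name


def parse_hjt(text):
    """Pull the registry Run entries, unknown LSP entries and services out of a HijackThis log."""
    out = {"run": [], "lsp": [], "services": []}
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            out["run"].append(m.groupdict())
            continue
        m = LSP_RE.match(line)
        if m:
            out["lsp"].append(m.group("path"))
            continue
        m = SVC_RE.match(line)
        if m:
            entry = m.groupdict()
            s = SHORT_RE.search(entry["display"])
            entry["short"] = s.group("short") if s else entry["display"]
            out["services"].append(entry)
    return out


def looks_generated(name):
    """Heuristic (my assumption): a short all-hex name mixing several digits and letters,
    such as d5461be5, is typical of a dropped driver; product names almost never look like this."""
    n = name.lower()
    if not 6 <= len(n) <= 12 or not re.fullmatch(r"[0-9a-f]+", n):
        return False
    digits = sum(c.isdigit() for c in n)
    return digits >= 2 and len(n) - digits >= 2


def triage(text, extra_names=()):
    """Summarise what a helper looks at first: resident AV products, odd names, unknown LSP entries.
    extra_names lets you feed in driver names found elsewhere (here: the one from the CFScript)."""
    parsed = parse_hjt(text)
    products = sorted({AV_VENDORS[s["vendor"]] for s in parsed["services"] if s["vendor"] in AV_VENDORS})
    names = [s["short"] for s in parsed["services"]] + [r["name"] for r in parsed["run"]] + list(extra_names)
    return {
        "av_products": products,
        "multiple_av": len(products) > 1,
        "generated_names": sorted({n for n in names if looks_generated(n)}),
        "lsp_unknown": parsed["lsp"],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, extra_names=["d5461be5"]))
```

The heuristic is a prompt for a closer look, not a verdict: a hex-looking service name still has to be checked against its file path and signer before anything is removed, and the O10 entry is listed only so the reader checks it, since nwprovau.dll is a standard NetWare provider file on XP.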

#8
ciregno

ciregno

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts
I dragged the notepad file in and it would load ComboFix. It asked for me to update it so I did. Afterward, nothing happened. It would just stay at the blue screen for a long time. I could type things into the blue screen too. I dragged the notepad file in again and still the same thing happens. Was I not supposed to update ComboFix since nothing happens after I drag the notepad file onto the icon?
  • 0

#9
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Exit and delete ComboFix from your Desktop and download a fresh one from below.. Run it and post the fresh log here..

Link 1
  • 0

#10
ciregno

ciregno

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts
I tried that already and still no luck. I deleted it twice and reinstalled a new one twice and it still just took me to a blue screen with nothing in it that I could type in. The header has a period and that's it.
  • 0

#11
ciregno

ciregno

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts
Attached to this post is a screenshot of my desktop showing what I'm getting when I open ComboFix once I open the .exe file from my desktop.

Attached Thumbnails

  • blue_screen.JPG

Edited by ciregno, 17 April 2009 - 12:51 AM.

  • 0

#12
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished

STOP if you can't complete "The Comedian" step. Tell me about it.



NEXT


Please download the OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :services
    d5461be5
    
    :files
    C:\hpqp.ini
    C:\XP_TV.ini
    c:\windows\system32\drivers\d5461be5.sys
    
    :reg
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



NEXT


Download avz4.zip from HERE
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: Posted Image
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again



1. Start AVZ.
2. Choose from the menu File => Standard scripts and mark the 3. Healing/Quarantine and Advanced System Investigation check box.
3. Click on the Execute selected scripts.
4. Automatic scanning, healing and system check will be executed.
5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
6. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
7. All applications will work properly after the system restart.



  • After that, please restart AVZ again,
  • From the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach virusinfo_syscheck.htm to your next reply


Post me these logs in your next reply..

1. OTMoveIt3
2. Attach virusinfo_syscheck.htm
  • 0

#13
ciregno

ciregno

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========

Service\Driver d5461be5 deleted successfully.
========== FILES ==========
C:\hpqp.ini moved successfully.
C:\XP_TV.ini moved successfully.
c:\windows\system32\drivers\d5461be5.sys moved successfully.
========== REGISTRY ==========
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ERICON~1\LOCALS~1\Temp\etilqs_troZcl4th6Q9vr10iBSV scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ERICON~1\LOCALS~1\Temp\~DFB753.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Eric Ong\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_77c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_LANfpVISroSLmuE scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04172009_111141

Attached Files


  • 0

#14
ciregno

ciregno

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts
AFTER REBOOT!

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========

Service\Driver d5461be5 deleted successfully.
========== FILES ==========
C:\hpqp.ini moved successfully.
C:\XP_TV.ini moved successfully.
c:\windows\system32\drivers\d5461be5.sys moved successfully.
========== REGISTRY ==========
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ERICON~1\LOCALS~1\Temp\etilqs_troZcl4th6Q9vr10iBSV scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ERICON~1\LOCALS~1\Temp\~DFB753.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Eric Ong\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_77c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_LANfpVISroSLmuE scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04172009_111141

Files moved on Reboot...
File C:\DOCUME~1\ERICON~1\LOCALS~1\Temp\etilqs_troZcl4th6Q9vr10iBSV not found!
File C:\DOCUME~1\ERICON~1\LOCALS~1\Temp\~DFB753.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_77c.dat not found!
C:\WINDOWS\temp\sqlite_LANfpVISroSLmuE moved successfully.
C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Eric Ong\Local Settings\Application Data\Mozilla\Firefox\Profiles\mzga5m19.default\XUL.mfl moved successfully.

Attached Files


  • 0
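Reading an OTMoveIt3 log by hand, as in the posts above, means checking that every item in the script's :services and :files sections got a "deleted successfully" or "moved successfully" line, and then checking the "Files moved on Reboot..." section to see which of the files "scheduled to be deleted on reboot" were actually dealt with. The Python below does that check. It is an added example, not part of this thread or of OTMoveIt3; the log text in it is a constructed, shortened copy of the log posted above, and the status phrases it matches are only the ones that appear in that log. One detail worth noticing in the full log: the two Content.IE5\index.dat files are scheduled for deletion but never appear in the reboot section. The sample reproduces that, and pending_after_reboot() reports it.

```python
import re

# Constructed, shortened copy of the OTMoveIt3 log posted in this thread.
SAMPLE_LOG = r"""
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========

Service\Driver d5461be5 deleted successfully.
========== FILES ==========
C:\hpqp.ini moved successfully.
C:\XP_TV.ini moved successfully.
c:\windows\system32\drivers\d5461be5.sys moved successfully.
========== REGISTRY ==========
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ERICON~1\LOCALS~1\Temp\~DFB753.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Eric Ong\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_LANfpVISroSLmuE scheduled to be deleted on reboot.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04172009_111141

Files moved on Reboot...
File C:\DOCUME~1\ERICON~1\LOCALS~1\Temp\~DFB753.tmp not found!
C:\WINDOWS\temp\sqlite_LANfpVISroSLmuE moved successfully.
"""

# The :services and :files entries from the OTMoveIt3 script posted above.
TARGET_SERVICES = ["d5461be5"]
TARGET_FILES = [r"C:\hpqp.ini", r"C:\XP_TV.ini", r"c:\windows\system32\drivers\d5461be5.sys"]

MOVED = re.compile(r"^(?P<path>.+?) moved successfully\.$")
DELETED_SVC = re.compile(r"^Service\\Driver (?P<name>\S+) deleted successfully\.$")
SCHEDULED = re.compile(r"^File delete failed\. (?P<path>.+?) scheduled to be deleted on reboot\.$")
NOT_FOUND = re.compile(r"^File (?P<path>.+?) not found!$")
REBOOT_MARKER = "Files moved on Reboot..."


def norm(path):
    """Windows paths are case-insensitive, so compare them in lower case."""
    return path.strip().lower()


def parse_otm(log):
    """Bucket every status line by what OTMoveIt reported, split at the reboot marker."""
    result = {"moved": set(), "deleted_services": set(), "scheduled": set(),
              "moved_on_reboot": set(), "not_found_on_reboot": set()}
    after_reboot = False
    for line in log.splitlines():
        line = line.strip()
        if line == REBOOT_MARKER:
            after_reboot = True
            continue
        m = DELETED_SVC.match(line)
        if m:
            result["deleted_services"].add(m.group("name").lower())
            continue
        m = SCHEDULED.match(line)
        if m:
            result["scheduled"].add(norm(m.group("path")))
            continue
        m = NOT_FOUND.match(line)
        if m and after_reboot:
            result["not_found_on_reboot"].add(norm(m.group("path")))
            continue
        m = MOVED.match(line)
        if m:
            result["moved_on_reboot" if after_reboot else "moved"].add(norm(m.group("path")))
    return result


def verify_targets(log, files, services):
    """Report, per item the script asked for, what actually happened to it."""
    r = parse_otm(log)
    status = {}
    for svc in services:
        status[svc] = "deleted" if svc.lower() in r["deleted_services"] else "missing"
    for f in files:
        key = norm(f)
        if key in r["moved"] or key in r["moved_on_reboot"]:
            status[key] = "moved"
        elif key in r["scheduled"]:
            status[key] = "scheduled"   # still on disk until the reboot pass runs
        else:
            status[key] = "missing"     # never mentioned: check the path in the script
    return status


def pending_after_reboot(log):
    """Scheduled files that the reboot pass neither moved nor reported as already gone."""
    r = parse_otm(log)
    resolved = r["moved_on_reboot"] | r["not_found_on_reboot"]
    return sorted(r["scheduled"] - resolved)


if __name__ == "__main__":
    print(verify_targets(SAMPLE_LOG, TARGET_FILES, TARGET_SERVICES))
    print(pending_after_reboot(SAMPLE_LOG))
```

A "not found!" line in the reboot section is not a failure: it means the file (typically a temp file) was gone by the time the deferred delete ran. Only items that stay in the pending list after the reboot pass, like the index.dat files here, need a second look.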






