View Full Version : Unable to remove ADWARE_BHOT_AZESEARCH and ADWARE_ZTOOLBAR. Help needed, please.
SeemosYantra
2007-07-28, 05:46
The sympthoms are the next:
A fake alert icon (a fake shield with the resemblance of WinXP security center alert icon, flashing intermitently between a red one with an X and a blue one with a ?) appears on the system tray without way of being removed or uninstalled. The fake alert displays a text globe saying "System Warning: The system have detected several spywares running on your computer that may cause great damage. Click here to download the up-to-date AntiVirus software.". Upon clicking, Interner Explorer Browser is inmediatelly launched and a page offering a paid AntiVirus to remove the SpyWare (evidently an scam). However, I must add the fact that the aforementioned icon on the systray does not always shows (I have noticed that on some rebootings after a system change, the icon fails to load apparently, for it doesn't shows up, but it shows up again on the next rebooting).
I followed the step-by-steps instructions you proportioned on the forum (I had some problems with the Trend Micro Online Scan, but it seemed to work well once I unloaded WindowBlinds from the memory while running it). So, as the instructions say, here are the requested logs:
Logfile of HijackThis v1.99.1
Scan saved at 9:40:00 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AntiVir PersonalEdition Classic\sched.exe
D:\AntiVir PersonalEdition Classic\avguard.exe
C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
D:\AntiVir PersonalEdition Classic\avgnt.exe
C:\Archivos de programa\Java\jre1.6.0_02\bin\jusched.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
D:\WindowsKEY\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Archivos de programa\DAP\DAPBHO.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARCHIV~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARCHIV~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Archivos de programa\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avgnt] "D:\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [STYLEXP] C:\Archivos de programa\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Pando] "C:\Archivos de programa\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Archivos de programa\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Archivos de programa\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Archivos de programa\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Archivos de programa\DAP\dapextie2.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Archivos de programa\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Archivos de programa\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Archivos de programa\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155115469709
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: WBSrv - C:\ARCHIV~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Archivos de programa\TGTSoft\StyleXP\StyleXPService.exe
eTrust Antivirus Web Scanner result:
Scan Completed. 87468 files scanned. No viruses found.
- No Infections
Trend Micro House Call Scanner result:
Unable to clean ADWARE_BHOT_AZESEARCH in file(s):
C:\WINDOWS\system32\ttu.exe
C:\WINDOWS\ticads.exe
Unable to clean ADWARE_ZTOOLBAR in file(s):
C:\WINDOWS\system32\globobar.ocx
On my first attempt using SpyBot S&D 1.4 to remove these adwares, SpyBot S&D systray resident got stuck on a loop trying to remove the aforementioned icon, displaying a flood of system message popups saying that it was unable to remove the icon from the systray, forcing me to restart the system. Since that, SpyBot has not detected any kind of malware/spyware infection, in contrast to the on-line scan. So, please, if someone can give me instructions of how to clean my system of these both spywares, I would be really thankfull. In advance, thank you.
pskelley
2007-07-28, 13:53
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You HJT log is showing nothing of this junk, good thing we have the scans. You can see what google has to say.
C:\WINDOWS\system32\ttu.exe
http://www.google.com/search?hl=en&q=ttu.exe&btnG=Search
C:\WINDOWS\ticads.exe
http://www.google.com/search?hl=en&q=ticads.exe&btnG=Google+Search
I suggest you give grinlers removal instructions here a try. Please take the time to read any follow the directions carefully.
http://www.bleepingcomputer.com/forums/topic54501.html
Let me know how it goes.
Thanks
SeemosYantra
2007-07-29, 05:04
Sorry for the delay in the reply. My computer is very slow (486 processor) and it took me the whole day to realize the Panda Active Scan (I have Avira AntiVirus as my main antivirus for now, and it kept detecting the ActiveX component of the Panda Active Scan as virulent, so I had to shut it down and retry it several times until I made it to work. This is the scan log of the Panda Active Scan:
Incident Status Location
Dialer:dialer.su Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch
Adware:adware/seekmo Not disinfected Windows Registry
Adware:adware/cramtoolbar Not disinfected Windows Registry
Adware:adware/iebar Not disinfected Windows Registry
Adware:adware/azesearch Not disinfected Windows Registry
Adware:adware/powerstrip Not disinfected Windows Registry
Virus:Generic Malware Disinfected C:\Archivos de programa\Viewpoint\Viewpoint Toolbar\ViewBar.dll
Potentially unwanted tool:Application/ViewPoint Not disinfected C:\Archivos de programa\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
As you can see, it said the scan will NOT delete the Malware (not even that it couldn't), but it destroyed a supposed virus it catched. Regarding the procedures you suggested me to take: as you can see, I was able to go through all the steps without problems. However, I have to say that from the long list of files to delete that were there, I only found 3 or 4 that were merely ICO files and one HTML. Here I list them:
C:\WINDOWS\local.html
C:\WINDOWS\onlineshopping.ico
C:\WINDOWS\removeadware.ico
C:\WINDOWS\sexpersonals.ico
C:\WINDOWS\videoslots.ico
These were the only ones I found. The rest simply weren't there. The main problem persists. In some rebootings, the blasted systray icon appears, in others not. I took the time to copy the exact messages said by the afore mentioned fake alert as well as the URL it redirects, just in case that it may make the search more accurate:
System Alert!
System has detected a number of active spyware applications that may impact the performance of your computer. Click the icon to get rid of unwanted spyware by downloading an up-to-date antispyware solution.
http://www.asafetyproduct.com/
I don't know if this is of any use, but here I post it just to let you know. Hope nobody is enough silly for like clicking on it. So, I am now I am in the wait of further instructions. What should I do now? And, in advance, thank you for taking the time to answer to my plead for help.
pskelley
2007-07-29, 08:54
1) Do not download anything you are being prompted to. That is the malware trying to get you to download useless junk.
2) Did you try to complete the instructions in the link I posted? This appears to be the infection you have.
http://www.bleepingcomputer.com/forums/topic54501.html
3) TeaTimer may block our tools, turn it off until you finish:
http://russelltexas.com/malware/teatimer.htm
4) Let's move on, please read and follow the directions:
http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm
5) Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the C:\rapport.txt from the Smitfraudfix scan, the combofix log and a new HJT log.
Thanks
SeemosYantra
2007-07-29, 10:30
Okay, I followed the instructions neatly. Here are the logs you requested in the order you requested them, Pskelley-san:
SmitFraudFix v2.207
Scan done at 2:47:08.46, Sun 07/29/2007
Run from D:\WindowsKEY\SmitfraudFix
OS: Microsoft Windows XP [Versi˘n 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AntiVir PersonalEdition Classic\sched.exe
D:\AntiVir PersonalEdition Classic\avguard.exe
C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Java\jre1.6.0_02\bin\jusched.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jano
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jano\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ALLUSE~1.WIN\MENINI~1\Security Troubleshooting.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jano\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Archivos de programa
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mi p*gina de inicio actual"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{547aaa89-7e6b-42b4-b112-a64955f86a2a}"="adirondack"
[HKEY_CLASSES_ROOT\CLSID\{547aaa89-7e6b-42b4-b112-a64955f86a2a}\InProcServer32]
@="C:\WINDOWS\system32\zpuwriz.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{547aaa89-7e6b-42b4-b112-a64955f86a2a}\InProcServer32]
@="C:\WINDOWS\system32\zpuwriz.dll"
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
"Jano" - 2007-07-29 2:53:34 [GMT -5:00] - ComboFix 07-07-24 - Service Pack 2 NTFS
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Archivos de programa\winupdates
C:\Archivos de programa\winupdates\a.zip
C:\DOCUME~1\Jano\DATOSD~1.\macromedia\Flash Player\#SharedObjects\R88CF9QB\iforex.com
C:\DOCUME~1\Jano\DATOSD~1.\macromedia\Flash Player\#SharedObjects\R88CF9QB\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\DOCUME~1\Jano\DATOSD~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\DOCUME~1\Jano\DATOSD~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-29 )))))))))))))))))))))))))))))))
2007-07-29 02:51 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-29 02:47 3,186 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-28 16:38 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-26 13:00 <DIR> d-------- C:\DOCUME~1\Jano\.housecall6.6
2007-07-26 03:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\DATOSD~1\Spybot - Search & Destroy
2007-07-09 14:07 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-09 14:07 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-09 14:07 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-09 14:07 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-09 14:05 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-09 14:05 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-09 14:05 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-09 14:05 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-09 14:05 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-09 14:05 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-09 14:05 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-09 14:05 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-09 14:05 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-09 14:05 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-09 14:05 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-09 14:05 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-09 14:05 124,472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-09 14:05 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-30 10:47 0 --a------ C:\DOCUME~1\Jano\.EXE
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-28 23:04:38 -------- d-----w C:\Archivos de programa\MegauploadToolbar
2007-07-28 22:25:56 -------- d-----w C:\Archivos de programa\DAP
2007-07-23 15:11:37 9,216 --s-a-w C:\WINDOWS\system32\zpuwriz.dll
2007-07-23 04:09:30 -------- d-----w C:\Archivos de programa\DivX
2007-06-28 05:52:06 -------- d-----w C:\Archivos de programa\Magic Set Editor 2
2007-06-28 05:38:18 -------- d-----w C:\DOCUME~1\Jano\DATOSD~1\Magic Set Editor
2007-06-11 05:03:13 -------- d-----w C:\DOCUME~1\Jano\DATOSD~1\Viewpoint
2007-06-09 07:10:21 -------- d-----w C:\Archivos de programa\AIM6
2007-06-03 22:42:47 -------- d-----w C:\DOCUME~1\Jano\DATOSD~1\Media Player Classic
2007-05-16 15:12:01 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-03-26 02:42:55 254,272 ----a-w C:\DOCUME~1\Jano\DATOSD~1\GDIPFONTCACHEV1.DAT
2005-09-17 22:59:20 560 ----a-w C:\Archivos de programa\Global.sw
2004-11-26 22:04:18 266 --sh--w C:\Archivos de programa\desktop.ini
2004-11-26 22:04:18 11,274 ---ha-w C:\Archivos de programa\folder.htt
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Archivos de programa\Thomson\SpeedTouch USB\Dragdiag.exe" [2003-09-05 06:59]
"avgnt"="D:\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-19 21:47]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"CloneCDElbyCDFL"="C:\CloneCD\ElbyCheck.exe" [2002-11-02 01:33]
"@"="" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="C:\Archivos de programa\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 13:31]
"Aim6"="" []
"Pando"="C:\Archivos de programa\Pando Networks\Pando\Pando.exe" [2007-07-11 20:59]
"SpybotSD TeaTimer"="D:\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"@"="" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Archivos de programa\MySpace\IM\MySpaceIM.exe
C:\Documents and Settings\All Users.WINDOWS\MenŁ Inicio\Programas\Inicio\
Adobe Gamma Loader.lnk - C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe [2002-03-15 07:28:14]
Adobe Reader Speed Launch.lnk - C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 19:05:26]
InterVideo WinCinema Manager.lnk - C:\Archivos de programa\InterVideo\Common\Bin\WinCinemaMgr.exe [2005-02-19 12:01:11]
Microsoft Office.lnk - C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{547aaa89-7e6b-42b4-b112-a64955f86a2a}"= C:\WINDOWS\system32\zpuwriz.dll [2007-07-23 10:11 9216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
WgaLogon.dll 2006-06-19 16:20 702768 C:\WINDOWS\system32\WgaLogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\ARCHIV~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-03-20 04:32 176128 C:\ARCHIV~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli scecli
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
R0 a347bus;a347bus;C:\WINDOWS\system32\DRIVERS\a347bus.sys
R0 a347scsi;a347scsi;C:\WINDOWS\system32\Drivers\a347scsi.sys
R1 avgio;avgio;\??\D:\AntiVir PersonalEdition Classic\avgio.sys
R1 avipbb;avipbb;C:\WINDOWS\system32\DRIVERS\avipbb.sys
R1 StyleXPHelper;StyleXPHelper;\??\C:\Archivos de programa\TGTSoft\StyleXP\StyleXPHelper.exe
R2 ElbyCDIO;ElbyCDIO Driver;C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
R2 ScFBPNT3;CanoScan FBP3 Port Driver;\??\C:\WINDOWS\system32\drivers\ScFBPNT3.SYS
R3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN);C:\WINDOWS\system32\DRIVERS\alcan5wn.sys
R3 alcaudsl;SpeedTouch ADSL Modem ATM Transport;C:\WINDOWS\system32\DRIVERS\alcaudsl.sys
R3 avgntflt;avgntflt;\??\D:\AntiVir PersonalEdition Classic\avgntflt.sys
R3 ElbyCDFL;ElbyCDFL;C:\WINDOWS\system32\Drivers\ElbyCDFL.sys
R3 ms_mpu401;Controlador UART MIDI Microsoft MPU-401;C:\WINDOWS\system32\drivers\msmpu401.sys
R3 P1120VID;Creative WebCam NX Ultra;C:\WINDOWS\system32\DRIVERS\P1120Vid.sys
R3 SiS300i;SiS300i;C:\WINDOWS\system32\DRIVERS\sis300ip.sys
R3 SiS7018;Servicio para el controlador de muestra (WDM) AC'97;C:\WINDOWS\system32\drivers\ac97sis.sys
S3 k750bus;Sony Ericsson 750 driver (WDM);C:\WINDOWS\system32\DRIVERS\k750bus.sys
S3 k750mdfl;Sony Ericsson 750 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k750mdfl.sys
S3 k750mdm;Sony Ericsson 750 USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k750mdm.sys
S3 k750mgmt;Sony Ericsson 750 USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k750mgmt.sys
S3 k750obex;Sony Ericsson 750 USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k750obex.sys
S3 NtApm;Controlador de interfaz Apm/Legacy de Windows NT;C:\WINDOWS\system32\DRIVERS\NtApm.sys
S3 RT25USBAP;Nintendo Wi-Fi USB Connector Service;C:\WINDOWS\system32\DRIVERS\rt25usbap.sys
S3 ssmdrv;ssmdrv;C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
Contents of the 'Scheduled Tasks' folder
2007-07-26 10:42:35 C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-29 03:03:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120"
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-29 3:06:17
C:\ComboFix-quarantined-files.txt ... 2007-07-29 03:05
--- E O F ---
2007-05-22 21:00 80 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\Jano\DATOSD~1\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol.vir
2007-05-22 21:01 184 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\Jano\DATOSD~1\Macromedia\Flash Player\#SharedObjects\R88CF9QB\iforex.com\Emerp\Events\flash_object.swf\user_data.sol.vir
2007-07-27 02:19 22 --a------ C:\Qoobox\Quarantine\C\Archivos de programa\winupdates\a.zip.vir
Listado de rutas de carpetas para el volumen COREDRIVE
El nŁmero de serie del volumen es 804B-FFA2
C:\QOOBOX
\---Quarantine
+---C
| +---Archivos de programa
| | \---winupdates
| | a.zip.vir
| |
| \---DOCUME~1
| \---Jano
| \---DATOSD~1
| \---Macromedia
| \---Flash Player
| +---#SharedObjects
| | \---R88CF9QB
| | \---iforex.com
| | \---Emerp
| | \---Events
| | \---flash_object.swf
| | user_data.sol.vir
| |
| \---macromedia.com
| \---support
| \---flashplayer
| \---sys
| \---#iforex.com
| settings.sol.vir
|
\---Registry_backups
Logfile of HijackThis v1.99.1
Scan saved at 3:12:38 AM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AntiVir PersonalEdition Classic\sched.exe
D:\AntiVir PersonalEdition Classic\avguard.exe
C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\Java\jre1.6.0_02\bin\jusched.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
D:\WindowsKEY\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Archivos de programa\DAP\DAPBHO.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARCHIV~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARCHIV~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Archivos de programa\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avgnt] "D:\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKCU\..\Run: [STYLEXP] C:\Archivos de programa\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Pando] "C:\Archivos de programa\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Archivos de programa\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Archivos de programa\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Archivos de programa\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Archivos de programa\DAP\dapextie2.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Archivos de programa\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155115469709
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: WBSrv - C:\ARCHIV~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Archivos de programa\TGTSoft\StyleXP\StyleXPService.exe
I have included the Combofix Quarentine report just-in-case you need it as well. As you can see, I followed all the steps without problems. No evident changes so far. Again, I am in wait for further instructions, my dear helper. Once again, thank you for helping me so far.
pskelley
2007-07-29, 10:44
Thanks for returning the information. Post only the information I request. Smitfraudfix has detected that infection. Follow these instructions:
Follow the directions to turn off TeaTimer I provided and leave it off until we finish.
http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial if needed
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
Post the C:\rapport.txt and a new HJT log, keep me posted about the computers performance.
Thanks
SeemosYantra
2007-07-29, 12:09
It seems we finally succeeded into defeating that blasted adware. Here, the reports you specifically requested:
SmitFraudFix v2.207
Scan done at 4:10:02.03, Sun 07/29/2007
Run from D:\WindowsKEY\SmitfraudFix
OS: Microsoft Windows XP [Versi˘n 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{547aaa89-7e6b-42b4-b112-a64955f86a2a}"="adirondack"
[HKEY_CLASSES_ROOT\CLSID\{547aaa89-7e6b-42b4-b112-a64955f86a2a}\InProcServer32]
@="C:\WINDOWS\system32\zpuwriz.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{547aaa89-7e6b-42b4-b112-a64955f86a2a}\InProcServer32]
@="C:\WINDOWS\system32\zpuwriz.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
C:\WINDOWS\system32\zpuwriz.dll -> Hoax.Win32.Renos.gen.o
C:\WINDOWS\system32\zpuwriz.dll -> Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\DOCUME~1\ALLUSE~1.WIN\MENINI~1\Security Troubleshooting.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» DNS
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Logfile of HijackThis v1.99.1
Scan saved at 4:26:40 AM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AntiVir PersonalEdition Classic\sched.exe
D:\AntiVir PersonalEdition Classic\avguard.exe
C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
D:\AntiVir PersonalEdition Classic\avgnt.exe
C:\Archivos de programa\Java\jre1.6.0_02\bin\jusched.exe
D:\WindowsKEY\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Archivos de programa\DAP\DAPBHO.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARCHIV~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARCHIV~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Archivos de programa\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avgnt] "D:\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKCU\..\Run: [STYLEXP] C:\Archivos de programa\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Pando] "C:\Archivos de programa\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Archivos de programa\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Archivos de programa\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Archivos de programa\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Archivos de programa\DAP\dapextie2.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Archivos de programa\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155115469709
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: WBSrv - C:\ARCHIV~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Archivos de programa\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Archivos de programa\TGTSoft\StyleXP\StyleXPService.exe
My thanks to you are unending, Pskelley-san. You have not only helped me clean my computer from a very troublesome program, you also helped me liberate around 1.4 GB of HD space, and you have taught me a lot in the process, and that last thing is the most worthy. So, once again, thank you for everything.
pskelley
2007-07-29, 12:25
Thanks for the reports and the feedback, stick with me a bit longer.
For your information: http://www.castlecops.com/clsid-41.html
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Archivos de programa\DAP\DAPBHO.dll
http://www.greatis.com/appdata/u/d/dap.exe.htm
http://process.networktechs.com/DAP.EXE.php
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARCHIV~1\MEGAUP~1\MEGAUP~1.DLL
http://www.castlecops.com/clsid-30914.html
See the description
Since you had a nasty malware infection,I believe we should run a good scan for hidden malware, if you think so too, then do this:
If you run the scan, before you run it, delete all Smitfraudfix and combofix from your computer, especially backups and quarantines. This scan will find those as infections.
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
If you do not feel the scan is necessary, then do this:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
SeemosYantra
2007-07-30, 12:08
Thanks for being so mindfull to me, Pskelley-san. I almost feel like I was in a hospital with a really caring doctor. *giggle* Anyway, here is the report you asked for. I am sorry about the delay: even putting my system to minimal load, it delayed around 5 hours. Here is the report:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 30, 2007 4:47:09 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 30/07/2007
Kaspersky Anti-Virus database records: 346673
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 120809
Number of viruses found: 4
Number of infected objects: 4 / 0
Number of suspicious objects: 7
Duration of the scan process: 05:27:56
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Jano\.housecall6.6\Quarantine\a.zip.bac_a03080/Setup.exe Infected: Worm.Win32.VB.an skipped
C:\Documents and Settings\Jano\.housecall6.6\Quarantine\a.zip.bac_a03080 ZIP: infected - 1 skipped
C:\Documents and Settings\Jano\.housecall6.6\Quarantine\a.zip.bac_a03080 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Jano\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jano\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jano\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jano\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jano\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jano\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jano\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.001\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.001\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.001\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.001\ntuser.dat.LOG Object is locked skipped
C:\INSTALAR.BIN/PERTSK.EXE Suspicious: Password-protected-EXE skipped
C:\INSTALAR.BIN ZIP: suspicious - 1 skipped
C:\System Volume Information\_restore{4B374010-197F-44C3-A3EF-71DBA0EC5972}\RP396\A0076956.dll Infected: Trojan-Downloader.Win32.Agent.bkd skipped
C:\System Volume Information\_restore{4B374010-197F-44C3-A3EF-71DBA0EC5972}\RP397\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Almacen1\Zipfiles\All to All ( MP3, OGG, WMA 8, WAV) converter+crack.zip/Audio_Conversion_Wizard_Crack.zip/acw.exe Suspicious: Packed.Win32.PePatch.dk skipped
D:\Almacen1\Zipfiles\All to All ( MP3, OGG, WMA 8, WAV) converter+crack.zip/Audio_Conversion_Wizard_Crack.zip Suspicious: Packed.Win32.PePatch.dk skipped
D:\Almacen1\Zipfiles\All to All ( MP3, OGG, WMA 8, WAV) converter+crack.zip ZIP: suspicious - 2 skipped
D:\Almacen1\alltoall\Audio_Conversion_Wizard_Crack.zip/acw.exe Suspicious: Packed.Win32.PePatch.dk skipped
D:\Almacen1\alltoall\Audio_Conversion_Wizard_Crack.zip ZIP: suspicious - 1 skipped
D:\System Volume Information\_restore{4B374010-197F-44C3-A3EF-71DBA0EC5972}\RP397\change.log Object is locked skipped
Scan process completed.
Thanks for all the hints. Now that I am thinking on getting a new computer with much better stats I will make sure to be extra-mindfull about all the things-to-considerate you are giving me. ^_^ Once again, I am in wait of further instructions.
pskelley
2007-07-30, 14:09
Thanks for returning the scan report, let's see what Kasperky found:
KASPERSKY ONLINE SCANNER REPORT Monday, July 30, 2007 4:47:09 AM
Number of infected objects: 4 / 0
Number of suspicious objects: 7
C:\Documents and Settings\Jano\.housecall6.6\Quarantine\ <<< delete the contents of that quarantine folder
C:\INSTALAR.BIN ZIP: suspicious <<< I would delete that file
D:\Almacen1\Zipfiles\All to All ( MP3, OGG, WMA 8, WAV) converter+crack.zip/Audio_Conversion_Wizard_Crack.zip/acw.exe Suspicious: Packed.Win32.PePatch.dk skipped
D:\Almacen1\Zipfiles\All to All ( MP3, OGG, WMA 8, WAV) converter+crack.zip/Audio_Conversion_Wizard_Crack.zip Suspicious: Packed.Win32.PePatch.dk skipped
D:\Almacen1\Zipfiles\All to All ( MP3, OGG, WMA 8, WAV) converter+crack.zip ZIP: suspicious - 2 skipped
D:\Almacen1\alltoall\Audio_Conversion_Wizard_Crack.zip/acw.exe Suspicious: Packed.Win32.PePatch.dk skipped
D:\Almacen1\alltoall\Audio_Conversion_Wizard_Crack.zip ZIP: suspicious - 1 skipped
illegal and dangerous, this is probably how you got infected. Delete that junk and I suggest you purchase your software from now on.
When you are sure all of the above have been deleted, then clean system retore files again. At the point you should have a clean Kaspersky scan.
C:\System Volume Information\_restore <<< Infected
Thanks
SeemosYantra
2007-07-31, 04:15
As promised, here is the new report of Kaspersky. It should say the system is completely clean, but is not because of a mistake of my own. I deleted the files from one directory, but forgot about the ones on the other, so it kept detecting those, but I have already deleted those ones by now. Here is the report:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 30, 2007 8:55:22 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 30/07/2007
Kaspersky Anti-Virus database records: 346997
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 116524
Number of viruses found: 1
Number of infected objects: 0 / 0
Number of suspicious objects: 2
Duration of the scan process: 05:10:51
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Jano\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jano\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jano\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jano\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jano\Configuración local\Historial\History.IE5\MSHist012007073020070731\index.dat Object is locked skipped
C:\Documents and Settings\Jano\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jano\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jano\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Jano\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.001\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.001\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.001\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.001\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{4B374010-197F-44C3-A3EF-71DBA0EC5972}\RP400\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Almacen1\alltoall\Audio_Conversion_Wizard_Crack.zip/acw.exe Suspicious: Packed.Win32.PePatch.dk skipped
D:\Almacen1\alltoall\Audio_Conversion_Wizard_Crack.zip ZIP: suspicious - 1 skipped
Scan process completed.
I am in wait for any further instructions, my helper. In advance, as usual, thanks for everything. ^-^
pskelley
2007-07-31, 12:16
D:\Almacen1\alltoall\Audio_Conversion_Wizard_Crack.zip/acw.exe Suspicious: Packed.Win32.PePatch.dk skipped
D:\Almacen1\alltoall\Audio_Conversion_Wizard_Crack.zip ZIP: suspicious - 1 skipped
http://www.webopedia.com/TERM/C/crack.html
Once you delete these infected files, return to my post number 8 and follow the instructions to clean the system restores files again. I suggest you read the information I posted from experts, the information will go a long way towards helping you stay clean and safe.
Thanks
SeemosYantra
2007-08-02, 17:38
Sorry for the delay, Pskelley-san. I needed to search the momento to do the test since it delays so much. This time it came absolutely clean. Here it is:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, August 02, 2007 5:42:50 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/08/2007
Kaspersky Anti-Virus database records: 347883
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 116512
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 05:21:53
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Jano\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jano\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jano\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jano\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jano\Configuración local\Historial\History.IE5\MSHist012007080220070803\index.dat Object is locked skipped
C:\Documents and Settings\Jano\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jano\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jano\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Jano\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Configuración local\Historial\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.001\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.001\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.001\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.001\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.001\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{4B374010-197F-44C3-A3EF-71DBA0EC5972}\RP404\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Once again, thanks for everything. My computer is working pretty fast right now. I temporaly disabled WindowBlinds so the boot is faster. Thanks so much for all the help, sincerely.
pskelley
2007-08-02, 17:52
Looks good, safy surfing. Here are a couple of links that might be handy:
http://www.castlecops.com/postitle175256-0-0-.html
http://www.microsoft.com/atwork/getstarted/speed.mspx?wt_svl=20292a&mg_id=20292b
Thanks
pskelley
2007-08-10, 13:34
As the problem appears to be resolved this topic has been closed.
If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.
Thanks...pskelley