
zlob.downloader.rid and other...



tetari7
2008-08-10, 11:18
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17, on 2008-08-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Nuclear Coffee\VideoGet\VideoGet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60111
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
O2 - BHO: CodecPlugin Class - {098716A9-0310-4CBE-BD64-B790A9761158} - C:\WINDOWS\system32\RichVideoCodec.dll
O2 - BHO: IEConnect Class - {274F5E23-9386-4F84-A02F-B7808084AC30} - C:\Program Files\Intein Fjalor 2005\System\Word Addin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F53BAFE5-CE7A-4E95-95AC-A3912EFD3739} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [lphccrej0ene1] C:\WINDOWS\system32\lphccrej0ene1.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [pb_scheduler_agent] C:\Program Files\Premium Booster\scheduler.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3D1C723-9027-4D44-882C-E2FE897775E7}: NameServer = 80.80.160.8 80.80.160.9
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmnMGxvv - C:\WINDOWS\
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5148 bytes

Shaba
2008-08-12, 10:23
Hi tetari7

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.

tetari7
2008-08-12, 14:40
Here it is:



Active Desktop Calendar 7.53
Adobe Flash Player ActiveX
Arkivuesi WinRAR
Error Repair Professional 3.6
ESET NOD32 Antivirus
Fjalor i Integruar 5 Gjuhesh 2005
Foxit Reader
GOM Player
HD Tune Pro 3.10
HijackThis 2.0.2
Lock Folder XP 3.6
M Turbo Restart 1.0
Mozilla Firefox (3.0.1)
MSN Messenger 7.5
Nero 6 Ultra Edition
Nuclear Coffee - VideoGet 2.0.2.28
NVIDIA Drivers
O&O DiskRecovery
Premium Booster
Real Alternative 1.8.0
Registry Mechanic 7.0
RegistryFix v6.4
Spybot - Search & Destroy
Spyware Doctor 5.0
SUPERAntiSpyware Professional
Unlocker 1.8.7

Shaba
2008-08-12, 14:41
Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

tetari7
2008-08-12, 22:46
The tool fails to launch from the Desktop; I also tried from the system drive (C:).

http://img228.imageshack.us/img228/8992/00gg6.jpg

Shaba
2008-08-13, 10:03
That might be a sign of a much more serious infection.

Let's then do these:

Please download Malwarebytes' Anti-Malware (http://www.malwaresupport.com/mbam/program/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Alternative download link (http://www.geekstogo.com/forum/index.php?autocom=downloads&showfile=19)

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.

Post:

- mbam report
- dss logs (taken after mbam run)

tetari7
2008-08-13, 17:14
Here are the results of Malwarebytes' Anti-Malware:




Malwarebytes' Anti-Malware 1.24
Database version: 1048
Windows 5.1.2600 Service Pack 2

5:11:44 MD 2008-08-13
mbam-log-8-13-2008 (17-11-44).txt

Scan type: Quick Scan
Objects scanned: 41535
Time elapsed: 14 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 32
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f53bafe5-ce7a-4e95-95ac-a3912efd3739} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f53bafe5-ce7a-4e95-95ac-a3912efd3739} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.codecplugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{84562fca-ee8b-4585-a1d1-eae97b23370e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{48e92754-2daf-4de4-8385-34f631580e9b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a1c23ba2-8f20-4c01-b663-7ff2b3421194} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{098716a9-0310-4cbe-bd64-b790a9761158} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{098716a9-0310-4cbe-bd64-b790a9761158} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d37d6c1a-7ba4-47f4-9bf2-75031e257df6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.codecplugin.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f4406238-983a-4845-9053-f1d0007fd135} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.xmldomdocumenteventssink (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.xmldomdocumenteventssink.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\CodecBHO.DLL (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\xprepairpro2007 (Rogue.XPRepairPro2007) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVwsc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSTAT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WEBSCANX.EXE (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f53bafe5-ce7a-4e95-95ac-a3912efd3739} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphccrej0ene1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\RichVideoCodec.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ngxmsqfb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM83d8ae94.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM83d8ae94.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphccrej0ene1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

tetari7
2008-08-13, 22:08
DSS logs:


Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-13 21:56:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
9: 2008-08-13 19:56:31 UTC - RP9 - Deckard's System Scanner Restore Point
8: 2008-08-13 08:02:44 UTC - RP8 - Software Distribution Service 3.0
7: 2008-08-12 09:43:32 UTC - RP7 - Software Distribution Service 3.0
6: 2008-08-11 14:59:28 UTC - RP6 - Software Distribution Service 3.0
5: 2008-08-10 07:59:05 UTC - RP5 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-08-08 18:06:59 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:57, on 2008-08-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60111
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
O2 - BHO: IEConnect Class - {274F5E23-9386-4F84-A02F-B7808084AC30} - C:\Program Files\Intein Fjalor 2005\System\Word Addin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [pb_scheduler_agent] C:\Program Files\Premium Booster\scheduler.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmnMGxvv - C:\WINDOWS\
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 4932 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NDISAH - c:\windows\system32\drivers\ndisah.sys <Not Verified; Antamedia mdoo; Antamedia HotSpot Software (TM)>
R2 LF30FS - c:\program files\everstrike software\lock folder xp 3.6\lf30xp.sys
R2 SetupNT - c:\windows\system32\setupnt.sys

S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E969-E325-11CE-BFC1-08002BE10318}
Description: Standard floppy disk controller
Device ID: ACPI\PNP0700\4&26DD0F47&0
Manufacturer: (Standard floppy disk controllers)
Name: Standard floppy disk controller
PNP Device ID: ACPI\PNP0700\4&26DD0F47&0
Service: fdc


-- Files created between 2008-07-13 and 2008-08-13 -----------------------------

2008-08-13 16:54:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-13 16:54:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-13 16:54:31 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-12 21:31:03 0 d-------- C:\Program Files\WinRar2008
2008-08-12 15:40:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Xi
2008-08-12 15:39:52 0 d-------- C:\Program Files\Xi
2008-08-12 14:48:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\WinRAR
2008-08-11 22:47:24 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-08-11 16:54:02 0 d-------- C:\Program Files\microsoft frontpage
2008-08-09 20:17:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-09 15:06:20 0 d-------- C:\Program Files\Trend Micro
2008-08-08 17:55:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-08-08 17:36:18 0 d-------- C:\Program Files\Spyware Doctor
2008-08-07 15:25:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\Hide IP NG
2008-08-07 13:03:34 0 d-------- C:\Program Files\HD Tune Pro
2008-08-07 12:29:20 671744 -ra------ C:\WINDOWS\system32\DolbyHph.dll <Not Verified; Lake Technology Limited, http://www.lake.com.au; Dolby Headphone>
2008-08-06 15:47:05 0 d-------- C:\Program Files\Premium Booster
2008-08-06 15:40:30 0 d-------- C:\Program Files\Common Files\Pointstone
2008-08-03 15:15:17 0 d-------- C:\Program Files\RegistryFix6
2008-08-03 12:17:53 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-03 12:16:57 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-03 12:16:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-01 15:20:36 0 d-------- C:\Documents and Settings\All Users\Application Data\XemiComputers
2008-08-01 15:20:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\XemiComputers
2008-08-01 15:20:06 0 d-------- C:\Program Files\XemiComputers
2008-08-01 01:51:30 0 d-------- C:\Program Files\Everstrike Software
2008-08-01 01:48:25 0 d-------- C:\WINDOWS\'Full Speed' Internet Booster + Performance Tests
2008-07-31 15:21:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\MetaProducts
2008-07-28 23:18:05 0 d-------- C:\WINDOWS\Prefetch
2008-07-28 23:07:07 0 d-------- C:\Program Files\msn gaming zone
2008-07-28 20:14:39 0 d-------- C:\Program Files\Common Files\ODBC
2008-07-28 19:28:08 0 d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-07-28 19:18:56 74703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-07-28 19:18:24 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-07-28 19:18:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\iolo
2008-07-27 13:47:13 19584 --a------ C:\WINDOWS\system32\drivers\ndisah.sys <Not Verified; Antamedia mdoo; Antamedia HotSpot Software (TM)>
2008-07-26 23:54:00 0 d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-07-26 23:53:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\GRETECH
2008-07-26 00:46:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-25 21:54:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-25 19:49:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-07-25 19:38:32 0 d-------- C:\Documents and Settings\start\Application Data\TrojanHunter
2008-07-24 23:06:26 0 d-------- C:\Documents and Settings\LocalService\Application Data\PCToolsSpamMonitorPlus
2008-07-24 23:06:26 0 d-------- C:\Documents and Settings\LocalService\Application Data\PCToolsFirewallPlus
2008-07-24 22:22:59 0 d-------- C:\Documents and Settings\start\Application Data\PCToolsFirewallPlus
2008-07-24 22:22:58 0 d-------- C:\Documents and Settings\start\Application Data\PCToolsSpamMonitorPlus
2008-07-24 19:08:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\PCToolsFirewallPlus
2008-07-24 19:08:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\PCToolsSpamMonitorPlus
2008-07-24 17:35:30 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-07-24 14:26:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Smart PC Solutions
2008-07-24 00:02:07 0 d-------- C:\WINDOWS\pss
2008-07-23 23:19:10 0 d-------- C:\Documents and Settings\start\Application Data\BitTorrent
2008-07-22 15:08:30 0 d-------- C:\Program Files\OO Software
2008-07-22 14:41:54 0 dr-h----- C:\Documents and Settings\start\Recent
2008-07-22 12:55:37 0 d-------- C:\Program Files\Error Repair Professional
2008-07-20 19:16:42 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2008-07-20 17:19:12 0 d-------- C:\Program Files\M Turbo Restart
2008-07-20 13:19:35 0 d-------- C:\Documents and Settings\start\Application Data\SUPERAntiSpyware.com
2008-07-19 23:33:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\BitTorrent
2008-07-19 23:33:16 0 d-------- C:\Program Files\BitTorrent
2008-07-19 23:11:31 0 d-------- C:\Program Files\DNA
2008-07-19 23:11:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\DNA
2008-07-19 02:17:11 0 d-------- C:\Program Files\Nuclear Coffee
2008-07-19 00:13:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Antispyware
2008-07-18 22:28:50 4212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-07-18 22:26:44 0 d-------- C:\WINDOWS\Internet Logs
2008-07-18 20:19:50 2380 --a------ C:\WINDOWS\system32\BlockedCookies
2008-07-18 20:19:07 86016 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-07-18 17:34:10 0 d---s---- C:\Documents and Settings\Administrator\UserData
2008-07-18 12:25:14 2148 --ahs---- C:\WINDOWS\system32\bHhkSvut.ini2
2008-07-14 09:33:57 0 d-------- C:\Program Files\Intein Fjalor 2005
2008-07-14 09:32:32 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-08-08 17:53:26 0 d-------- C:\Program Files\Common Files
2008-08-08 11:46:54 0 d-------- C:\Program Files\MSN Messenger
2008-08-07 12:49:15 0 d-------- C:\Program Files\Common Files\InstallShield
2008-08-07 12:49:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-07 12:48:46 1056 --ahs---- C:\vvmjovma.sys
2008-08-03 12:16:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Thinstall
2008-07-31 17:50:17 0 d--hs---- C:\Documents and Settings\Administrator\Application Data\.#
2008-07-28 23:01:35 22748 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-07-26 23:46:48 0 d-------- C:\Program Files\GRETECH
2008-07-19 02:31:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-07-08 16:24:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-07-08 16:18:48 0 d-------- C:\Program Files\CyberLink
2008-06-28 19:43:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\HideIP
2008-06-21 14:10:54 8813777 --a------ C:\WINDOWS\system32\SRPRSig.dll
2008-06-21 14:09:36 6538067 --a------ C:\WINDOWS\system32\SRPFSig.dll
2008-06-21 14:08:30 623157 --a------ C:\WINDOWS\system32\SRPESig.dll
2008-05-24 21:15:56 33 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.log
2008-05-24 21:15:50 1074 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.cat
2008-05-24 21:15:49 47360 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-05-24 21:15:49 1144 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.inf


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{274F5E23-9386-4F84-A02F-B7808084AC30}]
2006-10-30 04:49 191792 --a------ C:\Program Files\Intein Fjalor 2005\System\Word Addin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 01:06]
"nwiz"="nwiz.exe" [2005-12-10 01:06 C:\WINDOWS\system32\nwiz.exe]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-08-14 05:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2008-06-30 12:35]
"pb_scheduler_agent"="C:\Program Files\Premium Booster\scheduler.exe" [2007-04-19 12:37]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
"MaxRecentDocs"=0 (0x0)
"NoResolveTrack"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NosecurityTab"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 01:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnMGxvv]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8972 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-13 21:58:19 ------------




Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 3.00GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of Memory in Use: 57%
Physical Memory (total/avail): 511.48 MiB / 219.34 MiB
Pagefile Memory (total/avail): 1250.71 MiB / 803.97 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1949.13 MiB

C: is Fixed (NTFS) - 9.54 GiB total, 4.42 GiB free.
D: is Fixed (NTFS) - 74.52 GiB total, 68.91 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - QUANTUM FIREBALLlct20 10 - 9.55 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 9.54 GiB - C:

\\.\PHYSICALDRIVE1 - SAMSUNG SP0842N - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: ESET NOD32 Antivirus 3.0 v3.0 (ESET, spol. s r. o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=USER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\USER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0409
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=USER
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

start (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Active Desktop Calendar 7.53 --> "C:\Program Files\XemiComputers\Active Desktop Calendar\unins000.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
BitTorrent --> "C:\Program Files\BitTorrent\BitTorrent.exe" /UNINSTALL
DNA --> "C:\Program Files\DNA\btdna.exe" /UNINSTALL
Error Repair Professional 3.6 --> "C:\Program Files\Error Repair Professional\unins000.exe"
ESET NOD32 Antivirus --> MsiExec.exe /I{7D974ACA-4EE5-412C-8E6A-A5B57B305727}
Fjalor i Integruar 5 Gjuhesh 2005 --> MsiExec.exe /I{6DE8138F-FC45-4531-8255-A7F3283B5A30}
Foxit Reader --> C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
GOM Player --> "C:\Program Files\GRETECH\GomPlayer\Uninstall.exe"
HD Tune Pro 3.10 --> "C:\Program Files\HD Tune Pro\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Lock Folder XP 3.6 --> "C:\Program Files\Everstrike Software\Lock Folder XP 3.6\Uninstall.exe" "C:\Program Files\Common Files\Everstrike Software\Lock Folder XP 3.6\install.log"
M Turbo Restart 1.0 --> C:\Program Files\M Turbo Restart\Uninstall.exe
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NetXfer 2.54.390 --> "C:\Program Files\Xi\NetXfer\unins000.exe"
Nuclear Coffee - VideoGet 2.0.2.28 --> "C:\Program Files\Nuclear Coffee\VideoGet\uninstall.exe"
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
O&O DiskRecovery --> MsiExec.exe /X{53480880-18E0-4097-A460-F22DD3AC6D70}
Premium Booster --> C:\Program Files\Premium Booster\Uninstall Premium Booster.exe
Real Alternative 1.8.0 --> "C:\Program Files\Real Alternative\unins000.exe"
Registry Mechanic 7.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
RegistryFix v6.4 --> "C:\Program Files\RegistryFix6\unins000.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.0 --> C:\Program Files\Spyware Doctor\unins000.exe
SUPERAntiSpyware Professional --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Unlocker 1.8.7 --> C:\Program Files\Unlocker\uninst.exe
WinRAR archiver --> C:\Program Files\WinRar2008\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type473 / Error
Event Submitted/Written: 08/13/2008 09:50:49 PM
Event ID/Source: 4126 / Ci
Event Description:
Cleaning up corrupt content index metadata on d:\system volume information\catalog.wci. Index will
be automatically restored by refiltering all documents.

Event Record #/Type466 / Error
Event Submitted/Written: 08/13/2008 03:25:52 PM
Event ID/Source: 4126 / Ci
Event Description:
Cleaning up corrupt content index metadata on d:\system volume information\catalog.wci. Index will
be automatically restored by refiltering all documents.

Event Record #/Type459 / Error
Event Submitted/Written: 08/13/2008 09:58:13 AM
Event ID/Source: 4126 / Ci
Event Description:
Cleaning up corrupt content index metadata on d:\system volume information\catalog.wci. Index will
be automatically restored by refiltering all documents.

Event Record #/Type456 / Error
Event Submitted/Written: 08/12/2008 09:19:20 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module richvideocodec.dll, version 1.0.0.1, fault address 0x0000ba66.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type450 / Error
Event Submitted/Written: 08/12/2008 08:16:22 PM
Event ID/Source: 4126 / Ci
Event Description:
Cleaning up corrupt content index metadata on d:\system volume information\catalog.wci. Index will
be automatically restored by refiltering all documents.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3222 / Error
Event Submitted/Written: 08/13/2008 09:55:45 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type3221 / Error
Event Submitted/Written: 08/13/2008 09:55:45 PM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type3220 / Error
Event Submitted/Written: 08/13/2008 09:55:41 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type3219 / Error
Event Submitted/Written: 08/13/2008 09:55:41 PM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type3216 / Error
Event Submitted/Written: 08/13/2008 09:54:31 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.



-- End of Deckard's System Scanner: finished at 2008-08-13 21:58:19 ------------

Shaba
2008-08-14, 10:03
Please click this link-->Jotti (http://virusscan.jotti.org/)

Copy/paste the file on the list into the white "Upload a file" box and click Submit/Send (depends on whether you are using Jotti or VirusTotal).

C:\vvmjovma.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

tetari7
2008-08-14, 14:37
MD5: d778602f1450285937af1b427dd32724
First received: -
Date: 08.14.2008 14:22:03 (CET) [<1D]
Results: 0/36
Permalink: analisis/185f6a6799b4ae66802b7f611334e7db

Shaba
2008-08-14, 14:40
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) file sharing programs on your computer.

BitTorrent
DNA

I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these afterwards:

C:\Documents and Settings\start\Application Data\BitTorrent
C:\Documents and Settings\Administrator\Application Data\BitTorrent
C:\Program Files\BitTorrent
C:\Program Files\DNA

Click Start and then Run to bring up the Run box.
Copy and paste the contents of this quote box into the run box:

"%userprofile%\desktop\dss.exe" /config
Close all other open windows.
Click OK.
A window will now open. Click Check All and then click Scan!.
When the scan is complete, two text files will open in Notepad: main.txt <- this one will be maximized
extra.txt <- this one will be minimized
If not, they both can be found in the C:\Deckard\System Scanner folder.
Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.

tetari7
2008-08-14, 17:09
The contents of this quote { "%userprofile%\desktop\dss.exe" /config } are not working in the Run box.

Shaba
2008-08-14, 17:15
OK, then run DSS normally and do this:

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.

Post:

- dss log
- uninstall list

tetari7
2008-08-15, 00:22
Only main.txt opened; I can't find extra.txt, even in the C:\Deckard\System Scanner folder.

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-15 00:07:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07, on 2008-08-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchobst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\update.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\-DESKTOP- mos prek --antispyware-adware\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60111
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
O2 - BHO: IEConnect Class - {274F5E23-9386-4F84-A02F-B7808084AC30} - C:\Program Files\Intein Fjalor 2005\System\Word Addin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [pb_scheduler_agent] C:\Program Files\Premium Booster\scheduler.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmnMGxvv - C:\WINDOWS\
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5126 bytes

-- Files created between 2008-07-15 and 2008-08-15 -----------------------------

2008-08-14 22:09:26 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-08-14 22:07:15 0 d-------- C:\WINDOWS\SHELLNEW
2008-08-14 16:57:29 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-08-13 16:54:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-13 16:54:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-13 16:54:31 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-12 21:31:03 0 d-------- C:\Program Files\WinRar2008
2008-08-12 15:40:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Xi
2008-08-12 15:39:52 0 d-------- C:\Program Files\Xi
2008-08-12 14:48:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\WinRAR
2008-08-11 16:54:02 0 d-------- C:\Program Files\microsoft frontpage
2008-08-09 20:17:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-09 15:06:20 0 d-------- C:\Program Files\Trend Micro
2008-08-08 17:36:18 0 d-------- C:\Program Files\Spyware Doctor
2008-08-07 13:03:34 0 d-------- C:\Program Files\HD Tune Pro
2008-08-07 12:29:20 671744 -ra------ C:\WINDOWS\system32\DolbyHph.dll <Not Verified; Lake Technology Limited, http://www.lake.com.au; Dolby Headphone>
2008-08-06 15:47:05 0 d-------- C:\Program Files\Premium Booster
2008-08-06 15:40:30 0 d-------- C:\Program Files\Common Files\Pointstone
2008-08-03 15:15:17 0 d-------- C:\Program Files\RegistryFix6
2008-08-03 12:17:53 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-03 12:16:57 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-03 12:16:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-01 15:20:36 0 d-------- C:\Documents and Settings\All Users\Application Data\XemiComputers
2008-08-01 15:20:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\XemiComputers
2008-08-01 15:20:06 0 d-------- C:\Program Files\XemiComputers
2008-08-01 01:51:30 0 d-------- C:\Program Files\Everstrike Software
2008-08-01 01:48:25 0 d-------- C:\WINDOWS\'Full Speed' Internet Booster + Performance Tests
2008-07-28 23:18:05 0 d-------- C:\WINDOWS\Prefetch
2008-07-28 23:07:07 0 d-------- C:\Program Files\msn gaming zone
2008-07-28 20:14:39 0 d-------- C:\Program Files\Common Files\ODBC
2008-07-28 19:28:08 0 d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-07-28 19:18:56 74703 --a------ C:\WINDOWS\system32\mfc45.dll
2008-07-28 19:18:24 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-07-27 13:47:13 19584 --a------ C:\WINDOWS\system32\drivers\ndisah.sys <Not Verified; Antamedia mdoo; Antamedia HotSpot Software (TM)>
2008-07-26 23:54:00 0 d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-07-26 23:53:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\GRETECH
2008-07-26 00:46:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-25 21:54:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-25 19:38:32 0 d-------- C:\Documents and Settings\start\Application Data\TrojanHunter
2008-07-24 23:06:26 0 d-------- C:\Documents and Settings\LocalService\Application Data\PCToolsSpamMonitorPlus
2008-07-24 23:06:26 0 d-------- C:\Documents and Settings\LocalService\Application Data\PCToolsFirewallPlus
2008-07-24 22:22:59 0 d-------- C:\Documents and Settings\start\Application Data\PCToolsFirewallPlus
2008-07-24 22:22:58 0 d-------- C:\Documents and Settings\start\Application Data\PCToolsSpamMonitorPlus
2008-07-24 17:35:30 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-07-24 00:02:07 0 d-------- C:\WINDOWS\pss
2008-07-23 23:19:10 0 d-------- C:\Documents and Settings\start\Application Data\BitTorrent
2008-07-22 15:08:30 0 d-------- C:\Program Files\OO Software
2008-07-22 14:41:54 0 dr-h----- C:\Documents and Settings\start\Recent
2008-07-22 12:55:37 0 d-------- C:\Program Files\Error Repair Professional
2008-07-20 19:16:42 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2008-07-20 17:19:12 0 d-------- C:\Program Files\M Turbo Restart
2008-07-20 13:19:35 0 d-------- C:\Documents and Settings\start\Application Data\SUPERAntiSpyware.com
2008-07-19 02:17:11 0 d-------- C:\Program Files\Nuclear Coffee
2008-07-19 00:13:24 0 d-------- C:\Documents and Settings\Administrator\Application Data\Antispyware
2008-07-18 22:28:50 4212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-07-18 22:26:44 0 d-------- C:\WINDOWS\Internet Logs
2008-07-18 20:19:50 2380 --a------ C:\WINDOWS\system32\BlockedCookies
2008-07-18 20:19:07 86016 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-07-18 17:34:10 0 d---s---- C:\Documents and Settings\Administrator\UserData
2008-07-18 12:25:14 2148 --ahs---- C:\WINDOWS\system32\bHhkSvut.ini2


-- Find3M Report ---------------------------------------------------------------

2008-08-14 22:08:53 0 d-------- C:\Program Files\Common Files
2008-08-08 11:46:54 0 d-------- C:\Program Files\MSN Messenger
2008-08-07 12:49:15 0 d-------- C:\Program Files\Common Files\InstallShield
2008-08-07 12:49:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-07 12:48:46 1056 --ahs---- C:\vvmjovma.sys
2008-08-04 11:36:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-31 17:50:17 0 d--hs---- C:\Documents and Settings\Administrator\Application Data\.#
2008-07-28 23:01:35 22748 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-07-26 23:46:48 0 d-------- C:\Program Files\GRETECH
2008-07-19 02:31:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-07-14 09:33:57 0 d-------- C:\Program Files\Intein Fjalor 2005
2008-07-08 16:24:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-07-08 16:18:48 0 d-------- C:\Program Files\CyberLink
2008-06-28 19:43:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\HideIP
2008-06-21 14:10:54 8813777 --a------ C:\WINDOWS\system32\SRPRSig.dll
2008-06-21 14:09:36 6538067 --a------ C:\WINDOWS\system32\SRPFSig.dll
2008-06-21 14:08:30 623157 --a------ C:\WINDOWS\system32\SRPESig.dll
2008-05-24 21:15:56 33 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.log
2008-05-24 21:15:50 1074 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.cat
2008-05-24 21:15:49 47360 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-05-24 21:15:49 1144 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.inf


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{274F5E23-9386-4F84-A02F-B7808084AC30}]
2006-10-30 04:49 191792 --a------ C:\Program Files\Intein Fjalor 2005\System\Word Addin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 01:06]
"nwiz"="nwiz.exe" [2005-12-10 01:06 C:\WINDOWS\system32\nwiz.exe]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-08-14 05:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2008-06-30 12:35]
"pb_scheduler_agent"="C:\Program Files\Premium Booster\scheduler.exe" [2007-04-19 12:37]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
"MaxRecentDocs"=0 (0x0)
"NoResolveTrack"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NosecurityTab"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 01:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnMGxvv]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

*Newly Created Service* - OSE



-- End of Deckard's System Scanner: finished at 2008-08-15 00:08:18 ------------






Active Desktop Calendar 7.53
Adobe Flash Player ActiveX
Error Repair Professional 3.6
ESET NOD32 Antivirus
Fjalor i Integruar 5 Gjuhesh 2005
Foxit Reader
GOM Player
HD Tune Pro 3.10
HijackThis 2.0.2
Lock Folder XP 3.6
M Turbo Restart 1.0
Malwarebytes' Anti-Malware
Microsoft Office Professional Edition 2003
Mozilla Firefox (3.0.1)
MSN Messenger 7.5
Nero 6 Ultra Edition
NetXfer 2.54.390
Nuclear Coffee - VideoGet 2.0.2.28
NVIDIA Drivers
O&O DiskRecovery
Premium Booster
Real Alternative 1.8.0
Registry Mechanic 7.0
RegistryFix v6.4
Spybot - Search & Destroy
Spyware Doctor 5.0
SUPERAntiSpyware Professional
Unlocker 1.8.7
WinRAR archiver



I scanned the PC with Spybot S&D, and the virus (zlob.downloader.rid) was erased; I don't know how (maybe with Malwarebytes' Anti-Malware).

Shaba
2008-08-15, 08:53
Yes, MBAM likely removed it :)

We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Open HijackThis, click "Do a system scan only" and checkmark these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O20 - Winlogon Notify: pmnMGxvv - C:\WINDOWS\

Close all windows including browser and press fix checked.

Reboot.

Please make sure that all programs are closed when installing Java.

Click here (http://java.sun.com/javase/downloads/index.jsp) to visit Java's website.
Scroll down to Java Runtime Environment (JRE) 6 Update 7. Click on Download.
Select Windows from the drop-down list for Platform.
Select Multi-language from the drop-down list for Language.
Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
Click on jre-6u7-windows-i586-p.exe link to download it and save this to a convenient location.
Double click on jre-6u7-windows-i586-p.exe to install Java.
After the Java installation has finished, please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
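The O20 line being fixed above (Winlogon Notify: pmnMGxvv pointing at C:\WINDOWS\ rather than at a DLL) is the kind of entry that can be checked for directly in the registry rather than only by eyeballing a HijackThis log. The script below is an added example, not part of this thread and not a tool from Spybot, HijackThis or Deckard's System Scanner. It assumes a Windows XP / Server 2003 era system, where Winlogon still loads notification packages from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (that mechanism is gone from Vista onward), and PowerShell 2.0 or later. The function name Get-WinlogonNotifyFindings is my own; the subkey and DLLName value names are the real ones Winlogon uses.

```powershell
# Added example (not from the thread): list every Winlogon Notify package and flag
# entries whose DLLName is missing, empty, points at a directory, or at a file that
# does not exist on disk. A legitimate package (e.g. SUPERAntiSpyware's SASWINLO.dll
# in the log above) has a DLLName that resolves to a real file.
# Assumes XP/2003 (key absent on Vista and later) and PowerShell 2.0+.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyFindings {
    param([string]$Path = $notifyKey)   # hypothetical function name, not a built-in cmdlet

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Winlogon Notify key not present (expected on Vista and later)."
        return
    }

    foreach ($sub in Get-ChildItem -Path $Path) {
        # Each package is a subkey; the DLL it loads is in the DLLName value.
        $dll    = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).DLLName
        $status = 'ok'

        if ([string]::IsNullOrEmpty($dll)) {
            # Matches the pmnMGxvv case: a package key with no usable DLLName.
            $status = 'SUSPECT: no DLLName value'
        }
        else {
            # Winlogon resolves bare names (e.g. "wlnotify.dll") from system32.
            $resolved = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not [System.IO.Path]::IsPathRooted($resolved)) {
                $resolved = Join-Path -Path $env:SystemRoot -ChildPath "system32\$resolved"
            }

            if (Test-Path -Path $resolved -PathType Container) {
                # HijackThis shows this as "O20 - Winlogon Notify: name - C:\WINDOWS\"
                $status = 'SUSPECT: DLLName is a directory, not a file'
            }
            elseif (-not (Test-Path -Path $resolved -PathType Leaf)) {
                $status = 'SUSPECT: DLLName file not found'
            }
        }

        New-Object PSObject -Property @{
            Package = $sub.PSChildName
            DLLName = $dll
            Status  = $status
        }
    }
}

# Run from an elevated PowerShell prompt; only read access to HKLM is needed.
Get-WinlogonNotifyFindings | Format-Table Package, DLLName, Status -AutoSize
```

The script only reads; it does not delete anything, so it is safe to run before and after the HijackThis fix to confirm the pmnMGxvv key is gone. Random-looking package names with an empty or directory-valued DLLName are worth a second look because Winlogon loads these DLLs at logon with SYSTEM privileges, which is why a downloader family persists there.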

tetari7
2008-08-15, 22:25
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, August 15, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 15, 2008 16:37:47
Records in database: 1095732
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 20640
Threat name: 5
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 02:49:32


File name / Threat name / Threats count
C:\Program Files\M Turbo Restart\Log Off.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.l 1
C:\Program Files\M Turbo Restart\Turn Off.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.c 1
D:\U-S-R-A\Pc-control\Software\MsnMonitor[1].v3.0.rar Infected: not-a-virus:Monitor.Win32.MonitorSniffer.d 1
D:\U-S-R-A\Pc-control\Software\Password_hacking.rar Infected: Constructor.Win32.VB.x 1
D:\U-S-R-A\Pc-control\Software\Password_hacking.rar Infected: Trojan-PSW.MSIL.FakeMSN.a 1

The selected area was scanned.

------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25, on 2008-08-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\jkos-Administrator\binaries\ScanningProcess.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\jkos-Administrator\binaries\ScanningProcess.exe
C:\Program Files\Spyware Doctor\update.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60111
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=
O2 - BHO: IEConnect Class - {274F5E23-9386-4F84-A02F-B7808084AC30} - C:\Program Files\Intein Fjalor 2005\System\Word Addin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [VisualTooltip] C:\WINDOWS\Visualtooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [pb_scheduler_agent] C:\Program Files\Premium Booster\scheduler.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: TrueTransparency.lnk = C:\WINDOWS\TrueTransparency\TrueTransparency.exe
O4 - Startup: Visualtooltip.lnk = C:\WINDOWS\Visualtooltip\VisualToolTip.exe
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3D1C723-9027-4D44-882C-E2FE897775E7}: NameServer = 80.80.160.8 80.80.160.9
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 6028 bytes

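The Kaspersky report and the HijackThis log above are what a helper reads line by line before asking about entries such as the two archives. As an added example (not code from this thread, from Kaspersky or from HijackThis), the Python script below parses both formats into records and lists the points a helper checks first: "not-a-virus" riskware verdicts versus malware verdicts, archives that carry more than one verdict, Winsock LSPs the tool could not identify, per-interface DNS servers, and autoruns started from a temp directory. The sample inputs are short excerpts constructed in the format of the reports posted above; the function names and the review rules are assumptions of this example, not part of either tool.

```python
"""Added triage helper for Kaspersky Online Scanner 7 reports and HijackThis
logs. Sample inputs are constructed excerpts in the format of the reports
posted in this thread; the review rules are this example's own."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt, same line format as the Kaspersky report above.
KASPERSKY_REPORT = r"""
File name / Threat name / Threats count
C:\Program Files\M Turbo Restart\Log Off.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.l 1
D:\U-S-R-A\Pc-control\Software\Password_hacking.rar Infected: Constructor.Win32.VB.x 1
D:\U-S-R-A\Pc-control\Software\Password_hacking.rar Infected: Trojan-PSW.MSIL.FakeMSN.a 1

The selected area was scanned.
"""

# Constructed excerpt of HijackThis entries in the format of the log above.
HJT_LOG = r"""
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [pb_scheduler_agent] C:\Program Files\Premium Booster\scheduler.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3D1C723-9027-4D44-882C-E2FE897775E7}: NameServer = 80.80.160.8 80.80.160.9
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# "<path> Infected: <verdict> <count>" -- the path may contain spaces, so match it lazily.
_KAV_LINE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")
# HijackThis entry lines start with a section code (R0, O4, O23, ...) followed by " - ".
_HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d+)\s+-\s+(?P<detail>.+)$")
_ARCHIVE_EXT = (".rar", ".zip", ".7z", ".cab")


@dataclass
class Detection:
    path: str
    threat: str
    count: int

    @property
    def category(self) -> str:
        # Kaspersky prefixes riskware / potentially unwanted verdicts with
        # "not-a-virus:"; everything else (Trojan-PSW, Constructor, ...) is malware.
        return "riskware" if self.threat.startswith("not-a-virus:") else "malware"

    @property
    def in_archive(self) -> bool:
        # Cleaning a verdict inside an archive means deleting the whole archive.
        return self.path.lower().endswith(_ARCHIVE_EXT)


@dataclass
class HjtEntry:
    section: str
    detail: str


def parse_kaspersky(report: str) -> list[Detection]:
    """Return one Detection per 'Infected:' line; header and footer lines are ignored."""
    out = []
    for line in report.splitlines():
        m = _KAV_LINE.match(line.strip())
        if m:
            out.append(Detection(m["path"], m["threat"], int(m["count"])))
    return out


def threats_by_path(detections: list[Detection]) -> dict[str, list[str]]:
    """Group verdicts by file so an archive with several verdicts is reviewed once."""
    grouped: dict[str, list[str]] = defaultdict(list)
    for d in detections:
        grouped[d.path].append(d.threat)
    return dict(grouped)


def parse_hjt(log: str) -> list[HjtEntry]:
    """Return the Rn/Fn/Nn/On entries of a HijackThis log (the process list is skipped)."""
    out = []
    for line in log.splitlines():
        m = _HJT_LINE.match(line.strip())
        if m:
            out.append(HjtEntry(m["section"], m["detail"]))
    return out


def review_points(entries: list[HjtEntry]) -> list[tuple[str, str]]:
    """Entries a helper checks by hand (rules assumed for this example)."""
    points = []
    for e in entries:
        low = e.detail.lower()
        if e.section == "O10" and low.startswith("unknown file in winsock lsp"):
            points.append((e.section, "identify the Winsock LSP DLL before removing anything"))
        elif e.section == "O17" and "nameserver" in low:
            points.append((e.section, "confirm the DNS servers belong to the user's ISP"))
        elif e.section == "O4" and "\\temp\\" in low:
            points.append((e.section, "autorun started from a temporary directory"))
    return points


if __name__ == "__main__":
    for path, threats in threats_by_path(parse_kaspersky(KASPERSKY_REPORT)).items():
        print(f"{path}: {', '.join(threats)}")
    for section, reason in review_points(parse_hjt(HJT_LOG)):
        print(f"{section}: {reason}")
```

With the constructed excerpts, `threats_by_path` reports the `.rar` once with both verdicts, and `review_points` returns the O10 and O17 entries; the O4 autoruns are not flagged because neither runs from a temp directory.
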
Shaba
2008-08-16, 10:33
Purpose of these?

D:\U-S-R-A\Pc-control\Software\MsnMonitor[1].v3.0.rar Infected: not-a-virus:Monitor.Win32.MonitorSniffer.d 1
D:\U-S-R-A\Pc-control\Software\Password_hacking.rar Infected: Constructor.Win32.VB.x 1

tetari7
2008-08-16, 13:59
I deleted these

D:\U-S-R-A\Pc-control\Software\MsnMonitor[1].v3.0.rar Infected: not-a-virus:Monitor.Win32.MonitorSniffer.d 1
D:\U-S-R-A\Pc-control\Software\Password_hacking.rar Infected: Constructor.Win32.VB.x 1

Shaba
2008-08-16, 14:05
OK.

Still problems?

tetari7
2008-08-16, 19:49
No, not with viruses, but the PC runs very slowly at the welcome screen (1 minute).

Shaba
2008-08-16, 19:50
For general slowness, see here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html) and post back if it helped :)

Shaba
2008-08-21, 10:10
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.