
Help Me Please



andrerlp
2006-11-12, 14:04
Hi, I have a problem. I downloaded a program by mistake and now I have some kind of files that slow my computer. One of them is dmnro.exe; there is another file in my startup menu that is fknku.exe, and other files that are different: nvcpl.exe, ncbjot.exe. I tried HijackThis, but it is still the same.
Please help me.

shelf life
2006-11-13, 01:40
hi andrerlp,

see this sticky about downloading, installing and posting a hjt log:

http://forums.spybot.info/showthread.php?t=288

follow the directions in the sticky.

in the meantime please update and run any antivirus or malware software you have.

i would try using avg anti spyware:

Download the trial version of AVG Anti-Spyware 7.5 (formerly ewido anti-spyware 4.0) from here:

http://www.ewido.net/en/download/

* Install AVG Anti-Spyware
* The program will now go to the main screen.

You will need to update AVG Anti-Spyware to the latest definition files.

* On the left-hand side of the main screen click the Update Button.
* Click on Start.

The update will start and a progress bar will show the updates being installed.
After the updates are installed:
* Click on Scanner
* Click on Complete System Scan to start the scan process.
* Let the program scan the machine, it may take some time.
* AVG Anti-Spyware will list any infections found on the left hand side.
* When the scan has finished, it will automatically set the recommended action. Click "Apply all actions". AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
* Click OK.
When the scan finishes click on "Save Report", then "Save Report As". This will create a text file.
Save the report to your Desktop.
----------------------------------------------------------------------------
please scan with HJT and post the log after you run your antivirus and antimalware apps.

shelf life

andrerlp
2006-11-13, 16:26
OK, I did the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 15:04:57, on 13/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
D:\WINDOWS\system32\cisvc.exe
D:\Program Files\ASUS\Ai Booster\OverClk.exe
D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
D:\WINDOWS\TBPanel.exe
D:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
D:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
D:\Program Files\VoyagerTest\fts.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Google\Google Talk\googletalk.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Belkin\Bluetooth Software\BTTray.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\AOL 9.0b\waol.exe
D:\Program Files\AOL 9.0b\shellmon.exe
D:\Program Files\Common Files\AOL\aoltpspd.exe
D:\HIJACTHIS\hjt.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe, D:\WINDOWS\system32\dmrno.exe
F2 - REG:system.ini: UserInit=D:\WINDOWS\SYSTEM32\Userinit.exe,ohyryyw.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AOLDialer] D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Launch Ai Booster] "D:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [Gainward] D:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [DSLSTATEXE] D:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] D:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "D:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [googletalk] "D:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = D:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149093982625
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2811D64-D1E4-4D63-AB3F-225D3F709B32}: NameServer = 205.188.146.145
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - D:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - D:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

And I downloaded the AVG anti-virus and the free anti-spyware version, and it's full of trojans, but still I can't get rid of them. I did everything, scanned with both of them, rebooted, and they come back.

This is the AVG Anti-Spyware report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 13:10:38 13/11/2006

+ Scan result:



D:\WINDOWS\system32\jcibhona.dll -> Adware.Agent : No action taken.
D:\WINDOWS\stub_mm3.exe -> Adware.BookedSpace : No action taken.
D:\WINDOWS\Sk9ITiBXT1JN\asappsrv.dll -> Adware.CommAd : No action taken.
HKLM\SOFTWARE\DeluxeCommunications -> Adware.DeluxeCommunications : No action taken.
HKLM\SOFTWARE\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : No action taken.
HKU\S-1-5-21-861567501-1844237615-725345543-1004\Software\DeluxeCommunications -> Adware.DeluxeCommunications : No action taken.
HKU\S-1-5-21-861567501-1844237615-725345543-1004\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : No action taken.
HKLM\SOFTWARE\Classes\CLSID\{202a961f-23ae-42b1-9505-ffe3c818d717} -> Adware.Generic : No action taken.
HKLM\SOFTWARE\Classes\CLSID\{479fd0cf-5be9-4c63-8cda-b6d371c67bd5} -> Adware.Generic : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03 -> Adware.Generic : No action taken.
HKU\S-1-5-21-861567501-1844237615-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{202A961F-23AE-42B1-9505-FFE3C818D717} -> Adware.Generic : No action taken.
HKU\S-1-5-21-861567501-1844237615-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5} -> Adware.Generic : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006 -> Adware.IntCodec : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On -> Adware.IntCodec : No action taken.
HKU\S-1-5-21-861567501-1844237615-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : No action taken.
HKU\S-1-5-21-861567501-1844237615-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8B28872-3324-4CD2-8AA3-7D555C872D96} -> Adware.Softomate : No action taken.
D:\WINDOWS\security\winsecure.dll -> Backdoor.Iroffer.1227 : No action taken.
D:\WINDOWS\Temp\_avast4_\unp139178104.tmp -> Downloader.Qoologic.bj : No action taken.
D:\WINDOWS\Temp\_avast4_\unp54437373.tmp -> Downloader.Qoologic.bj : No action taken.
D:\WINDOWS\Temp\_avast4_\unp90373329.tmp -> Downloader.Qoologic.bj : No action taken.
D:\WINDOWS\system32\__delete_on_reboot__d_m_r_n_o_._e_x_e_ -> Downloader.Qoologic.bj : No action taken.
D:\WINDOWS\system32\__delete_on_reboot__n_c_b_j_o_t_._e_x_e_ -> Downloader.Qoologic.bj : No action taken.
D:\WINDOWS\system32\__delete_on_reboot__t_j_b_j_g_c_i_._d_l_l_ -> Downloader.Qoologic.bj : No action taken.
D:\WINDOWS\system32\sapmb.dat -> Downloader.Qoologic.bj : No action taken.
[1432] D:\WINDOWS\system32\tjbjgci.dll -> Downloader.Qoologic.bj : No action taken.
[1556] D:\WINDOWS\system32\tjbjgci.dll -> Downloader.Qoologic.bj : No action taken.
[1860] D:\WINDOWS\system32\tjbjgci.dll -> Downloader.Qoologic.bj : No action taken.
[1868] D:\WINDOWS\system32\tjbjgci.dll -> Downloader.Qoologic.bj : No action taken.
[1940] D:\WINDOWS\system32\tjbjgci.dll -> Downloader.Qoologic.bj : No action taken.
[1952] D:\WINDOWS\system32\tjbjgci.dll -> Downloader.Qoologic.bj : No action taken.
[1960] D:\WINDOWS\system32\tjbjgci.dll -> Downloader.Qoologic.bj : No action taken.
[1972] D:\WINDOWS\system32\tjbjgci.dll -> Downloader.Qoologic.bj : No action taken.
[1984] D:\WINDOWS\system32\tjbjgci.dll -> Downloader.Qoologic.bj : No action taken.
[2016] D:\WINDOWS\system32\tjbjgci.dll -> Downloader.Qoologic.bj : No action taken.
[2028] D:\WINDOWS\system32\tjbjgci.dll -> Downloader.Qoologic.bj : No action taken.
[232] D:\WINDOWS\system32\tjbjgci.dll -> Downloader.Qoologic.bj : No action taken.
[260] D:\WINDOWS\system32\tjbjgci.dll -> Downloader.Qoologic.bj : No action taken.
[3204] D:\WINDOWS\system32\tjbjgci.dll -> Downloader.Qoologic.bj : No action taken.
D:\WINDOWS\security\logs\nc.exe -> Not-A-Virus.RemoteAdmin.Win32.NetCat.110 : No action taken.
D:\WINDOWS\security\netclient.exe -> Not-A-Virus.RemoteAdmin.Win32.NetClient.a : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus_at_worm@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus at worm@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus at worm@com[1].txt -> TrackingCookie.Com : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus_at_worm@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus at worm@estat[1].txt -> TrackingCookie.Estat : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus_at_worm@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus at worm@as1.falkag[1].txt -> TrackingCookie.Falkag : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus at worm@ads.gamershell[2].txt -> TrackingCookie.Gamershell : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus at worm@hotlog[2].txt -> TrackingCookie.Hotlog : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus at worm@hypertracker[1].txt -> TrackingCookie.Hypertracker : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus at worm@stat.onestat[1].txt -> TrackingCookie.Onestat : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus at worm@data1.perf.overture[2].txt -> TrackingCookie.Overture : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus at worm@overture[1].txt -> TrackingCookie.Overture : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus at worm@perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus at worm@paycounter[1].txt -> TrackingCookie.Paycounter : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus at worm@qksrv[2].txt -> TrackingCookie.Qksrv : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus_at_worm@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus_at_worm@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus at worm@www.smartadserver[2].txt -> TrackingCookie.Smartadserver : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus_at_worm@trafic[1].txt -> TrackingCookie.Trafic : No action taken.
D:\Documents and Settings\DIGNUS AT WORM\Cookies\dignus at worm@web-stat[2].txt -> TrackingCookie.Web-stat : No action taken.


::Report end


I never saw something like this. If someone could help, I'd appreciate it. Thanks!

shelf life
2006-11-14, 02:20
hi andrerlp,

thanks for the info. first we will boot into safe mode, uninstall a file, use hjt, then run avg antispyware and antivirus.
after you reboot out of safe mode, do an online scan and get another download. ok?

to reach safe mode you tap the f8 key after a computer restart. choose the first option from the list: Safe Mode. once in safe mode: (you might want to copy/paste the rest of this into Notepad so you can read it in safe mode)
---------------------------------------------------------
first look in add/remove programs panel and uninstall:
DeluxeCommunications

next:
scan with HJT, put a checkmark beside the items below, close all windows and click fix checked

F2 - REG:system.ini: Shell=Explorer.exe, D:\WINDOWS\system32\dmrno.exe
F2 - REG:system.ini: UserInit=D:\WINDOWS\SYSTEM32\Userinit.exe,ohyryyw.exe

ok still in safe mode please run avg antispyware and avg antivirus.
------------------------------------------------
reboot normally, go here:
http://www.kaspersky.com/virusscanner

Please do an online scan with Kaspersky WebScanner. If you have any quarantined items in your antivirus, please delete those archives before the scan.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
o Scan Options:
Scan Archives
Scan Mail Bases
* Click OK
* Now under select a target to scan:
Select My Computer
* This program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
o Now click on the Save as Text button:
* Save the file to your desktop.
* Copy and paste that information in your next post.
-----------------------------------------------------------
next stop, please download Qoofix by RubbeR DuckY from one of these locations:

http://www.malwarebytes.org/Qoofix.zip
http://www.besttechie.net/tools/Qoofix.zip

1. Unzip all files to a convenient location such as C:\Qoofix.
2. Go to the folder you unzipped all files and run Qoofix.exe.
3. Click Begin Removal and wait for the scan to finish.
4. If an infection has been found, select yes to restart your computer.


Finally post a new Hijack This log and the contents of the Qoofix logfile.
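The two F2 lines shelf life asks to be fixed are Winlogon's Shell and UserInit registry values with an extra program appended after the Windows default, an autostart that lets a file reappear after a scanner has only deleted its on-disk copy. As an added example (not part of the thread and not HijackThis code), the Python below parses HJT "F2 - REG:system.ini" lines and flags anything beyond the Windows XP defaults. The two infected lines are copied from the first log posted above; the clean UserInit line and the path-qualified explorer.exe case are constructed for contrast.

```python
r"""Flag hijacked Winlogon Shell / UserInit values in HijackThis "F2" lines.

Added example (not from the thread).  Assumed Windows XP defaults:
  Shell    = Explorer.exe                              (bare name, no path)
  UserInit = <drive>:\<windir>\system32\userinit.exe,  (trailing comma is normal)
Anything appended to either value is a second program that winlogon starts at
every logon, so removing the file alone does not remove the autostart.
"""
import re
from typing import Dict, List

# F2 - REG:system.ini: Shell=...   /   F2 - REG:system.ini: UserInit=...
F2_RE = re.compile(r"^F2 - REG:system\.ini:\s*(Shell|UserInit)=(.*)$", re.IGNORECASE)

# Full path to userinit.exe inside any <drive>:\<windir>\system32
USERINIT_RE = re.compile(r"[a-z]:\\[^\\]+\\system32\\userinit\.exe")


def _split_values(raw: str) -> List[str]:
    """Winlogon values are comma-separated; HJT may print a space after the comma."""
    return [part.strip() for part in raw.split(",") if part.strip()]


def _is_default(key: str, value: str) -> bool:
    v = value.lower()
    if key == "Shell":
        return v == "explorer.exe"  # a path-qualified explorer.exe is NOT the default
    return USERINIT_RE.fullmatch(v) is not None


def extra_winlogon_entries(line: str) -> Dict[str, List[str]]:
    """Return {"Shell": [...]} or {"UserInit": [...]} listing the non-default
    entries on one HJT F2 line; {} for a clean F2 line or any other line type."""
    m = F2_RE.match(line.strip())
    if not m:
        return {}
    key = "Shell" if m.group(1).lower() == "shell" else "UserInit"
    extras = [v for v in _split_values(m.group(2)) if not _is_default(key, v)]
    return {key: extras} if extras else {}


def scan_hjt_log(text: str) -> Dict[str, List[str]]:
    """Aggregate extra Shell/UserInit entries across a whole HJT log."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        for key, extras in extra_winlogon_entries(line).items():
            findings.setdefault(key, []).extend(extras)
    return findings


# The two F2 lines from the first log posted in the thread, plus one unrelated O4 line.
SAMPLE_INFECTED = r"""
F2 - REG:system.ini: Shell=Explorer.exe, D:\WINDOWS\system32\dmrno.exe
F2 - REG:system.ini: UserInit=D:\WINDOWS\SYSTEM32\Userinit.exe,ohyryyw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

# Constructed clean counterpart: the XP default UserInit value with its trailing comma.
SAMPLE_CLEAN = r"""
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

if __name__ == "__main__":
    for name, log in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, "->", scan_hjt_log(log) or "no extra Winlogon entries")
```

HJT itself only prints an F2 line when the value differs from the default, which is why the second log posted in the thread has none; the script applies the same rule explicitly so the appended names stand out even in a log pasted without context.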

andrerlp
2006-11-14, 22:36
Hi, I did all that you asked me, apart from that I didn't find anything about software deluxecompany to uninstall.

This is the report from HJT:
Logfile of HijackThis v1.99.1
Scan saved at 21:30:53, on 14/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
D:\WINDOWS\system32\cisvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\Program Files\ASUS\Ai Booster\OverClk.exe
D:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
D:\Program Files\VoyagerTest\fts.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Belkin\Bluetooth Software\BTTray.exe
D:\Program Files\AOL 9.0b\waol.exe
D:\Program Files\AOL 9.0b\shellmon.exe
D:\Program Files\Common Files\AOL\aoltpspd.exe
D:\Program Files\Microsoft Office\Office\WINWORD.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\system32\cidaemon.exe
D:\HIJACTHIS\hjt.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AOLDialer] D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Launch Ai Booster] "D:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [Gainward] D:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [DSLSTATEXE] D:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] D:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "D:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [googletalk] "D:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = D:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149093982625
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2811D64-D1E4-4D63-AB3F-225D3F709B32}: NameServer = 205.188.146.145
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - D:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - D:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe


This is the report from Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 14, 2006 9:24:40 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 14/11/2006
Kaspersky Anti-Virus database records: 227926
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 113997
Number of viruses found: 4
Number of infected objects: 16 / 0
Number of suspicious objects: 4
Duration of the scan process: 01:41:20

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_9a3aacb3-c298-4446-a103-dbe0dc868751 Object is locked skipped
C:\Downloads\Age of Empires 3 The Warchiefs crack.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\Downloads\Age of Empires 3 The Warchiefs crack.exe SetupFactory: infected - 1 skipped
C:\Downloads\NOCD Age of Empires 3 The Warchiefs crack.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\Downloads\NOCD Age of Empires 3 The Warchiefs crack.exe SetupFactory: infected - 1 skipped
C:\Downloads\Win.All Age of Empires 3 The Warchiefs crack.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
C:\Downloads\Win.All Age of Empires 3 The Warchiefs crack.exe SetupFactory: infected - 1 skipped
C:\System Volume Information\_restore{956F38C0-6E54-46FA-92D5-436C56940F08}\RP2\A0001212.exe Infected: Trojan-Downloader.Win32.Adload.ik skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\ACS\1.0\ph Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\ACS\1.0\variable Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\D_AOL 9.0b\idb\APP10400.LST Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\D_AOL 9.0b\idb\Apps.Lst Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\D_AOL 9.0b\idb\Diction.lst Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\D_AOL 9.0b\idb\main.idx Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\D_AOL 9.0b\idb\sap.dat Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\D_AOL 9.0b\idb\spool.lst Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\D_AOL 9.0b\idb\STYLE.LST Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\D_AOL 9.0b\idb\sysnews.lst Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\D_AOL 9.0b\idb\Toolbar.lst Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\D_AOL 9.0b\organize\andrekugassy Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\D_AOL 9.0b\organize\andrekugassy.abi Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\D_AOL 9.0b\organize\andrekugassy.aby Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\D_AOL 9.0b\organize\CACHE\andrekugas00 Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\D_AOL 9.0b\ShopAssist\DataStore\global\clientcache.adb Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\D_AOL 9.0b\ShopAssist\DataStore\users\andrekugassy.adb Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\storage\cache.db Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\storage\server.lock Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\storage\stderr.txt Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\storage\stdout.txt Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\AVG7\Log\emc.log Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip/MTE3NDI6ODoxNgnew.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver1.zip/MTE3NDI6ODoxNgMTE3NDI6ODoxNg.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Targetsaver1.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\DIGNUS AT WORM\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
D:\Documents and Settings\DIGNUS AT WORM\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\DIGNUS AT WORM\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
D:\Documents and Settings\DIGNUS AT WORM\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\DIGNUS AT WORM\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\DIGNUS AT WORM\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\DIGNUS AT WORM\Local Settings\History\History.IE5\MSHist012006111420061115\index.dat Object is locked skipped
D:\Documents and Settings\DIGNUS AT WORM\Local Settings\Temp\Perflib_Perfdata_8c0.dat Object is locked skipped
D:\Documents and Settings\DIGNUS AT WORM\Local Settings\Temp\~DF36A8.tmp Object is locked skipped
D:\Documents and Settings\DIGNUS AT WORM\Local Settings\Temp\~DFB67A.tmp Object is locked skipped
D:\Documents and Settings\DIGNUS AT WORM\Local Settings\Temp\~DFC770.tmp Object is locked skipped
D:\Documents and Settings\DIGNUS AT WORM\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\DIGNUS AT WORM\My Documents\hi andrerlp.doc Object is locked skipped
D:\Documents and Settings\DIGNUS AT WORM\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\DIGNUS AT WORM\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
D:\Program Files\Common Files\AOL\ACS\UK\forms.fdb Object is locked skipped
D:\Program Files\Common Files\AOL\ACS\UK\static Object is locked skipped
D:\Program Files\Shareaza\Downloads\Age of Empires 3 The Warchiefs crack.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
D:\Program Files\Shareaza\Downloads\Age of Empires 3 The Warchiefs crack.exe SetupFactory: infected - 1 skipped
D:\Program Files\Shareaza\Downloads\NOCD Age of Empires 3 The Warchiefs crack.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
D:\Program Files\Shareaza\Downloads\NOCD Age of Empires 3 The Warchiefs crack.exe SetupFactory: infected - 1 skipped
D:\Program Files\Shareaza\Downloads\Win.All Age of Empires 3 The Warchiefs crack.exe/irsetup.dat Infected: Trojan-Dropper.Win32.Peerad.a skipped
D:\Program Files\Shareaza\Downloads\Win.All Age of Empires 3 The Warchiefs crack.exe SetupFactory: infected - 1 skipped
D:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
D:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
D:\System Volume Information\catalog.wci\00010001.ci Object is locked skipped
D:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
D:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
D:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
D:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
D:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{956F38C0-6E54-46FA-92D5-436C56940F08}\RP5\change.log Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\srviexae.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
D:\WINDOWS\srviexae.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
D:\WINDOWS\srviexae.exe NSIS: infected - 2 skipped
D:\WINDOWS\Sti_Trace.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\Internet.evt Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\wiadebug.log Object is locked skipped
D:\WINDOWS\wiaservc.log Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

and this is the report from qoofix

Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [14/11/2006] at [19:44:15]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [14/11/2006] at [19:45:58]

Note: Some registry keys may have been removed.



dude many thanks for your attention!

shelf life
2006-11-15, 01:34
hi andrerlp,

good. thanks for the info. let's try trendmicro sysclean. it needs to be run in safe mode after you download it.

to reach safe mode you would tap the f8 key during a computer restart. choose the first option from the list: safe mode. full directions here:

http://esupport.trendmicro.com/support/viewxml.do?ContentID=en-125991

might want to copy/paste the part to do in safe mode into notepad and save it somewhere so you can read it in safe mode. after the scan please post the log that's placed in the system cleaner folder.

also while you are still in safe mode, please run avg antispyware again.

shelf life

andrerlp
2006-11-15, 16:20
ok i did it as well,

this is the report from sysclean,



/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2006-11-15, 11:39:45, Auto-clean mode specified.
2006-11-15, 11:39:45, Running scanner "D:\Documents and Settings\DIGNUS AT WORM\Desktop\system cleaner\TSC.BIN"...
2006-11-15, 11:45:28, Scanner "D:\Documents and Settings\DIGNUS AT WORM\Desktop\system cleaner\TSC.BIN" has finished running.
2006-11-15, 11:45:28, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : Wed Nov 15 2006 11:39:46

Load Damage Cleanup Template (DCT) "D:\Documents and Settings\DIGNUS AT WORM\Desktop\system cleaner\tsc.ptn" (version 804) [success]

Complete time : Wed Nov 15 2006 11:45:28
Execute pattern count(2970), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-11-15, 11:47:05, An error was detected on "D:\System Volume Information\*.*": Access is denied.
2006-11-15, 11:47:14, An error was detected on "D:\WINDOWS\?icrosoft\*.*": The filename, directory name, or volume label syntax is incorrect.
2006-11-15, 11:55:15, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 11/15/2006 11:47:14
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 925 (142711 Patterns) (2006/11/14) (392500)
Command Line: D:\Documents and Settings\DIGNUS AT WORM\Desktop\system cleaner\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=D:\Documents and Settings\DIGNUS AT WORM\Desktop\system cleaner

C:\System Volume Information\_restore{956F38C0-6E54-46FA-92D5-436C56940F08}\RP2\A0001212.exe [TROJ_ADLOAD.TJ]
14201 files have been read.
14201 files have been checked.
11943 files have been scanned.
14543 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/15/2006 11:55:15
---------*---------*---------*---------*---------*---------*---------*---------*
2006-11-15, 11:55:15, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 11/15/2006 11:47:14
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 925 (142711 Patterns) (2006/11/14) (392500)
Command Line: D:\Documents and Settings\DIGNUS AT WORM\Desktop\system cleaner\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=D:\Documents and Settings\DIGNUS AT WORM\Desktop\system cleaner

Success Clean [ TROJ_ADLOAD.TJ]( 1) from C:\System Volume Information\_restore{956F38C0-6E54-46FA-92D5-436C56940F08}\RP2\A0001212.exe
14201 files have been read.
14201 files have been checked.
11943 files have been scanned.
14543 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/15/2006 11:55:15 8 minutes (479.26 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-11-15, 11:55:15, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 11/15/2006 11:47:14
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 925 (142711 Patterns) (2006/11/14) (392500)
Command Line: D:\Documents and Settings\DIGNUS AT WORM\Desktop\system cleaner\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=D:\Documents and Settings\DIGNUS AT WORM\Desktop\system cleaner

14201 files have been read.
14201 files have been checked.
11943 files have been scanned.
14543 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/15/2006 11:55:15 8 minutes (479.26 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-11-15, 11:55:15, Scanner "D:\Documents and Settings\DIGNUS AT WORM\Desktop\system cleaner\VSCANTM.BIN" has finished running.
2006-11-15, 13:20:02, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 11/15/2006 11:55:15
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 925 (142711 Patterns) (2006/11/14) (392500)
Command Line: D:\Documents and Settings\DIGNUS AT WORM\Desktop\system cleaner\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=D:\Documents and Settings\DIGNUS AT WORM\Desktop\system cleaner

D:\WINDOWS\Duce6.exe [TROJ_DLOADER.FJF]
D:\WINDOWS\sys09-62431487.exe [TROJ_DLOADER.FJE]
77753 files have been read.
77753 files have been checked.
66926 files have been scanned.
173550 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/15/2006 13:19:43
---------*---------*---------*---------*---------*---------*---------*---------*
2006-11-15, 13:20:03, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 11/15/2006 11:55:15
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 925 (142711 Patterns) (2006/11/14) (392500)
Command Line: D:\Documents and Settings\DIGNUS AT WORM\Desktop\system cleaner\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=D:\Documents and Settings\DIGNUS AT WORM\Desktop\system cleaner

Success Clean [TROJ_DLOADER.FJF]( 1) from D:\WINDOWS\Duce6.exe
Success Clean [TROJ_DLOADER.FJE]( 1) from D:\WINDOWS\sys09-62431487.exe
77753 files have been read.
77753 files have been checked.
66926 files have been scanned.
173550 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/15/2006 13:19:43 1 hour 24 minutes 27 seconds (5066.77 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-11-15, 13:20:03, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 11/15/2006 11:55:15
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 925 (142711 Patterns) (2006/11/14) (392500)
Command Line: D:\Documents and Settings\DIGNUS AT WORM\Desktop\system cleaner\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=D:\Documents and Settings\DIGNUS AT WORM\Desktop\system cleaner

77753 files have been read.
77753 files have been checked.
66926 files have been scanned.
173550 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/15/2006 13:19:43 1 hour 24 minutes 27 seconds (5066.77 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-11-15, 13:20:03, Scanner "D:\Documents and Settings\DIGNUS AT WORM\Desktop\system cleaner\VSCANTM.BIN" has finished running.


results were clean from both avgs, but yesterday from the kaspersky i just took the information, the webpage doesn't clean anything, does it?
should i take another av to install or should i stick with avg?!

in the middle of the sysclean program, many of my files were access denied, such as pagefile.sys and ntuser.dat.log (this one was inside many folders). is that a bad file?


thanks!

shelf life
2006-11-16, 01:31
hi andrerlp,

good. thanks for the info.

correct, kaspersky only lists virus/malware, it doesn't clean it.

you can stick with avg. if it finds something you can always do an online scan or two.

it's normal to have access denied, some files are locked by windows.
-------------------------------------------------------------
please do one more run with Qoofix, then rescan and post another hjt log.

shelf life

andrerlp
2006-11-16, 13:01
hi, i downloaded as well the kaspersky and scanned my computer. it found a lot of crap and trojans... then i cleaned, restarted it and uninstalled after, then i did what you asked me. i forgot to say that i have two hard disks, and different windows on each one, i have win64 in the path c:/ and winxp in the path d:/
kaspersky found trojans in the c:/ which i rarely use because the drivers of my modem don't support win64, and there are none available, so i went straight to C: and ran all the scanners we did before, but in win64, now i think it's fine, have a look and tell me what you think,

thanks again for your time, i appreciate that!

ANDRE

these reports are just from the d:/winxp hard disk


qoofix report

Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [16/11/2006] at [12:05:41]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [16/11/2006] at [12:06:29]

Note: Some registry keys may have been removed.


hjt report

Logfile of HijackThis v1.99.1
Scan saved at 12:07:17, on 16/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
D:\WINDOWS\system32\cisvc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\TBPanel.exe
D:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
D:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
D:\Program Files\VoyagerTest\fts.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Belkin\Bluetooth Software\BTTray.exe
D:\Program Files\AOL 9.0b\waol.exe
D:\Program Files\AOL 9.0b\shellmon.exe
D:\Program Files\Common Files\AOL\aoltpspd.exe
D:\WINDOWS\system32\cidaemon.exe
D:\WINDOWS\system32\wuauclt.exe
D:\HIJACTHIS\hjt.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AOLDialer] D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Launch Ai Booster] "D:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [Gainward] D:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [DSLSTATEXE] D:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] D:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "D:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = D:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149093982625
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2811D64-D1E4-4D63-AB3F-225D3F709B32}: NameServer = 205.188.146.145
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - D:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - D:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

shelf life
2006-11-17, 02:58
hi andrerlp,

compared to the first hjt log the last one looks good, i think between all the scans it got cleaned up. we can make new restore points to make sure no malware got archived in them.

1. Turn off System Restore. (deletes old, possibly infected restore points)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

shelf life
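The comparison shelf life makes here (first HJT log against the last one) can also be done mechanically. The following Python script is an added example for this thread, not part of HijackThis or of the original posts: it parses the HJT log format shown above and reports which autostart entries and running processes disappeared or appeared between two scans. The two sample logs embedded in it are constructed with placeholder names (example_dropper.exe is made up), not the poster's real logs.

```python
"""Diff two HijackThis (v1.99-style) logs to see which autostart entries and
running processes changed between scans. Added example for this thread; not
part of HijackThis. Both sample logs are constructed with placeholder names."""
import re

# Entry lines carry a location code (R0, O2, O4, O9, O16, O17, O20, O23, ...)
# followed by " - " and the item, e.g. "O4 - HKLM\..\Run: [Name] path args".
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Return (set of entry lines, list of running processes) from an HJT log."""
    entries, processes = set(), []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:             # a blank line ends the process list
            in_procs = False
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.add(line)
    return entries, processes


def diff_hjt(old, new):
    """Entries/processes gone since the old log (removed) and new ones (added)."""
    old_e, old_p = parse_hjt(old)
    new_e, new_p = parse_hjt(new)
    return {
        "removed_entries": sorted(old_e - new_e),
        "added_entries": sorted(new_e - old_e),
        "removed_processes": sorted(set(old_p) - set(new_p)),
        "added_processes": sorted(set(new_p) - set(old_p)),
    }


# Constructed "before" log: one placeholder autostart entry and process that a
# cleanup should remove (example_dropper.exe is a made-up name).
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:00:00, on 12/11/2006

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\example_dropper.exe

O4 - HKLM\..\Run: [example_dropper] D:\WINDOWS\example_dropper.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed "after" log: dropper gone, AVG Anti-Spyware guard now present.
NEW_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:07:17, on 16/11/2006

Running processes:
D:\WINDOWS\System32\smss.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for key, items in diff_hjt(OLD_LOG, NEW_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

Anything listed under "added_entries" or "added_processes" after a cleanup is what deserves the closest look, since a new autostart entry on a machine that was being cleaned is either a tool you installed or something that survived.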

andrerlp
2006-11-18, 14:08
OK i did it, thanks a lot shelf life, i appreciate your time and attention!!

MANY THANKS
ANDRE

shelf life
2006-11-19, 03:38
hi andrerlp,

glad to help. for your reading pleasure:

Be careful of what you download, and where you download it from. Many programs come bundled with extra software. You may be installing more than you think. Learn more about the program: does it come bundled with other "3rd party" programs? If you search hard enough you can always find a "clean" alternative to any software. Stay away from warez and crack sites. Be careful what you download from file sharing networks. If you are not sure, scan it with your Antivirus app. DO YOU TRUST THE SOURCE? Check this database: Spyware Guide (http://www.spywareguide.com/) or this: Library (http://research.sunbelt-software.com/Browse_Library.cfm) before installing free/shareware.

Make sure you keep your Windows OS/Browser current by visiting Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp)
occasionally to download and install any critical updates and service packs. These patch flaws/bugs that can be exploited.

Adjust your browser settings: Change your (active x) settings in IE. With IE open go to tools, internet options, security tab. Click on the internet globe, then custom level. Set the first option "download signed active x controls" to prompt, the next two to disable. Read more:
Working with Internet Explorer 6 Security (http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx)
Many exploits are directed at Internet Explorer, you don't have to use it. Try a different browser. You can have and use more than one browser on your computer.
Like Firefox (http://www.mozilla.org/products/firefox/),


Install a Firewall: A firewall will help to control what comes in from the internet and what leaves your computer to the internet. Zone Alarm is a free and easy to use firewall, that will provide in and outbound protection. XP firewall doesn't block outbound traffic. It's important to know/learn what routinely needs an internet connection.
Zone Alarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=dbtopnav_zass)
OutPost Lite (http://www.agnitum.com/products/outpostfree/download.php)
Jetico Personal Firewall (http://www.jetico.com/index.htm#/jpfirewall.htm)
Look n Stop (http://www.looknstop.com/En/index2.htm)

Outlook Express with the default settings is not secure. It will run scripts, download images etc, just like a browser, but this was the old Outlook Express. Service Pack 2 has made huge improvements to Outlook, but just like with Internet Explorer, you don't have to use it.
try Pegasus E-Mail. (http://www.pmail.com/)

Make sure you have and keep updated Antivirus software
Free for home users:
avast! 4 Home Edition Download (http://www.avast.com/eng/free_virus_protectio.html)
AVG free version 7.0 (http://free.grisoft.com/freeweb.php/doc/2/)
AntiVir Personal Edition (http://www.free-av.com/)
Clam Win (http://www.Clamwin.com/component/option,com_frontpage/Itemid,1/)

Download one or two of these, install and update before using: (if these are constantly finding malware, then you need to make changes to your browser and or your habits)
CounterSpy (http://www.sunbelt-software.com/) Free trial version
Spybot Search and destroy (http://www.safer-networking.org/en/index.html)
Ad-Aware SE Personal edition (http://www.lavasoft.de/)
Microsoft Windows Defender (http://www.microsoft.com/athome/security/spyware/software/default.mspx)
Be careful with spyware "removers and scanners" -- there are many "rogue/suspect" (http://www.spywarewarrior.com/rogue_anti-spyware.htm) programs that "claim to remove" spyware. Check here first.


AntiTrojan software to fill in the gap:
a2 free (http://www.emsisoft.com/en/software/free/)
Ewido Anti-Spyware (http://www.ewido.net/en/)
Trojan Hunter (http://www.misec.net/)
Tauscan trial version (http://www.agnitum.com/products/tauscan/)

Other programs to consider:
Process Guard (http://www.diamondcs.com.au/processguard/) stop events/processes with user intervention
SpywareBlaster (http://www.bleepingcomputer.com/forums/index.php?showtutorial=49) add security to IE
IE-SPYAD (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD) adds adware peddlers sites/domains to IE restricted zone
ATF cleaner (W2K,XP only) (http://www.atribune.org/content/view/25/2/) cleans out temp files,history, cookies etc.

Learn More:
Test Your Browser (http://www.jasons-toolbox.com/BrowserSecurity/)
Parasite Free (http://www.doxdesk.com/parasite/prevention.html)
Safe Hex (http://www.claymania.com/safe-hex.html)
Shelf Lifes page (http://security-central.us/SafeHex/index.htm)
Browser Security Checkup (http://bcheck.scanit.be/bcheck/)

andrerlp
2006-11-24, 13:46
Thank you very much, for helping me!

everything is fine.

thanks
andre

LonnyRJones
2006-12-02, 14:51
I'm glad we could help.
Since the problems are solved I'm going to close the topic now, this keeps others with similar problems from posting their logs/questions here, they should start a new topic.

If you should need to post another log for the same PC let one of us know via a PM (personal message).